Wavesplatform (WAVES) Security Audit Confirms Some of Centralization/Security Concerns + Summary

5 months ago
49 in bitshares

Waves platform is a better known decentralized exchange with some neat tech like Waves-NG and LPOS.

I'll give summary of security issues in Waves and where new report is applicable.

New audit report: https://research.kudelskisecurity.com/2017/10/10/audit-report-of-the-waves-platform/

No significant consensus issues for the most part, so tech wise consensus level is acceptable.

1. Centralized order matching

This badly made graphic from April summarized the problem in only few words in red.

image link, blog link

Order matching is centralized.

There can be more than one matching node, but matching is not subject to consensus rules. Each individual order matching node is thus centralized for orders it takes, a trusted party, and a security vulnerability.

This obviously enables DDOS attacks if desired on individual points, possibly targeting the order matching node of your choosing.

Several DoS attacks is what the report confirmed:

Most obvious one is

image link


image link

Note the number of attacks and proposed solutions are subjective:

A solution is not straightforward
weak mitigation

And since it's not consensus based

rate-limiting ... based on measurements of previous activity

is best they can do which is literally what DoS is done to accomplish

This also enables node operator to do front-running on orders, something centralized exchanges or brokers can do.
Investopedia on Front Running

In simplest terms imagine being able to see a buy order, place your own first at current price, let 3rd party order go through increasing the price, and then selling at higher price.

Note the report shows several ways orders can be attacked by third party (a new issue), but doesn't look at malicious node angle. The report also mostly focuses on protocol and not knowing centralized matchers address and attacking through regular network DDOS.

Waves is not decentralized.

Likely used because they are using centralization because they are unable to reach the rare high speeds (e.g.) that would make on-chain public orderbook feasible. More on speed later.

2. Censorship by company in charge

Centralized governance

Wavesplatform can do both as well: premine 100% of coins, kept 15% and sold 85%.

It's important because Ethereum bailout demonstrated how much power developers in charge have that makes it impossible to disagree with their decisions. Specifically having full control over centralized funds from ICO let the developers refuse to update or fund development on any fork they disagree with. Furthermore, the premined coins kept were used to attack the value of the other coins on exchanges. Since platform control and security is based on financial incentives, ability to take those actions prevents dissent from leadership. (bailout summary)

Centralized governance is a security vulnerability that can be easly exploited by those in charge, or externally via litigation, pressure, threats, and so on. (Simple example) Being based in Russia doesn't make it any better.

Demonstrated token censorship: Delistings

Someone on 4chan created a coin with a racist term that got attention. So this "decentralized" exchange delisted it.


Image not embedded so it's not offending anyone b/c distracts from real issue.
image link (warning, might be offensive, not mine)

The unknown reason (PR, political pressure, ..) - doesn't matter.
Same as with eth, content itself doesn't matter, ability to do this without voting in main codebase matters.

While some supporters claim the white paper suggested this could happen, Reddit user summarized the deception:

image link

Alternative matcher proposed do not work for me now while testing them. The mechanism for delisting is different from approval of tokens as unapproved tokens can still be found as light gray options on exchange page.

Waves is not decentralized.

3. Misleading marketing

These people get paid extremely well thanks to ICO, so you'd expect they do the research necessary and make accurate statements on state of the art. Marketing seems either misleading for financial gain or just comes from research incompetence. First implies fraud. Latter implies not knowing anything about the biggest & earlier project similar to their own.

Exaggerated claims of high speed. Not so.

Lets start with speed issue and why they resort to centralized order-matching.

Waves advertised up to 1,000 tx/sec. The phrasing implies peak speed on demand, not any number below 1000 might be the limit.

Now, with a new planned upgrade in future called Waves-NG they advertise to be able to do 100s of transactions per second. (PR @ Wavesplatform) meaning it couldn't do it before and exaggerated. When it does go live, the theoretical high finally will reach promised 1000 tx/sec (source) but not even close to what the main-net ntework is doing.

Lying about competition

They claim Waves-NG will be the fastest in existence at 100s of tx/sec. Seriously.

image link

That should've already sounded like b.s. to anyone who knows cryptocurrencies.

Bitshares, STEEM, few others (dPoS) = 100,000 tx/sec.

That's not all: XMR (adj blocksize), NEM (poi), NEO (dBFT), Lisk (slower dPoS), hell even DGB (increasing blocksize) and XRP (channels) can do that. They did beat NXT they are based on which only showed 100 tps.

They know this.

Lying about Bitshares

This will sound like shilling, but Bitshares has done already pretty much everything & better than what Waves hopes to do. I don't know how to phrase this more objectively.

Compare: Bitshares Summary & Waves roadmap.

I can only assume this causes them to market falsely in all these scenarios like lying about properties of Bitshares.

See Waves FAQ.

Partially subjective, but they attack DPOS on security. Security wise, LPOS of WAVES offers no advantages over PoS while DPOS solves by design majority of PoS security problems as seen in the Bitfury's 2015 report on "Proof of Stake vs Proof of Work"
(PDF http://bitfury.com/content/5-white-papers-research/pos-vs-pow-1.0.2.pdf)
Furthermore, in contrast on decentralization, WAVES was premined and they control centralized funding, while Bitshares was distributed with PoW to anyone with a computer and airdrops, no ICO. Additionally, Bitshares is funded and controlled by all BTS holders via a DAO since 2014 with a treasury that's filled by fees. (e.g. current UI and core devs are funded from treasury).

By leasing coins w/o additional nodes, WAVES LPOS took all the security issues of PoS mentioned in the report and then added a centralization of validators issue we see in mining. dPoS rejected its earlier single witness delegation and switched to approval voting of 33 witnesses per account to make it more difficult for large stake holder to get a spot, something LPOS would still suffer from. Secondary precaution is dPoS enforces equal weight to all active witnesses, no weighting. These efforts to break Pareto principle not seen here. Lets compare who validates transactions on each by power:

image link (edit: added more coins)

Waves has no place talking about decentralization. Additionally, while PoS only requires 51% (possibly 1/3 depending on luck) to cause double spends, dPoS requires 2/3 of witnesses + 1 to collude and under risk of losing vested salary, possibly for the rest of time, after malicious witnesses are fired. Why did they do it? To get more speed, and apparently not much. (Number of nodes reduces block orphaning and accidental splits so leasing helps reduce nodes.)

Can't tell if they did no reading on the topic as they refer to openledger, a 3rd party business, as the blockchain.

Then they claim its based on "market peg" idea when their entire business is based on gateways, custom tokens, and ICO's just like Waves but since 2014. Their innovative different idea is custom easy to make tokens? So basically this on bitshares since 2014?

In fact, Bitshares plan is based around unlimited third parties launching their own gateways instead of having to make an entire new exchange from scratch. Some of the gateways are mentioned here. Bitshares blockchain has no company in charge other than the very first DAO and doesn't actually control any of the gateways.

In contrast, Waves only has 1 official centralized gateway per coin controlled entirely by their company's permission.

Here's main issue: they are lying about how smart coins like BitUSD work while offering no trustless alternative.

image link

Their centrally authorized gateway offers trusted gateway backed coin no different from, for example, openledger gateway's open.USD.

"if everyone thinks something is worth 1 USD" - that's not how it works at all. (How it works)

Simplest example: at any moment anyone with 10 bitUSD can hit a settle button in their account and get exactly $10 worth in BTS.

The coins are literally pegged in value this way with real collateral stored safely with the blockchain smart contracts. There's no belief required. Steem Backed Dollar (SBD) works in almost same way. Good enough for Bitspark's UN project.

Advertising "Smart Contracts" on level of Bitcoin's scripts.

Smart contracts have existed for a LONG time. VIDEO

Bitcoin script language allows smart contracts (a or excerpt from b), for example nLockTime or multisigs, but limited in capacity for security reasons. We call them turing incomplete. BTC projects generally do not market smart contracts.

Eth scripting allows even more flexibility. However it markets often as turing complete, but, due to gas limits, actually turing incomplete as confirmed by Vitalik. Still, close enough on flexibility at the cost of security (e.g. DoS attacks eth was attacked succesfully with). Eth markets smart contracts all the time and thus we expect that term to be used for flexible smart contracts.

Waves markets using the term "smart contracts" confusing people into thinking they will be flexible, while simply improves on Bitcoin's scripting similar to how MAST will improve it on BTC.

Advertising regular scripting like some computer science advancement is misleading. Have to wonder how they think Bitshares multisigs, market pegs, oracles, prediction markets, margin trading work that makes theirs so special. (I realize I'm using the term here as well, but it's never been advertised officially, especially after eth afaik)

This specific item is more frequently used by shills than actual company - worth the mention.

5. Final message

Cryptocurrency space has a lot of faked news, nonsense claims made about other coins, done for possibly financial or malicious reasons. So many have began dismissing valid concerns as fake creating a strange world where all news must be positive or it's labeled "FUD" and dismissed. Peer review, the basis of the scientific method and best known way to establish accuracy, is being largely dismissed in cryptocurrencies.

None of the letters in "F.U.D." (Fear Uncertainty Doubt) mean "Inaccurate".

Waves issues are real.

Centralization, security, false marketing, tech slander are a real problem.

Note: I have WAVES since ICO and BTS and HEAT and UNITY and BLOCK and many DEX based coins - These issues are WAVES specific. I'm literally only holding Waves for profit because I think they might do so much marketing that anyone crying about issues won't be heard.

Also the auditor thought the issues he found were not significant and even bought some. He also bought Zcash with a known backdoor and some projects on politically centralized eth, so clearly trustless secure blockchains are not his priority.

They can also fix all issues in future, so fact check this post since it might be out of date. Feel free to correct me in comments.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  trending
  ·  5 months ago

Great article! I have no clue why anyone would consider waves when there's an existing proven platform in BitShares which is clearly what Waves poorly attempting to mimic!

  ·  5 months ago

I don't know how they can get away with saying that they are decentralized if they have centralized order matching. :)

  ·  5 months ago

Excellent read!

  ·  5 months ago

Congratulations @eosfan, this post is the tenth most rewarded post (based on pending payouts) in the last 12 hours written by a Newbie account holder (accounts that hold between 0.01 and 0.1 Mega Vests). The total number of posts by newbie account holders during this period was 1211 and the total pending payments to posts in this category was $593.49. To see the full list of highest paid posts across all accounts categories, click here.

If you do not wish to receive these messages in future, please reply stop to this comment.

  ·  5 months ago

Excellent summary.

  ·  last month

Sure, spending your life savings on WAVES might have been the best thing you’ve EVER done…
But you made the bought WAVES, you did it with one thing in mind… SHOOTING FOR THE MOON.
WAVES has that 10X factor, which you will have too when you wear this shirt in public. You will get the attention of others HODLing WAVES, and their girlfriends.
This comfy 100% cotton shirt can be shipped out in a few days.
Check it now - https://shirtspice.com/collections/cryptocurrency-t-shirts/products/waves-boom-to-the-moon-shirt

  ·  28 days ago

Great article! I'm not sure if I would consider waves since ETH have a much stronger platform. Maybe just because waves are cheap and anyone can create a value less token ..