Freeze stfil user’s transferred asset address

[justinjuarez3518]

FIP: #990

Currently, more than 4.5 million FIL of Stfil user assets have been transferred to “unknown addresses” - https://filfox.info/en/address/f410falck3ysg7e2k4outtq2r24ytd66cuddydnoga6a, which most likely belong to the police.

According to "customary practice" these assets will soon be sold off in the secondary market, and all investors and community members should pay attention and take action.

I propose that FF and PL should make freezing this account and formally consider how to implement it and take action!

[jennijuju]

I have been closely following what’s going on with stfil protocol in the past couple days and have been quite evolved in a couple (now) community self-organized effort in response of what’s happening, so I have decent context on (1) what happened that’s shown as fact on chain, i.e smart contract activities; (2) what may or may not happened off chain, I.e: what allegedly caused protocol changes in stfil pool. I also have a lot of sympathy for the impacted teams and users, and have been working with community teams to support some impacted individuals.

The following might be controversial: I personally do not think this is a good idea. The token movement was triggered by a series of signed transactions & user contract logics, it doesn’t seem to be caused by bugs in the l1 protocol or bugs in smart contract (disclaimer: I’m not suggesting l1 protocol should shift and react to smart contract bugs or not) . It will be a bad precedent to introduce censorship of FIL movement in blockchain protocol (that’s outside of the filecoin token econ protocol).

Also, driving fip consensus, deploying protocol changes and network upgrades takes time. Fwiw I think it might be possible (hopefully) for the community to do an emergency upgrade for resolving some critical network consensus/security issues that severely impact network stableness and security - I don’t think this is one of those issues. There is also much unknowns to what’s effective to what the proposer want - the funds might move again to a different address during anytime from now before an upgrade, what do we do in that case?

I’d like to keep brainstorming / establishing supports that could help impacted users, but I personally don’t think this proposal will be one of them.

[ansermino]

I very much support @jennijuju's perspective here. This is not a situation where protocol-level censorship can be reasonably justified. (There aren't many....)

Allowing a protocol-level resolution would set a bad precedent that would ultimately degrade the guarantees offered by the protocol. A FIP like this might make more sense in a context where the guarantees of the protocol are inadvertently violated, but even this would need to be approached with extreme skepticism.

In my view, both the stFIL miners and token holders should be aware of the risks of engaging with a such a novel application. This is an unfortunately reality of our industry, and the STFIL team did take reasonable measures to communicate this to prospective token holders and miners. Measures to counter the effects of these recent events are valid and in the best interest of the ecosystem, but need to come through other means.

[anorth]

(I deleted a reply here that is duplicated as a top-level comment below)

[CodingJzy]

Not many in quantity? Do you have a conscience when you say this? How many Chinese fans have earned this hard-earned money?

[CodingJzy]

There is an ancient Chinese saying that whoever wins the hearts of the people wins the world。
How great is your protocol layer? What happened to the protocol layer? What would happen if the protocol layer was changed? You didn't make any changes. The coin price of FIL is so low that no one is optimistic about it. If you make any changes, you can make them. It's even better to reset to zero

[CodingJzy]

I am a loyal fan of Filecoin and one of the victims. I have the following thoughts, which may seem naive

1. Filecoin has teamed up with major exchanges to blacklist and freeze the address, prohibiting the account from recharging and monetizing. We cannot appeal, but the official appeal should be stronger, after all, this amount of money is converted into nearly 100 million yuan.
2. Ethereum has also made a strong fork, and as L1, Filecoin should be able to do something and must do something. I am not very familiar with technology and would like to ask if it is possible to roll back all transactions until the STFIL contract is updated or the transfer is made to that address. Is this costly, and how would normal transactions and blocks be handled during this period.
3. Protocol laboratories or foundations, such as charity, will distribute some of your locked coins to those with STFIL balances, and then destroy all STFILs. Although you may not be willing, on the contrary, this action will undoubtedly be FIL's biggest shot in the arm.

[Stebalien]

As a core dev, I agree with @jennijuju's take on this: I have sympathy but intervening would set a bad precedent. Furthermore, such an intervention is unlikely to gain wide community/SP acceptance due to concerns about setting such a precedent. At the end of the day, the L1 protocol is working as correctly.

I'd also like to highlight how this differs from Ethereum's "DAO Hack": The DAO Hack took advantage of a poorly understood edge-case in the EVM, arguably a bug. The Ethereum core devs intervened because the protocol itself was, arguably, at fault.

In the STFIL case, the STFIL contract, multisigs, etc. all worked correctly, they just weren't secure against rubber-hose cryptonalysis. The only protection against such an attack is decentralization: you can't reveal keys you don't have.

[Stebalien]

To be clear, PL/FF has no power or authority to do anything without community consensus; we've seen many less controversial FIPs fail for this reason in the past. Any action here means a hard fork, requiring consensus between the SPs, core devs, and token holders. I doubt that'll happen.

[CodingJzy]

You are just thinking from the perspective of developers, but have you ever reflected on why the FIL coin price is so low? If it comes to technology, have you solved the pain points of FIL? What is the ecosystem of a few years of FVM development, and how high is the TPS of FVM? If you start an IPC and procrastinate every day, have you solved it? Your technology is not good, and you still want to talk to us about technology and consensus. The biggest consensus in the cryptocurrency circle is capital. If you have money, you are Dogecoin and Pepecoin. If you don't have money, even if you have good technology, it's garbage. Moreover, your technology is not very good. It's not me targeting you, such as the Poka project and the near project. The technology is also good, but the ecosystem is crossing, and if you talk about technology, you lose,

[15012700225]

FIL+ can be implemented without a vote, I don't know what else can't be done?

[AnomalRoil]

Note that if the argument not to intervene is "the amounts and number of users impacted are to small to justify it" or "the stFIL situation is not a protocol-level issue, but a community one and code is law", then a whale (such as PL or FF) could also propose to take upon themselves the "burden of the incertitude" with the stFIL situation by proposing a smart contract that exchange stFIL for FIL, allowing the stFIL userbase to recover FIL in exchange for their stFIL. Effectively solving the issue without requiring a FIP.
Saying PL/FF has no power to help is therefore not true. Any whale could help if they wanted.

If the stFIL situation is not a "hack" or a "rug pull", this would mean the said whale would be able to swap the stFIL they would accumulate back to FIL once the stFIL smart contract is "fixed". Or is the stFIL smart contract too broken atm to allow for stFIL transfers? That doesn't seem to be the case afaik.

Knowing that as per #943 more than half of the circulating supply of FIL has been vested in favor of FF and PL, 5M FIL seems like not much "stake" for them, unlike for the users who might have trusted stFIL because of how official accounts, employees and related projects seemed to promote or support stFIL and collaborated with them.

Furthermore, saying this should not be solved at the L1 level is an opinion, but if the majority of the community does want to solve it at the L1 level, then so shall it be lest it leads to a hard fork anyway. (Whether that's what the community wants or not is unclear at best to me at the moment, all I can see is that the core-devs are advising against doing so while some users are asking for it.)
What is making a fork less likely to happen in this case, I guess, is that it appears SPs are relatively unimpacted by the issue, since it doesn't lead to a loss of funds to them, but only to the users who lent the said SPs their funds in the first place and are now unable to swap their stFIL for FIL.

[vladimirhf]

Agree. I think FF should take on this responsibility, as they promoted the stfil and made it believe that it was one of the safest, without raising any suspicion about the activities of its members. FF could exchange the stfil tokens from holders and try to recover the lost filecoins in court. It's not much for the foundation, but it's a lot for small investors.

[Arthurfero]

I agree with vladimir. FF should take on this responsibility, as they promoted the stfil and made it believe that it was one of the safest, without raising any suspicion about the activities of its members. FF could exchange the stfil tokens from holders and try to recover the lost filecoins in court. It's not much for the foundation, but it's a lot for small investors.

[dannyob]

So it’s not entirely relevant to the FIP discussion here, but I want to gently push back against this idea that the Filecoin Foundation promoted STFIL to any special degree except as one of many projects in the ecosystem as a whole, or made any claims about the quality of its services.

First— though I imagine obvious to most of the folks here — the Filecoin ecosystem isn’t run by the Filecoin Foundation. FF has a few limited functions that any open source software foundation (like, say, the Linux or Apache Foundations) performs for its ecosystem participants. They include managing governance, some dev and other grants, legal and policy work, and running some of the events and comms channels that promote the network as a whole.

As part of that advocacy of the network, we’re frequently point out many different builders, but never with the intention of promoting one service over another, or trying to endorse one or the other as the “officially approved” product.

On the contrary, we try hard to be even-handed toward all our builders. Our aim is convey the diversity of the system, not pick winners or act as advocates for any particular service.

We may disagree, but I went through your examples, and I don’t believe I see any that I think a reasonable person would read as anything except a mention of STFIL as part of general promotion of the many projects in the ecosystem — including the ones that did not come from the Foundation at all.

To be specific:

Example 1: Lists the STFIL twitter account, but only five tweets down in a thread talking about “800+” projects, along with four other competing leasing services.
Example 2: This is from Ansa Research, not FF (they run the Filecoin twitter account, FF is at @filfoundation). They just describe the product, and encourage you to “learn more about STFIL and the team behind it”.
Example 3: This is from Ashwanth, a PL employee with just 362 twitter followers (sorry Ashwanth). Again, even in this personal Twitter account, Ashwanth mentions his followers they should “check out” STFIL, along with alternatives like GLIF, SFTProtocol, CollectifDao “and more”. It’s clearly an attempt to convey the breadth of services on the network, not highlight or recommend a particular tool.
Example 4: Again, this is from Ansa: again, it’s a leaderboard of the leasing services, not singular advocacy of STFIL.
Example 5: Okay, this Ansa tweet is the first one to exclusively mention STFIL. It also ends with the text: “This information is for informational purposes only and is not intended to constitute investment, financial, legal, or other advice. This information is not an endorsement, offer, or recommendation to use any particular service, product, or application.”
Example 6: This is from the Foundation, but it’s a single entry from the FF Ecosystem Explorer, which again aims to be a showcase of all the projects on the Filecoin network. (It notes that it isn’t exhaustive, but only because it’s so hard to track everything.)
Example 7 This was a recording of a talk that STFIL gave at EthDenver: they applied to speak. FF gave them one of the many slots at our booth, as we did with many other projects. Again, the point of the booth was to provide a venue to showcase any and all projects.

This is pretty much par for the course. STFIL also sponsored an event FF ran in Las Vegas, unless I may have missed something, all of FF’s mentions there highlit their status as a sponsor, rather than their product. They spoke at Fil Dev Summit, an event that FF did not run but did sponsor, etc.

If you revisit any of these Twitter or Youtube accounts, you will also note that these mentions — whether it’s by FF, Ansa, or individuals who care about Filecoin — are part of a constant stream of call outs to hundreds of our ecosystem projects: the aim of which, again, is primarily to convey just how wide and vibrant the whole Filecoin platform is. Again, I may have missed something (and I asked our comms team to send me everything FF has ever said about STFIL, plus as much as they could find from other prominent figures who talk about Filecoin, including Ansa and PL), but I haven’t seen anything that I would reasonably imagine would lead someone to decide, solely on the basis of that mention alone, to become an STFIL customer.

Okay. That was a lot, and somewhat of a side quest compared to the FIP proposal. I really don’t intend to diminish the pain and loss that many customers of STFIL are feeling, and we at FF along with others are continuing to do what we can to help everyone affected. I just wanted to make clarify that FF did not make the heavy promotions that this post and others might imply.

(If anyone wants to get into a further discussion about this, it may be better to continue it on the stfil.info site where a similar discussion is taking place, rather than distract from the technical proposal here. If you want to hear updates on what we and others in the ecosystem are doing to help, I update as often as I can in the #stfil-response channel on the Filecoin Slack, which you can join here.)

[jsoares]

Based on public information, it appears that the funds were seized by law enforcement as part of a judicial inquiry into potential financial crimes. This is not the DAO hack, and I'm not aware of any evidence of foul play.

While the STFIL team should be considered innocent until proven guilty (and I have no reason to believe that they are guilty), the proper response to a judicial seizure of funds is to seek remedy within the legal system. Weaponizing the L1 against the police is generally a bad idea and could expose other network participants to criminal liability. I am strongly against the proposal: code is code and law is law.

A proposal to reimburse the affected lenders using other funds (e.g. from the mining reserve) would likely not carry the same risks and would be more palatable. Nonetheless, I likely would not support such a proposal: STFIL users were paid a premium for the risk they took, unlike the uninvolved network participants who would be diluted to make them whole.

[vladimirhf]

So it's not censorship resistant: Governments can rewrite the code and confiscate assets just because they can. Code is code and law is law. Even if stfil members are guilty of something, the assets don't belong to them.

I know it was not on L1, but staking is an important part of the ecosystem that cannot be neglected.

[jsoares]

Quite the contrary: L1 censorship is precisely what the OP proposes, i.e., limiting the ability of an account to transact. I'm arguing we shouldn't go there or set that precedent. Even if you support it in this particular case, keep in mind that the precedent goes both ways.

[vladimirhf]

Who are the bad actors? What is the purpose of a blockchain?

I don't know what kind of threat makes someone hand over their private keys.

This also could set a precedent for layer 1 to be affected one day, if a government decides.

[CodingJzy]

Since the quantity is not large and there are not many users, could you please ask the foundation and protocol laboratory to take out a small part of yours? Your billions of fil, this 5 million fil is indeed a small amount for you. Are you willing to take it out? Funny,

[Derek-zd]

这种傻逼提案要是实现了，FIL 价格 估计就 0.0000000000001 U了。

[raulk]

Chiming in to concur with @jennijuju, @Stebalien, and @jsoares. I empathise with STFIL holders. I've been engaging since the beginning to help at a technical level. I'm planning to post an X thread soon, so stay tuned. However...

Neither the Filecoin/FVM platform nor the STFIL contracts themselves behaved unexpectedly. Based on what's public knowledge, a state actor appears to have launched an investigation on the STFIL team, and these funds are allegedly under some form of seizure (judicial, executive?). The agency gained access to the admin multisig via the investigation by obtaining the keys of 4/6 signers (at least). They deployed a set of contract upgrades to block withdrawals for LPs, and to presumably take possession of liquid FIL in the staking pool.

In my opinion, the Filecoin community/ecosystem should have no interest in antagonizing or interfering with an ongoing investigation; this is bad precedent to set, and dangerous for the entire community. Affected parties should organise to seek legal counsel.

Re: comparisons with the Ethereum DAO. The latter was a self-funding mechanism, so its early hack became life-threatening to Ethereum itself. Futhermore, it exploited and exposed a rough edge of the nascent protocol (reentrancy). In fact, that was the start of arguably the most recurring smart contract development advice ("guard against reentrancy"). Conversely, STFIL is one application-space lending pool out of many, and no technical gotchas were exploited that I'm aware of.

[15012700225]

After the unfortunate incident of stfile, FF has always emphasized the importance of centralization, and at the same time has been promoting the FIL+ community project with a tendency to centralize, even if there are different opinions, it will be ignored. We call on the community to use the same standards to evaluate its recommended projects. The community must be neutral and cannot have double standards. Has FF assessed that FIL+ has similar risks? If so, what is the solution?

[dannyob]

Do you mean that FF (and the Filecoin project in general) has emphasized the importance of decentralization? If so, I agree with you. And yes, I think many of the concerns people have with Fil+ is that it has a centralizing effect, or gives too much power to a few actors. Do you have any particular thoughts to what lessons could be learned from STFIL and applied to the current implementation of Fil+?

[vladimirhf]

2 simple lessons
audited smart contract means NOTHING.
miners or staking pools should never code.

[vladimirhf]

It may not have been a code problem but it is a serious conceptual flaw

[15012700225]

Decentralization + centralization = centralization. PL/FF needs to prove that it is safe and solve users' security concerns about centralization and possible unfair benefit transfer. In my opinion, FIL+ has changed the protocol and it would be inappropriate to make big changes without a vote from the community.

[YangWenen]

Although I hold great reverence for the ideals of PL and FF, which is why I hold FIL, if this matter is not properly handled, I will be completely disappointed in Filecoin. I believe the entire Chinese community feels the same way. Over the years, the Chinese community has made tremendous contributions to Filecoin. In the early days of mining, many of us investors invested in mining equipment and tokens, only to see the prices skyrocket and get stuck. However, we still believe in the grand vision of Filecoin and continue to hold on. Later, as China's policies changed and mining was banned, many miners were investigated by the police and had their assets confiscated. Although there were some bad apples among these miners, investors were almost wiped out in this purge. Afterwards, the remaining investors and miners began moving their nodes out of the country, and those who stayed were cautious to avoid police attention. After the launch of FVM, we investors seemed to see hope, as we believed in the protection of smart contracts and no longer had to worry about miners being controlled by the police or running away with the money. Unexpectedly, even smart contracts could not protect us this time, and this smart contract was a top project strongly supported by FF officials. If we cannot trust this, what can we trust? Can we only trust Bitcoin? Only trust offline wallets? I hope FF can think from the perspective of Chinese investors and consider China's special national conditions. If all efforts cannot stop the greed of the police and their inhumane handling of cases, then a hard fork may be the best option in the worst-case scenario. The spirit of decentralization is indeed important and cool, but if it is exploited by bad people, is this decentralized technology still just? There is a Chinese saying, "Things are dead, people are alive." It means that people hope to be flexible and not dogmatic when dealing with things. I am not a technician, and I don't know how to deal with it technically for the best solution. This relies on the geniuses of FF, but I hope not to completely reject the hard fork option from the beginning, at least leaving room for discussion. Finally, I want to express my respect for FF's grand goals again, but please don't leave us ordinary followers behind on the road to achieving these grand goals. You are like Moses, leading us out of Egypt. Please lead us all the way to Canaan and don't abandon us in the wilderness.

[baseonejj]

This requires changing the code so that all miners can upgrade and agree.