EIP-4736: Consensus Layer Withdrawal Protection

I have some potentially valuable info on the history of these types of EIPs. I also have some thoughts on EIP-4736 specifically.

Many people would cite EIP-999, the EIP that set out to recover stuck funds from the 2nd Parity multi-sig wallet failure, as an example of why there should not be recovery or various social fund recovery mechanisms for lost or stolen tokens. There is actually an older, more complicated, example of this idea.

EIP-867: Standardized Ethereum Recovery Proposals (February 2018) set out to develop a standardized format for different fund recovery requests. The EIP notes in the Simple Summary section: "This EIP does not advocate for or against the acceptance of any particular recovery proposals, nor would its acceptance alone result in any state changes to the blockchain." There was discussion for this EIP on GitHub and EthMagicians. It basically didn’t go anywhere because some people said that they didn’t want to set a recovery standard without the mechanisms in place, and proper buy-in, to execute the recovery proposals submitted. An idea that was tossed around was having a council of trusted community members decide which ERPs should be honored. There was even discussion of who should be on the council, and many people who were qualified were not interested due to the time sink and risk it would likely involve.

EIP-4736 has a noble goal, just like EIP-867. It sucks to have funds lost or stolen, especially when it involves validators, because that generally means you lost a considerable sum of money, 32 ETH. There needs to be more empathy in the ecosystem around this in the form of brainstorming ways to prevent mistakes from happening. This does not mean that a recovery mechanism built into the Ethereum protocol or layers around the protocol is the answer. EIP-867 did have one category of ERP that was interesting to many. It said that if the lost coins could be computationally proved to be lost and to belong to the user, that would be applicable.

In December 2015, there was a bug in ethereumjs-utils (now web3.js I believe) where when an address was being generated, the wrong address could be derived from a private key. See this forum post and this Reddit post. This is something that could have been (and still could be) accomplished by proving you had the misderived key. Now that time has passed, it would be harder to get this type of recovery accomplished, but it still provides an example of where recovery is somewhat warranted in my opinion.

Ethereum strives to be both immutable and as unbiased as possible at the protocol layer when it comes to dapps and token allocations. If the worst dictator in the world has millions of ETH (and it is not affecting the health of the protocol) they should not be taken away from them because 95% of the world hates them or thinks they are evil. The exception to this is The DAO recovery, but time has shown this was a one time event that did not set a precedent. It was (arguably) necessary for a blockchain that was so young to make that choice for the good of the ecosystem, but now Ethereum is mature enough to steadfastly reject interventions at the protocol layer like that.

That is not to say 4736 is that entirely. It says that a lot of what it describes would need to be decided on by CL clients to implement. The issue is that for the specification to not get convoluted and introduce more complexity (which increases the chance of vulnerabilities), this EIP would need wide buy-in from the community and core devs. I do not see that buy-in currently and don’t anticipate it happening.

My top specific issues with the EIP are these:

  1. It is unclear how many people would be affected by stolen or lost validator keys/staked ETH. I have seen people supporting EIP-4736 saying it is numerous people, but have never seen released estimates by anyone. If there is no way to even get rough estimates, it comes into question whether this EIP is worth the dev time, the debate that will distract the community, and complicating the Ethereum spec.

  2. The proposal seems to have a lot of things users have to do to recover their funds. Are there UI mockups of what a webpage for recovery steps or clickable links to recover funds would look like?

  3. Kleros court is not a good choice for arbitration of protocol layer issues. There are many reasons for this, and most of them do not have to do with how good/bad/effective Kleros court is in general (although I have heard bad things that are unresolved about favoritism and lack of transparency). The issues are:

     a. If your EIP is implemented, a bad actor could effectively and cheaply DDoS both Kleros court and the withdrawal protection system. The mockups say Kleros court will make a decision in 7 days, but I doubt they will be able to handle tens of thousands of requests. If you do not believe it will be, at minimum, tens of thousands of requests, then the issue of lost/stolen funds in general for stakers is a very, very small fraction of the total stakers.

     b. Kleros has a token related to their system, which would potentially put protocol developers and orgs in trouble by effectively integrating an org with a token that still has legal entities (isn’t fully decentralized). The regulatory challenges would be vast.

I am a big proponent of the belief that on-chain governance (like Polkadot) is ineffective and results in oligarchies. I am not sure the same would happen with Kleros, but there would be ample incentives to act maliciously as a Kleros juror or others involved in the system.

Ethereum’s protocol and software that builds directly on top of and influences the protocol need to remain as neutral as possible to allow the most freedom of dapps and security/trust by the community. EIP-4736 has good intentions, but is unfortunately not something I can see happening.
