Remove and Secure the Stablecoin Terra Market Swap

eduardo_robles · October 1, 2022, 9:06pm

Apoyo la propuesta!!

Joe_Smith · October 1, 2022, 10:17pm

Another model proposal @ek826 !

Proper governance of discussion before draft
Simple solutions that remove complexity
Cleanup of legacy vulnerabilities
Pisses the IBC complex repeg let’s exploit-it-all crowd off.

100% Supported!

RedlineDrifter · October 1, 2022, 10:56pm

Hey Ed appreciate all the hard work your doing and in general believe you are working in the right direction but I’m strongly against this proposal. The stablecoin swap was/is one of the key features of the LUNC network. The issue is with the feeds that the oracle receives not the oracle itself if I’m not mistaken. So should we not fix this issue rather than tearing the whole thing down and replacing it with nothing of benefit.

While this proposal makes 4lex_4sh4w’s proposal much easier to carry out (which I’m now against as this issue highlighted for me how it cannot work with multiple stables) it does so at the expense of the best utility/feature LUNC has to offer. If the proposal is for a temporary 100% Tobin Tax until the oracle feed issue is sorted. That would be something we could get behind.

But again I think removing the swap on anything other than a temporary basis will be detrimental to the future of the LUNC network.

Moiz_Bokhari · October 1, 2022, 11:34pm

I see you’re going on with the roadmap you uploaded on Terra Rebels’ site. Keep it up and I say this after thoroughly studying this proposal. Hope to see Rebel Station & Rebel Wallet as well.

ek826 · October 2, 2022, 1:39am

thanks Redline,
For sure the swap is the unique feature and something that we would definitely want to bring back. The issue is that the oracle does not have strict enough capital controls and we do not feel comfortable with it running in its current state. It is both the feed is not secure, and also running sha-1, which is cryptographically broken (The end of SHA-1 on the Public Web - Mozilla Security Blog).

tqt1970 · October 2, 2022, 2:14am

I’m for sure support this Ed

aeuser999 · October 2, 2022, 9:04am

Hi @ek826 ,

Am I right though in thinking the SHA-1 issue is with the oracle feeder and not the oracle price-server?

This appears like it might be for the local server keystore rather than a TLS certificate issue. If so, I agree that is still a vulnerability surface for the data on the physical disk, however there are mitigations such as making sure correct storage rights to the file are limited access, and potentially manually encrypting after update-key and unencrypt before oracle process start for the feeder (using an appropriate cipher with appropriate message digest) and remove file after the oracle processes start successfully.
- (terra-rebels): https://github.com/terra-rebels/oracle-feeder/commit/0745b843581f5558923280b5c461bcf852c42665
- Since this is where the function encrypt() appears to get called:
  - (for terra-money): https://github.com/terra-money/oracle-feeder/blob/main/feeder/src/keystore.ts#L72
  - OR (for terra-rebels): https://github.com/terra-rebels/oracle-feeder/blob/main/feeder/src/keystore.ts#L73
If for some reason I am missing something though and it is an SHA-1 with TLS certificate, then this would make a difference since as long as the validator is using a localhost https://localhost:8532/latest for the price server, and a localhost for LCD, then this should mitigate this (at least until an appropriate fix). I do realize that some of the validators (maybe most) may choose a backup source for LCD beyond the localhost (so that could be an issue - although those with redundant systems that have a separate local LCD could use that server acting as a backup LCD over a secure tunnel).
It would still be using the same SHA-1 (either for keystore encryption, or if it is a certificate issue, then for certificates) for the oracle feeder for feeding of LUNA external pricing. It seems like even though the LUNA <> TERRA swaps are not active currently for market swaps that it could still have the same vulnerabilities if bad data were fed regarding internal valuation of LUNA<>SDR and SDR<>OTHER-TERRA for system valuation (particularly staking)?

Again, I am just going on a cursory look since I am struggling time wise right now (and not giving this the appropriate level of review, and going from memory - so I do acknowledge I may be missing something and/or may be incorrect). I agree on the security issue regarding SHA-1’s vulnerabilities. The issue really is that even with the stables swaps turned off using either tobin tax at 100%, or removal of Terra pairs from the oracle whitelist, the validators will still be using the same oracle feeder with SHA-1 (either for keystore encryption, or if it is a certificate issue, then for certificates) for LUNA external data (as well as for the TERRA pairs if the 100% option happens). I have concerns how it may affect SDR as to internal valuations - particularly:

how the 100% tobin tax on that particular denom may affect things internally (if at all - which it appears from what you have mentioned, and in testing so far, it appears it may not); and
if the remove whitelist denoms happens (instead of the 100% tobin tax) it may mean there would be no external pricing for SDR (which is used for much of the internal valuation).

If the oracle is turned off all the way, then the validators will get penalized - so at lest in its current implementation the oracle still has to be feeding the prices using SHA-1 (either for the keystore local encryption or with a certificate if it is a certificate issue).

It just seems like there are appropriate mitigations that should be applied anyhow, given that it would still use oracle pricing for some internal valuations, until an appropriate fix with the oracle feeder is able to happen (these above as potential for the SHA-1 issue, along with the potential recommendations regarding varied data source priority for the oracle price server). While I can agree that either the 100% Tobin tax or the removal of the oracle whitelist would prevent TERRA<>TERRA swaps in most situations (it appears all situations for the removal of the whitelist), there is still a valuation aspect to the LUNA<>SDR/SDT and SDR/SDT<>OTHER-TERRA (particularly USD/UST) where the oracle would still be used (with the SHA-1 vulnerability).

Thank you so much for your consideration, and with appreciation

SmartChainStack · October 2, 2022, 12:16pm

Great article and the reasoning supporting the proposal is valid. I am in favour of the 100% Tobin tax option.

fragwuerdig · October 2, 2022, 12:24pm

I don’t know.

The purpose of these coins was to remove currency risk from the holders. If you are not in the US then your local currency is traded against the US dollar.

This means that USTC is not a stablecoin from your local perspective. If the whitelisted denoms are removed, then you are removing access to Terras stablecoin feature for the rest of the world that support the TerraRebels movement.

Is this fair?

GrinSpickett · October 2, 2022, 2:50pm

Good question

Right now there is an option to auto swap rewards to lunc when claiming. They’re a small part of rewards, but they’re part of rewards.

Othman_CHENNA · October 2, 2022, 6:30pm

If this will help repeg ustc : yes.
what is the proposal id ?

Restlessmonkey · October 2, 2022, 8:44pm

i never recieve that option how can i ensure to activate that?

RedlineDrifter · October 2, 2022, 10:11pm

It’s completely understandable to disable the swaps while they can be exploited. I was just concerned they’d be disabled permanently, but it sounds like we’re on the same page.

As for the capital controls, I think the basic theory behind the algorithm to control the market though - minting, burning, spread fees, and the Tobin Tax is correct. But its implementation and the equations that power it are very weak/insufficient. Looking at the maths in Terra Docs it’s clear they were a vulnerability and prioritised movement of capital over stability, but with some modification you could have a bulletproof system.

Vendrugo · October 2, 2022, 11:02pm

No exchange uses those tokens. So its usefulness is negligible. I myself want to get rid of the ones I have because I don’t see any use for them and I always have to convert them to USTC

RedlineDrifter · October 3, 2022, 12:25am

Currently that may be the case, but with the huge global push towards digital currencies and crypto. Having this base of stables is a huge asset, and would make our blockchain more globally accessible and much more enticing to build on for those selling products/services.

fragwuerdig · October 3, 2022, 5:35am

Doesn’t matter. You were always able to exchange your, say, EUT to Luna on terraswap and then sell on an exchange. I was okay with bearing that risk in that short period of time. And the fact that your staking rewards consist of these tokens shows clearly, that they are being used as store of value.

painkiller · October 3, 2022, 7:50am

Yep…and if the proposal get approved…the swap feeds to this coins should be 0

Ozi_Tz · October 3, 2022, 8:49am

I support this proposal!

Incognito_Trader · October 4, 2022, 10:12am

Hello. I wrote and translated me proposal from other language so there may be mistakes

and Also I cannot understand how to post on Agora because I am new registered that’s why I post it here

We all know that the LUNC blockchain was a blockchain of stablecoins, the main one of which is UST. And that was his peculiarity. Therefore, the community should preserve this feature and this functionality. This means to revive and restore the binding of UST and other stablecoins to their fiat counterparts. Without this, the Lunc blockchain will lose its peculiarity. Also , we should not mint new analogues like USTN , this will undermine the credibility of the blockchain . We need to show future investors and developers that we can recover.

The first thing to be done is to RESTORE the binding USTC=1$

How to do it?

At the moment, I often see posts on Twitter addressed to CZ Binance. Unfortunately, the community wants someone to solve their problems. I propose such a solution. It is up to the community to do this. How?

It is necessary to restore the work of the blockchain in the form it worked before the crash and, PLUS, add here the function of maintaining the USTC rate not by minting new LUNCS, but by withdrawing them from the remuneration of miners.

I’ll give you an example. Approximate calculations if the idea is interesting, let the mathematicians do the calculations.

Let’s assume the rate of 1 USTC = 0.9 $, taking 10% of the reward from the miners

1 USTC = 0.8 $ taking 20% of the reward from the miners and so on until full recovery.

— miners are not happy (but they will earn on the growth of the exchange rate and also when the binding is restored 1 USTC = 1 $ everything will be as usual

— – We will get rid of the spiral of death, Restore trust in the blockchain, and it will also serve as a protective mechanism against the fall of USTC, because if everyone knows that there is such a mechanism, then people themselves will buy USTC when falling in the hope of making money on the difference knowing that there is such a protective mechanism

With best wishes Incognito trader

Ian_ch · October 4, 2022, 11:16am

I support