Overpowered owner in smart contracts: decentralized totalitarianism


asmus

March 24, 2019

Pavel Kondratenkov, an expert at SmartDec, a company that researches smart contract security, explains what an overpowered owner is and why concentrating power in one pair of hands is not the best option for crypto projects.

I am an auditor of smart contracts and I do not believe in a decentralized world. Colleagues sometimes tell me that an overpowered owner (a situation in which the contract owner has too much authority) is a problem. In such cases, I start arguing with them. At the same time, I myself note an overpowered owner during an audit as a rather important mistake. So is there a contradiction here? I hope this article will help to see what is happening on the other side.

An overpowered owner is a project design in which there are one or more owners who can manually invoke critical system functions.

According to our internal statistics, an overpowered owner is found in 37% of Ethereum projects. So why do developers keep building non-trustless systems? Because this system design solves a number of problems.

Smart contracts are immutable: once they are deployed, the code cannot be changed. A single undiscovered vulnerability can therefore break the entire system.

That is why some creators of smart contracts write features that help reduce the potential damage from an attacker's actions, for example functions that freeze the entire system or that add addresses to blacklists and whitelists.

Sometimes the owners of a smart contract keep the ability to change certain key parameters, for example when the logic for setting the values of these parameters is too obscure.

Imagine a situation in which the owner of a token contract can issue and burn tokens. These functions can be used to manage the economy in exactly the same way as in the real world with real currencies.

Let's be honest: we're all used to the overpowered owner. In the modern world, almost every project in any field has a person who makes the responsible and important decisions. Moreover, it is hard for a developer to come up with a decentralized system in a centralized world. Some prefer not to waste time on it and get at least something done as quickly as possible.

An overpowered owner is a fairly simple system pattern that is not difficult to explain to users. In the modern world, UX (user experience) is very important. And if an overpowered owner improves UX, then why not use it?

Despite all of the above benefits, an overpowered owner carries risks that should not be underestimated. As one great man said, with great power comes great responsibility, because that power can be used to do harm.

No one guarantees that the owner will not want to use that power in an unexpected way. For example, the owner can start stealing user funds or blackmailing users.

The user of a project with an overpowered owner must be sure that the owner takes the security of the private keys seriously enough, because the loss of a private key can cause serious harm to the project or put an end to it altogether.

An excellent example of such a problem is the KickICO project. Hackers gained access to the owner's private keys and stole tokens worth $7.7 million.

The overpowered owner paradigm assumes a small number of people managing critical functionality. This means that the bus factor for such projects is relatively low. It is one thing if the disappearance of the contract owner only means losing the ability to reduce losses from hacker attacks. It is much worse when the owner was vital to the existence of the project itself.

In my opinion, there should be no overpowered owner in projects. Of course, designing a system without one is not easy; a more complex architecture is required. But this is still a doable task. To make it at least a little easier, I would recommend looking at the design of similar projects.

If for some reason it is impossible to get rid of the overpowered owner completely (complex architecture, lack of time, etc.), I would recommend sharing responsibility. The principle of segregation of duties is a concept in which more than one person is required to perform a specific task. This means that more than one person is required to make critical or malicious changes to a smart contract. This can be achieved in different ways, for example with multisignature, a scheme that requires several signatures.
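
One way to apply this segregation of duties on-chain, as an added example (not code from the article or from any audited project): a token whose issue and pause functions, which a single-owner design would guard with one `onlyOwner` check, run only after M of N guardians approve the exact call. The contract name, the guardian set, `approve` and the nonce scheme are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; GuardedToken, guardians, approve and the nonce scheme are hypothetical.
contract GuardedToken {
    mapping(address => bool) public isGuardian;
    uint256 public immutable threshold; // approvals required (M of N)
    mapping(bytes32 => mapping(address => bool)) public approved;
    mapping(bytes32 => uint256) public approvals;
    mapping(bytes32 => bool) public executed;
    bool public paused;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(address[] memory guardians, uint256 m) {
        require(m > 1 && m <= guardians.length, "bad threshold");
        for (uint256 i = 0; i < guardians.length; i++) {
            address g = guardians[i];
            require(g != address(0) && !isGuardian[g], "bad guardian");
            isGuardian[g] = true;
        }
        threshold = m;
    }

    // Each guardian approves one exact call: hash of (selector, arguments, nonce).
    function approve(bytes32 actionId) external {
        require(isGuardian[msg.sender], "not guardian");
        require(!approved[actionId][msg.sender], "already approved");
        approved[actionId][msg.sender] = true;
        approvals[actionId]++;
    }

    // Runs the body only once, and only after M distinct guardians approved it.
    modifier needsQuorum(bytes32 actionId) {
        require(approvals[actionId] >= threshold, "quorum not reached");
        require(!executed[actionId], "already executed");
        executed[actionId] = true;
        _;
    }

    function mint(address to, uint256 amount, uint256 nonce)
        external needsQuorum(keccak256(abi.encode(this.mint.selector, to, amount, nonce))) {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function setPaused(bool value, uint256 nonce)
        external needsQuorum(keccak256(abi.encode(this.setPaused.selector, value, nonce))) {
        paused = value;
    }
}
```

Because approvals bind to the function selector, the arguments and a nonce, a quorum collected for one call cannot be replayed or redirected to a different recipient or amount, and one stolen guardian key is not enough to issue tokens or freeze the system.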

In extreme cases, there is nothing wrong with doing nothing. Although the blockchain was originally conceived as a trustless system, this does not mean that every project on Ethereum should be trustless, as it has other advantages.

An overpowered owner is a particular system design with its own advantages and disadvantages. Despite its advantages, I would recommend not using it. If this is not possible, then I advise you to adhere to the paradigm of sharing responsibility. After all, even in the modern world, there are such things as stocks, the board of directors, etc.