This discussion is aimed at exploring which Admin Privilege findings we should continue to mark as valid, vs consider "out of scope", "known risks", etc...
The discussion requires taking both sides, as there seems to be no ideal, simple answer: a Malicious Sponsor must be called out for their malpractice; however, an Honest Sponsor doesn't like being told what they already know.
Context:
By end users here I mean "retail", "non-technical people": people that rely on an expert for their security.
While I would recommend that any person even remotely involved with Ethereum's tech learn the basics, we cannot assume that, and we know that the majority of users are "blind signers".
That said, we have a historical track record of our Reports being used to "prove" the safety of a Sponsor's system.
Ultimately this is natural, as C4 is 50% Crowdsourced Security and 50% proper Formal Audit (thanks to some legends in the community).
This means that our Reports are used as a marketing tool; in the right hands they are just proof of thoroughness (Project X did Audit1, Audit2 and even did C4 to iron itself out).
In the wrong hands, they are a tool to get a quick list of issues, dispute them all, and put the logo of C4 on their website.
Historical Precedents
Since day 1, we've had some findings that over time we ended up calling "Admin Privilege".
Admin Privilege findings are specific attacks that a Privileged Role can apply to the system in scope.
Because of their nature, they are controversial (if not outright insulting to the Sponsor); however, most sponsors (including myself) recognize them as valid, in that they are technically risks that the end user has to accept when using the system.
Also, while extremely easy to downplay, our space has seen these "basic mistakes" happen countless times:
- Project leaks its private key (PK)
- Project gets rugged
- Project is hacked
And ultimately, because of the anon-friendly nature of the space, it's impossible to discern between an Incompetent Project (leaks the key because of bad OpSec) and a Malicious Project (steals the funds and claims the keys were compromised).
There is ultimately no way of knowing.
The solution to the above is not a "more trust" or "more due diligence" type deal, as again we are not in a position to know whether the Admin did it on purpose.
The only solution to the above is to always flag those reports as valid risks that end users face when interacting with the contract.
This has been consistently practiced for a long time at Code4rena, and perhaps due to market demands is not being put into question.
The discussion's goal is to determine whether it's correct to flag Admin Privilege type findings, what the limit of absurdity is, and how these types of reports can be gamed.
While there have been oscillations in judging, I think a very strong argument can be made for Admin Privilege type findings to always fall under Medium Severity.
See gist for 2021:
https://gist.github.com/GalloDaSballo/881e7a45ac14481519fb88f34fdb8837
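To make concrete what an Admin Privilege finding usually looks like in code, here is an added illustration that is not part of the original post or of any C4 contest. Both contracts are constructed for this example: the first gives the owner unbounded, instant power over user funds (exactly the kind of privileged-role risk flagged above, whether the key leaks or the owner acts maliciously), while the second keeps the same administrative functions but bounds and delays them, which is the typical mitigation a judge or sponsor would point to when arguing the risk is acknowledged and limited rather than unbounded. Names such as UnboundedAdminVault, BoundedAdminVault, MAX_FEE_BPS and DELAY are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example (not from the original post): users deposit ETH, the
/// owner can set the fee to any value and sweep the whole balance at will.
/// A leaked key or a malicious owner can take every deposit in one transaction.
contract UnboundedAdminVault {
    address public owner;
    uint256 public feeBps; // fee in basis points, no upper bound
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function deposit() external payable {
        uint256 fee = (msg.value * feeBps) / 10_000;
        balances[msg.sender] += msg.value - fee;
    }

    /// Admin Privilege: owner may set feeBps = 10_000 and take 100% of new deposits.
    function setFee(uint256 newFeeBps) external onlyOwner { feeBps = newFeeBps; }

    /// Admin Privilege: owner may drain every user's balance in one call.
    function sweep(address to) external onlyOwner {
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

/// Hardened form, also constructed: the same privileges exist, but the fee is
/// capped, changes are delayed so users can exit first, and the owner can only
/// collect accrued fees, never user balances.
contract BoundedAdminVault {
    address public owner;
    uint256 public constant MAX_FEE_BPS = 500; // fee capped at 5%
    uint256 public constant DELAY = 2 days;    // users get time to withdraw
    uint256 public feeBps;
    uint256 public pendingFeeBps;
    uint256 public feeEffectiveAt;             // 0 means no pending change
    uint256 public accruedFees;                // only this much is owner-collectable
    mapping(address => uint256) public balances;

    event FeeProposed(uint256 newFeeBps, uint256 effectiveAt);
    event FeeApplied(uint256 newFeeBps);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function deposit() external payable {
        uint256 fee = (msg.value * feeBps) / 10_000;
        accruedFees += fee;
        balances[msg.sender] += msg.value - fee;
    }

    /// Users can always withdraw their own balance; there is no sweep function.
    function withdraw() external {
        uint256 amt = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }

    /// Step 1: propose a bounded fee change; it cannot take effect before DELAY.
    function proposeFee(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        pendingFeeBps = newFeeBps;
        feeEffectiveAt = block.timestamp + DELAY;
        emit FeeProposed(newFeeBps, feeEffectiveAt);
    }

    /// Step 2: anyone may apply the change once the delay has elapsed.
    function applyFee() external {
        require(feeEffectiveAt != 0 && block.timestamp >= feeEffectiveAt, "not ready");
        feeBps = pendingFeeBps;
        feeEffectiveAt = 0;
        emit FeeApplied(feeBps);
    }

    /// The owner's only way to move funds out, limited to fees already charged.
    function collectFees(address to) external onlyOwner {
        uint256 amt = accruedFees;
        accruedFees = 0;
        (bool ok, ) = to.call{value: amt}("");
        require(ok, "transfer failed");
    }
}
```

The point of the contrast is the one the discussion keeps returning to: the second contract still has an admin, so a judge can still file "owner can raise fees" as a risk users must accept, but the cap and the delay turn an unbounded rug into a bounded, announced parameter change, which is what distinguishes a Medium from a Low in practice.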
First Principles Questions, First Principle Conclusions
If we agree on the above, then the next logical question is what C4 is, or what we want it to be.
Do we want C4 to be a technical-only type firm? Or do we want to keep the user-facing nature of the Project?
If we keep it public, knowing the above, we have to agree that Admin Privilege has to be flagged.
Not flagging Admin Privilege allows malicious projects to create fake projects and just rug via Admin Privilege, while using C4 as a quick "We were audited bro" scapegoat tool.
Risk of Abuse, where do we draw the line?
A few specific instances are linked below, with the goal of sparking a discussion that can help us figure out how to best deal with these types of reports in the future:
[REDACTED CURRENT CONTEST FINDING]
Zora Nouns Builder, Vetoer, lack of Vetoer and Bribing
These three reports show the circular logic that we may run into whenever we deal with a Governance System as well as Admin Privilege.
I have judged these, and you should read the comments in depth to understand my point of view.
Anyhow, I don't mind disputing these as lower severity (e.g. Low), which I think can be argued for or against.
What I'd like to show is that if you pick any of the three as Med or Low, then you are logically bound to rate the others with the same severity.
That's because these three findings (to me), are different perspectives on the same issue:
Do we need to call this another trilemma? I think we can do without.
But I think you'll be hard-pressed to argue that a Vetoer is a totally good thing; it's not, it's a compromise, and the same goes for not having a Vetoer, as well as for any other governance attack which has been exploited in the past.
Request for Feedback
Do you agree with me that those 3 findings are logically equivalent?
(The Vetoer is a trusted party, which opens up risk; lack of a Vetoer is a risk; bribing is a specific attack when lacking a Vetoer)
Do you agree with me that, because of the historical context and the rules we have, given the logical equivalency, those 3 findings are all Med Severity?
Given the two above, do you agree with me that this situation shows "a glitch in the matrix", as due to logical equivalence, circular logic is made valid since it would otherwise create favourites?
What do you think we should do?
- Acknowledge and continue consistently with the convention
I'm thinking that explicitly acknowledging the contradiction, out of an interest in transparency to end users, is probably the best first step, meaning we will keep flagging these reports, fully knowing that the sponsor will disagree in the majority of cases.
- Acknowledge and create a new category, Admin Privilege
This is equivalent to the above and creates more work for the Judges, but should reduce attrition with the sponsor; Sponsor feedback should be sought to better understand this option.
- Find the line of absurdity
Let's further discuss the line between Admin Privilege and logical absurdity through nuanced, evidence-based discussion.