Original author: Archipelago Network
What is an admin key?
Admin key is the administrator key. You can think of it as a master key that can open the backdoors of all game machines in an amusement park and take away all coins. The administrator key can access and control any account in the entire system. The administrator key enables a specific entity (individual, company, DAO organization, etc.) to have management rights over the entire system, including control over accounts, permissions, data, etc.
Imagine that when you go to a bank to open an account, you accidentally read in the fine print hidden in the terms and conditions that "the bank reserves the right to change your account balance at any time". Perhaps at that moment you will be shocked and scared, because the bank can freeze your account at any time. In the most extreme case, if the bank goes bankrupt, personal funds cannot be retrieved. Admin key is a term that any developer is very familiar with. These control keys with full access rights allow developers to modify or replace anything in the smart contract that supports their project, and even adjust user balances.
Let’s take a look at what a simple representation of an Admin Key code might look like. Admin keys are typically used to perform critical operations such as updating contract code, adjusting contract parameters, pausing contracts, setting up new administrators, etc.
pragma solidity ^0.8.0;contract AdminContract {address public admin;bool public isPaused;constructor() {admin = msg.sender;isPaused = false;}modifier onlyAdmin() {require(msg.sender == admin, "Only the admin can perform this action");_;}modifier whenNotPaused() {require(!isPaused, "Contract is paused");_;}function updateAdmin(address newAdmin) public onlyAdmin {admin = newAdmin;}}
Vitalik revealed that both L2 and Rollup have backdoors!
A recent hot discussion on Twitter is about Vitalik Buterin saying that both L2 and rollup on Ethereum have a backdoor for protocol developers to intervene and make changes when needed. However, Cardano OG Chris O disagrees, arguing that the Ethereum network is not as immutable, permissionless or censorship-resistant as widely claimed.
In fact, this is not recent news at all! Instead, Vitalik talked about this topic in an interview with Balaji in the first podcast The Network State Podcast on February 7, 2023, six months ago. The original words in the video are as follows:
“And the other thing that I've talked to the rollup teams that they all want to do next year is they want to start taking offtraining wheels, right?So the roll ups and layer twos that exist on Ethereum today, they basically all have what I call training wheels, like some kind of backdoor that lets developers come in and say, stop and change the protocol if they see that some kind of bug has happened.”
“Another thing that I discussed with the rollup team is that they all want to do next year, they want to start taking off the training wheels, right? So the rollups and layer twos that exist on Ethereum today, they all basically have what I call training wheels, like some kind of backdoor for developers to come in and say, if they see some kind of bug happening, stop and change the protocol.”
“Training Wheel” refers to the training wheels that children use to learn to walk. It is used in Ethereum’s Rollup and Layer 2 metaphors. In Vitalik’s view, the current Layer 2 expansion solutions are not mature enough and cannot achieve complete decentralization and independence. They basically have auxiliary control measures and disaster recovery mechanisms so that developers can still modify the deployed protocols in case of errors. In most cases, this “training wheel” is actually the administrator key.
In the world of cryptocurrency, you can clearly find similar user terms of use in all centralized exchanges. The moment you register an account, you agree to the CEX's access and custody rights to your assets. For example, in the Binance Terms of Use, "Binance can but is not obligated to manage and control the affected funds and your Binance account."
Recalling a series of thunderstorms in 2022, Luna thunderstorm in May, Three Arrows Capital thunderstorm in June, FTX thunderstorm in November, and Genesis thunderstorm in December. Genesis was the best-managed and largest centralized crypto lending company at the time. It relied on this reputation to obtain funds at attractive borrowing costs, but why did it finally burst? FTX, the second largest exchange in the circle at the time, was finally bankrupted by the run. Is this why all centralized exchanges are theoretically unsafe? If we just assume it according to logical reasoning, in fact, any centralized exchange will have the risk of collapse. For those who trade large funds, they will gradually move to DEX based on ZK Roll up and open order books in the future. No permission, no KYC, trust, isn’t this what crypto natives have always pursued? In the past, we turned a blind eye to security for convenience, but now we may need to rethink it.
The risk of government regulation is also a wide open question for “centralized” projects with admin keys. Regulators can take down and control a project with admin keys at any time. DeFi projects with centralized “custodial” control over users and their funds are under pressure, especially in legislation. If regulators can find a centralized party or group of people, they can seize on that.
Case
The significance of DEX is often only realized in the most extreme cases. Let's review the collapse disasters caused by centralized management methods or pseudo-decentralized protocols in history. Mt. Gox, a well-known Japanese exchange, collapsed in 2014 after hackers stole $500 million in cryptocurrency. In 2018, digital tokens worth about $530 million were stolen from the Tokyo platform Coincheck. The former is almost always because hackers used stolen private keys (passwords required to access cryptocurrency funds) to steal funds. Another recent case is that Multichain CEO Zhao Jun was arrested. Not only does it not rely on multi-signature wallets controlled by a few people, but what's worse is that they don't even seem to have multi-signatures, and the private keys are in his hands alone. Multichain was formerly Anyswap. According to public information, Anyswap was founded in July 2020 and was originally positioned as a cross-chain DEX. On May 21, 2023, Multichain CEO Zhao Jun was taken away from his home by Chinese police. It was later discovered that these MPC node servers, like other ordinary servers, were actually running under Zhao Jun's personal cloud server account. No member of the team had access to Zhao Jun's personal cloud server account, so no one could log in to these MPC servers. All of Zhao Jun's computers, mobile phones, hardware wallets, and mnemonics were confiscated by the authorities. So when a self-proclaimed DEX even allows a centralized system access right to exist, it is full of irony. Once faced with strong government supervision and strong censorship, the project can be shut down at any time and the assets can be directly confiscated.
No-Admin key What does No-Admin key mean?
This means that all operations and rules are executed by smart contracts and decentralized networks, and no individual entity can intervene alone, while raising the threshold for malicious behavior. "No-Admin key" provides greater security and credibility because no single entity can abuse power or conduct improper operations. However, this may also bring some challenges, such as if vulnerabilities or errors occur, they may need to be resolved through consensus mechanisms or community governance, and no central entity or individual can intervene quickly.
Advantages and disadvantages analysis
Redeploying a contract will cause the contract address to change
DeGateDEX, the most mature decentralized exchange based on ZK Rollup order book on Ethereum, claims that it does not have an administrator's private key and can achieve maximum user self-custody. It can be confirmed that once the protocol is fully deployed, the code execution logic cannot be modified. Recently, Degate redeployed the contract to update and fix a platform bug discovered by a white hat, which also verified that they truly achieved a mechanism without an administrator's private key, and the protocol can only be modified by redeployment. Redeploying the contract will cause the contract address to change. On the blockchain platform, each smart contract has a unique address that is used to identify and locate the location of the contract on the blockchain. When the project party redeploys the contract, a new contract address will be generated and the old contract address will be invalid. I think this is also one of the criteria for judging a truly decentralized platform. The code execution logic is irreversible, which greatly increases the threshold for evil from a technical level.
On the Current Status of Pseudo-Decentralization
While admin keys are common in the early stages of a project, they go against the idea of decentralization and make the entire project insecure. Because the admin key has special access rights to change the project's protocol or smart contracts. It is usually held by the project's founder or core team. Basically, many DeFi protocols and products that require users to top up assets are protected by "admin keys," which they claim are protected by features such as time locks and multi-signatures. This key is usually an Ethereum smart contract that can upgrade the protocol or product in a variety of ways. However, no DeFi project has been able to prove that the operational security of its admin key is strong. This means that the only way to truly feel safe when using these DeFi products is to trust the team's ability and its ability to protect the admin key.
This is often a test of human nature! And human nature often cannot stand the test.
Andreas Antonopoulos, author and educator of Mastering Bitcoin, defines a truly decentralized project as one that has no custodial control over funds. "That's a very important standard. I think it's the basic standard." By that standard, most protocols fall far short. Of the 15 projects reviewed on DeFi Watch, only InstaDapp, MakerDAO, and Uniswap were reported as having no admin keys associated with their products. The rest of the projects (including Aave, Compound, DDEX, Yearn Finance, Nexus Mutual, and Synthetix) have admin keys that allow varying degrees of control.
Aave's admin keys are owned by the Aragon DAO, which has only five members and only needs three "yes" votes to make sweeping protocol changes. Aave currently ranks third among all DeFi projects by total locked value (TVL), with over $1.38 billion locked.
This creates a single point of failure, because the administrator key is a critical part of the entire system. Once leaked or lost, it may lead to serious consequences. In the worst case, the team members are hacked or take the user's funds and disappear. In order to eliminate this centralized risk point, admin key and DAO governance are adopted. So some people argue that DeFi projects with "God mode" administrator keys are actually considered a way to protect user funds, and are mainly used with security features such as time locks and multi-signatures.
Decentralized protocols and governance
Projects that want to achieve No-Admin key need to face more new challenges. What if there is an error in the way the project is built? How to fix it? What if the community votes to support a false change to the project? If the project is attacked, what controls are in place to ensure that the attacker will not succeed when time is of the essence?
1. Fixing project build errors: If an error occurs in a project, then in a No-Admin Key environment, fixes usually require community consensus. Usually, voting is conducted through decentralized autonomous organizations (DAOs), and only after a certain percentage of votes are agreed can fixes be made. This process may be slower, but it ensures fairer decisions and avoids decisions made by a single person or small team that may be detrimental to the community.
2. Fake changes to community voting: While the decision-making process of a DAO can be manipulated, in general, since voting power is usually tied to the amount of tokens held, large-scale fraud requires controlling a large number of tokens, which may not be economically practical. In addition, the voting system can be designed to prevent such behavior, such as by introducing a staking system where voters must freeze a portion of their tokens to vote.
3. Control measures when facing attacks: Generally speaking, the security of a blockchain network depends mainly on its degree of decentralization and the size of the network. In a project without an Admin Key, there may be no quick way to prevent attacks. However, the community may use its consensus mechanism (such as voting) to reach consensus and take action as quickly as possible. In addition, technologies such as Layer 2 solutions can also be used to enhance the security of the project.
4. "Give" the keys to the community, or create a multi-signature wallet with the keys and elect well-known community members to hold these keys. Some other projects burn keys, which means their contracts (protocols) cannot be easily updated and new contracts must be deployed that users can choose to migrate to. DApps are created by smart contracts deployed by developers or teams. The contract has 1 private key as the controller, which eliminates the trustlessness of blockchain technology and can only be reduced through multi-signatures.
In general, No-Admin Key projects may face some new challenges, but their decentralized nature enables them to provide more fair, transparent and secure services, which is also one of their main advantages.
Or as Vitalik asked many Rollups teams, "next year", they are all trying to get training wheels! But next year after next year, how many next years are there! It must be a long and difficult road. Embrace complete decentralization and be your own God! It takes courage!
Reference:
1.https://github.com/Loopring/protocols
2.https://github.com/degatedev
3.https://balajis.com/p/1-vitalik-buterin-on-starting-new-69b#details
