Fringe Finance’s Strategy to Address Censorship & Centralization Risks
-by Brian Pasfield, CTO @Fringe Finance
The DeFi (Decentralized Finance) ecosystem and its various projects and protocols exist on a spectrum of censorship resistance. Some protocols are centralized and, therefore, less censorship-resistant, while other protocols are relatively decentralized and thus more censorship-resistant.
It’s often forgotten that the ultimate purpose of DeFi is censorship resistance. In this paper, we will explore some aspects of what makes various DeFi projects and protocols more or less censorship-resistant, as well as the censorship and centralization risks to which the Fringe Finance DeFi money market platform is most exposed. We will also review how Fringe has and will continue to address these risks. The points addressed in this article apply to many other Defi protocols and not just to Fringe.
We’ll be using the term DeFi to refer to the DeFi ecosystem as a whole, however, when we discuss attacks against DeFi, this will refer specifically to attacks against the more censorable elements of DeFi.
Censorship & Narrative Attacks on DeFi
During the month of August 2022, the DeFi ecosystem experienced censorship attacks from authorities, with events such as the Tornado Cash sanction and the subsequent blacklisting of additional addresses by USDC being the most prominent examples. Additionally, authorities expressed further intent to continue attempting to censor DeFi with the release of the US Federal Reserve DeFi report “Decentralized Finance (DeFi) — Transformative Potential and Associated Risks” and the US Whitehouse’s Office for Science and Technology Policy’s report titled “Climate and Energy Implications of Crypto-Assets in the United States” (8 Sep 2022).
It is safe to say, given that these papers heavily rely on fallacious arguments ostensibly concerned with the environment (OSTP’s report) and a disregard of many salient facts (such as no mention of censorship-resistant crypto being necessary to prevent the authoritarian overreach that authorities are undertaking), that these attempts have been largely driven by political, financial and ideological imperatives. The takeaway here is that established players (which fund political interests) would prefer to continue to own the pie as opposed to having it decentralize itself and become censorship-resistant. Narratives attacking permissionless cryptocurrencies are set to continue and may eventually be used as the pretext for further censorship attacks.
Censorship being carried out by authorities on centralized tokens and CeFi (Centralized Finance) platforms dealing with cryptocurrencies is an essential validation of DeFi’s core value proposition of censorship resistance. Paradoxically, it’s the very existence of threats to DeFi that makes DeFi necessary and gives way to its core value proposition.
Most DeFi projects have dependencies on other aspects of the crypto/DeFi ecosystem (e.g., the crypto ecosystem has a significant dependency on centralized stablecoins), some of which may introduce censorship and centralization risks. It is essential for DeFi projects to understand their interdependencies in order to adequately address these risks.
Though Fringe Finance has already specifically engineered many aspects of protection from various censorship and centralization risks, this is an ongoing process as new threats emerge. The following is a list of the key aspects of the Fringe ecosystem where censorship and centralization risks apply. We explore each item and outline Fringe’s action to date and plans to further mitigate the censorship risks.
Custodial lender and collateral assets
Some tokens represent off-chain custody of assets, including some popular USD-pegged stablecoins and wBTC, which are confiscatable or at risk of the custodian carrying out a rug-pull.
Fringe Finance currently employs one stablecoin with off-chain custody as the sole lending asset, and therefore Fringe’s lenders are exposed to this asset and its associated risks.
To address this issue, Fringe Finance is currently testing a new upgrade to the platform to support additional lending assets (as of January 2023), including support for decentralized non-USD-pegged assets (such as wETH) to reduce the threat from centralized assets.
Pausable assets and blacklists of borrower lender and collateral assets
Some of Fringe’s collateral assets, such as BNT, MATIC, LIDO, REN, IOTX, MANA, and OGN, can be paused by their issuers. If the centralized issuing entity pauses their token, it can disrupt Fringe Finance’s stability mechanisms and prevent efficient liquidations, potentially leading to platform insolvency.
Similarly, some of Fringe Finance’s lender capital assets, such as USDC, have the ability to set blacklists. If Fringe Finance’s contract addresses were to be added to USDC’s blacklist, the related lending market on the Fringe Finance platform would become inoperable as core lending functions, including supplying lender capital, withdrawing lender capital, borrowing, and repaying (including liquidations), would be disabled. It is important for users of centralized assets like USDC to be aware of the risks associated with these instruments, regardless of the platform on which they are deployed.
To address these issues, Fringe has adopted the following tactics:
- Add additional whitelisted capital assets that are not censorable. (Fringe is currently testing an upcoming release that will include support for additional lending assets.)
- Add lender assets that cannot be blacklisted and remove lending assets that do.
- Investigating the possibility of wrapping collateral assets to mitigate the impact of contract pauses.
- Setting lower debt ceilings on collateral assets that can be paused to reduce the impact of potential adversarial measures.
Centralized price oracles
Price oracles are essential to the efficient operation of many DeFi protocols. While there are various oracle models, some are more suited to lending platforms than others. Some DeFi price oracles have centralized components, such as Chainlink’s node operators, which are subject to coercion by state actors and bribery attacks.
To mitigate some of the centralization issues with oracles, it is possible to use a distributed API (dAPI) architecture that aggregates multiple oracle sources, providing redundancy protection and allowing the exclusion of oracles that report outlier erroneous results. There are emerging on-chain distributed APIs that can fulfill this requirement.DeFi protocols themselves can also implement dAPI mechanisms.
To overcome some of the centralization issues with oracles, there is an opportunity to use relatively cost-efficient geometric mean time-weighted average price (GMTWAP) feeds on Ethereum (i.e. via UniswapV3 and its clones). Ethereum’s move to PoS has complicated this option, but Fringe has devised a mechanism to address this.
Fringe Finance is exploring various options to improve asset price determination, including our resolution to the issues that arise with PoS for GMTWAP price feeds and employing a dAPI mechanism to reduce the centralized oracle risks. These are currently in the design phase, and we anticipate releasing new price oracle mechanisms to overcome the centralized oracle issue.
DeFi dApps need to be hosted somewhere. Often, DeFi projects host their frontend on centralized servers, which is exposed to the risk of the centralized hosting provider deactivating the website through coercion from an authority or because of ideological reasons.
To mitigate this risk, a DeFi project can provide an open-source free-to-download frontend that can be hosted by any actor or deploy the frontend on IPFS (a file-sharing peer-to-peer network for storing and sharing data, files, and websites in a distributed file system).
Therefore, if a hosting provider deactivates a website that hosts the dApp, that dApp’s frontend can be deployed and hosted elsewhere with little disruption to the DeFi protocol. Ideally, multiple instances of the dApp frontend can be hosted simultaneously by independent parties across a range of jurisdictions and hosting providers which renders impotent any single actor’s attempt to deactivate any single frontend instance.
With the deployment of the frontend via IPFS, a more predictable solution is achieved, though possibly at the (slight) expense of performance.
Fringe is in the process of open-sourcing our frontend codebase. Additionally, the Fringe DAO can incentivize actors to host the frontend by offering grants. Fringe is also planning to deploy its frontend via IPFS.
Similar to the risk of DeFi frontend hosting websites being deactivated, DeFi backends are at risk of being deactivated by cloud server providers arising from coercion by authorities or the hosting platforms’ ideological imperatives.
Backends typically collect and serve chain-related statistics and other API endpoints that provide services to the dApp frontend. Backend endpoints often house credentials of the dApp to enable access to authenticated third-party services, such as obtaining token icons from Coinmarketcap. Mitigating the risk of backend servers being deactivated requires different approaches for each component of the backend.
Collecting and serving statistics relating to chain-related data can be achieved in a more decentralized manner using decentralized blockchain indexing services such as The Graph.
Hosting of API endpoints can be achieved in a more decentralized manner by making them open-source and allowing anyone to host them or by using services that do not require authentication.
Fringe has rebuilt its backends to employ The Graph’s latest decentralized solution to serve chain-related data and to remove reliance on authenticated service providers of token icons. This enhancement is currently being tested for release.
Centralized RPC providers
RPC providers serve chain-related queries to the dApp’s backend. Examples are Infura and Alchemy. Many RPC providers are centralized, which makes the RPC provider susceptible to state coercion aimed at forcing it to deny service to a given dApp. This is not critical for a dApp if there are alternative reliable RPC providers for the blockchain they are interested in, to which they can relatively quickly repoint. This only becomes an issue for dApps if state actors coerce all (reliable) RPC providers to deny services. In this event, there are viable emerging decentralized RPC providers that may be able to be employed.
To avoid the issue of too few RPC providers, it is important that a blockchain has low hardware requirements to operate a validator node. This will better allow the proliferation of RPCs and thus provide more options for dApps. Some blockchains have very high hardware requirements to satisfy specific design imperatives such as high throughput (e.g., Solana, Binance Smart Chain), but this limits the number of RPC providers and hence increases the risk of centralized RPC providers.
To date, with this in mind, Fringe has designed our RPC integration so that it is easily reconfigured if the need arises to change RPC providers. Given centralized RPC providers represent a relatively low risk for Fringe, Fringe has no immediate plans to take any further related action but shall monitor this ongoing. Our current architecture supports any action that may be necessary if this threat materializes.
On a slightly different topic of personal security, centralized RPC providers (such as Metamask) could be linking users’ transactions to their IP addresses, and reporting this to state actors. One can mitigate this risk by routing RPC calls through Tor or a VPN, running one’s own full node, or frequently changing which third-party RPC provider one uses.
Many DeFi blockchains employ PoS consensus mechanisms, and even Ethereum has migrated to PoS as of September 2022. PoS introduces attack surfaces not present with PoW. The two primary vulnerabilities PoS introduces are coercion of large node operators to censor transactions and bribery attacks on node operators.
Censorship attacks pose a risk for a PoS chain, given DeFi’s core value proposition is its censorship resistance. This is a critical issue if a majority of node validators are acting maliciously (including by coercion from state actors). Currently, approximately 70% of node operators are censoring Ethereum transactions. While it is unlikely that all node operators will partake in such censorship given their jurisdictional spread, the net effect of a proportion of node operators censoring transactions is that it takes longer for a censored transaction to be confirmed on the blockchain. So long as node operators are not colluding, this impact is inconvenient but not existential.
If the majority of node operators collude, however, it is possible that they can orphan non-censoring blocks. This is considered an existential risk. (To note, this risk also exists for PoW blockchains, though the mechanisms and degree of risk are different.)
A bribery attack would render the PoS chain unreliable and, therefore, unusable.
To address the risks introduced by PoS, Fringe will identify viable EVM PoW chains to deploy the Fringe ecosystem. At the current time, there are few viable EVM PoW options, but it is Fringe’s belief that once further attempts to censor PoS meaningfully materialize, this will change.
The coercion and bribery attack risks of PoS chains potentially risk the capital on these chains. This applies to any DeFi protocol on PoS chains and not just to Fringe.
Doxxed teams mean that there are individuals identifiable by their nation-state identities who can be coerced by state actors. This presents a number of problems, including:
- Projects could lose team members who are instrumental in the project’s success,
- Team members could be coerced into acting contrary to the project’s benefit,
- Through coercion, administrative control of some or all of the smart contracts could fall into the hands of malicious/state actors,
- The negative impact to broad innovation arising from the chilling effect that state persecution has on individuals’ willingness to operate projects in the DeFi industry.
The Fringe team is working toward a more decentralized DAO model. This will remove some reliance on known individuals to direct the project. It’ll also reduce the state coercion risk of currently doxxed team members. Another possibility to be explored and that is growing in popularity is the incorporation of pseudonymous team members.
Indeed, since the events of August 2022, anecdotal evidence is emerging of a notably material segment of DeFi contributors dispensing with their doxxed identities and instead adopting pseudonymous personas. We see this trend continuing as new threat models emerge over time.
Centralized project code repositories
Though not a direct risk to users’ funds held in a DeFi protocol, the risk of centralized source code repositories can be disruptive to a DeFi project. The disruptions arise from potential losses of code and introduction of delays to a project’s ability to deliver code updates and roadmap items. Centralized source code repositories include the popular Github, which has censored various code repositories and famously deleted the Tornado Cash code repository in August 2022 (though it’s now reinstated).
Fringe Finance decided to initially use GitHub due to the various teams’ familiarity with the platform, yet is planning to migrate to a more censorship-resistant platform in time. Meanwhile, Fringe keeps local backups.
Centralized smart contract admin
A risk for DeFi users is the level of trust that must be placed in the administration of DeFi protocols. The risk is the possibility of protocol admins acting contrary to the interests of their users either maliciously, through error, or from coercion by state actors. Single points of dependency are also a part of this risk, given that, if a critical team member suffers incapacitation or death, the protocol may be rendered ungovernable. Trust minimization is the goal against these risks. Ways to mitigate this risk are to decentralize protocol administration and minimize governance.
Fringe Finance has designed and constructed the platform’s smart contracts to be compatible with multisig admin facilities, such as Gnosis multisig vaults. While this introduces the overhead of needing multiple parties to apply governance changes to the protocol, it serves several key benefits of removing centralization risks to better assure users and removes single points of dependence on any single individual. Also, this better allows pseudonymous admins to be substituted in events of inadvertent doxxing.
If “pseudonymous admins” do not sound desirable here, remember that it is highly likely that both the crypto and “normie” world move closer to one where pseudonymous entities are further recognized as valuable assets. As this trend progresses, pseudonymous reputations will play a higher role in users’ salaries, insurance premiums, job eligibility, etc. More and more people and organizations will increasingly operate within the “pseudonymous nation”, and thus establishing and maintaining reputations will be highly important. As the online world becomes increasingly pseudonymous and reputations gain value, users will hold them in higher regard, increasing their perceived responsibility. For these reasons, combined with censorship resistance, pseudonymity is to be preferred.
DeFi protocols with excessive governance parameterization are subject to the risk of deleterious configuration either through error or malice. The goal is to minimize the governance parameters that can be adjusted by protocol admins.
Fringe Finance has taken a progressive approach to governance minimization. This means that a range of governance parameters are initially configurable, but in the future, some parameters will be progressively ossified, unable to be altered. The rationale for taking this progressive approach is to ensure the nascent protocol is initially flexible to best ensure it meets market conditions. As it matures and validates itself, certain governance parameters will require progressively less adjustment.
Time delay governance changes
To minimize the possibility of any malicious actor applying deleterious governance changes, Fringe has constructed time delay mechanisms when applying smart contract governance changes. This provides assurance to users that governance actions are aligned with the platform’s benefit. It also minimizes the impact of state actors applying coercion to affect governance changes which pose a risk to users’ assets.
Fringe has also built an open-source Pending Governance Changes utility (soon to be released) to allow anyone to query the pending time-delayed governance changes. With it, interested parties have trustless visibility of upcoming time-delayed governance changes. This is part of our strategy of trust minimization as another step towards the Fringe project transitioning into a DAO governance model.
The DeFi ecosystem needs authorities to undertake attacks on its censorship resistance; otherwise, there would be no need for DeFi. Authorities are, at present, carrying out attacks on DeFi, which gives DeFi the opportunity to adapt in order to survive.
We’ve listed various current attack vectors that threaten DeFi in general and the Fringe Finance platform in particular, together with how Fringe Finance has and will continue to address those threats. Threat models will evolve over time, so DeFi projects will need to continually assess emerging threat vectors and respond accordingly. This article’s intent has been to provide some insight into how Fringe Finance is ensuring censorship resistance to allow users to assess risks in using the platform. Hopefully, this also inspires other DeFi builders to achieve the best from their DeFi projects.
Notes on named references to other projects: This article may mention other projects by name. This is not to be taken as either an endorsement or criticism of those named projects but is used to provide illustrations for the purpose of clarifying the article’s content.
About Fringe Finance
Fringe Finance is a decentralized money market designed to unlock the capital spread in crypto assets regardless of their capitalization and supported network. With a next-generation DeFi lending & borrowing ecosystem, Fringe aims to unlock the dormant capital from traditional financial markets and all-tier cryptocurrencies.
For more information on Fringe Finance, visit our website.