Second letter to Polygon about multisig

Today, a followup letter was sent by DeFi Watch to Jaynti Kanani of Polygon. If a response is received, we will publish it right away. Follow Chris Blec on Twitter for updates.

May 27, 2021

Jaynti Kanani
CEO & Co-Founder
Polygon, formerly Matic

Dear Mr. Kanani:

Members of your team have made it exceedingly clear to me both publicly and privately that Polygon does not intend to respond to the questions that I posed in my last letter dated May 20, 2021.

This is quite a disappointing development. Since I publicized the letter, hundreds of members of the DeFi community - including many Polygon users - have expressed a great interest in learning more about Polygon’s centralization risks. The fact that your team has chosen to remain opaque on these issues while accruing billions of dollars in Total Value Locked (TVL) is concerning to many.

Your team has indicated that it feels unfairly singled out since multisig security in DeFi is a widely used strategy. While it is true that many projects in DeFi use a similar multisig security structure to Polygon, we have never seen TVL under a single multisig grow to the level that you have achieved. We can no longer sit back and simply say “this is the way that it is.” There is now far too much at stake. It is time for all participants in this system to engage in open conversation about the questions that we have raised.

Your team has also stated that any discussion of problems without offering solutions is a waste of time. I disagree vehemently with this idea. It is very possible for a problem to exist without a pleasant or productive solution. The lack of a solution that meets the team’s approval does not mean that the problem should not be identified, discussed, and addressed by the community as it sees fit.

In the absence of a response from your team, the onus is left on members of the community, such as myself, to make educated guesses as to what the answers to the questions might be. I will attempt to provide some level-headed speculation here. If you find errors, I encourage you to reply publicly to correct me.

IMPORTANT NOTE: I am not a software developer and am engaging in speculation, not allegation. The opinions that follow – including but not limited to ruminations about the possibility of character flaws of any involved individuals – are pure opinion and conjecture and should not be considered to be factual by the recipient or by anyone else who receives it. The stated intent of this material is solely to speculate on what centralization risks may exist and what may be possible based on whatever information is currently available to me (or not available to me).

1. Does the security of the Polygon network rely on the skill, honesty and integrity of 5 of the 8 multisig keyholders?

It appears safe at this point for users to assume that the answer to this question is “yes”. If Polygon’s multisig keyholders do not act with skill, honesty and integrity, it appears that the multisig could be exploited, stolen or otherwise compromised by either internal or external actors.

As was made clear in a series of tweets from Polygon’s Twitter account, this multisig apparently does have the power to upgrade the MATIC staking contract, which is a critical piece of Polygon’s network security.

So, we must assume that users are required to trust in the positive traits of both named and unnamed multisig keyholders for the survival of the network, and that users are required to trust that the team has some sort of willingness and incentive to stand up to regulatory attacks from very powerful governments.

This concept allows for a debate to begin over whether or not Polygon can be considered to be more centralized than exchanges such as Binance or Coinbase which employ more gatekeepers and safeguards than Polygon’s multisig model would likely allow for.

2. What is the worst outcome that could result if the 5-of-8 staking contract multisig were to be compromised?

This is a question that is very difficult to answer for someone who is not familiar with every aspect of Polygon’s smart contract code.

Therefore, unless you can add more clarification, we will need to assume that the worst outcome of the multisig being compromised would be a total network meltdown. The assumption is that transactions would not be able to occur, funds would be frozen, and the validator consensus mechanism would grind to a halt.

There are likely other possible outcomes that would not be as nightmarish as this one, however the question asked specifically for the worst-case scenario. Risk evaluation in DeFi is not about what is likely. It’s about what’s possible.

3. What evidence can the community consider as proof that each of the 8 signing keys is in the sole possession of a unique individual, and that 1 individual does not hold more than 1 signing key?

Multisigs have some existential problems when they are used as a security mechanism for a smart contract or, in this case, an entire blockchain. One such problem is that there is generally no way to prove that each of the keys resides in the hands of a unique individual, and that no individual holds more than 1 key.

Obviously, if 1 person held 2 or more keys, that would partially invalidate the 5-of-8 security model.

Unless great care was taken during the key ceremony to produce evidence that all keys are in the hands of unique individuals from the point at which they are generated, then we must assume that the answer to this question is “no”.

If this is the case, and assuming there are no legal affidavits or other regulatory requirements that the organization must abide by (which there likely are not), then users have no logical reason to believe that the keys are uniquely owned, outside of the mere word of the members of the Polygon team.
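The point above about one person holding several keys can be made concrete. The following is an added example, not part of the letter and not Polygon's code: it models a threshold multisig as a mapping from signing key to the person who controls it, and computes how many distinct people must cooperate (or be compromised or coerced) to reach the threshold. The key and person names are hypothetical and the mappings are constructed for illustration.

```python
from collections import Counter

# 5-of-8 threshold, as described in the letter
THRESHOLD = 5
TOTAL_KEYS = 8


def min_colluding_holders(threshold, key_to_holder):
    """Minimum number of distinct people whose combined keys reach the threshold.

    key_to_holder maps each signing key to the person who actually controls it.
    If one person controls several keys, fewer people are needed than the
    nominal threshold suggests. Returns None if the threshold is unreachable.
    """
    # Keys per person, largest holders first (the worst case for collusion)
    counts = sorted(Counter(key_to_holder.values()).values(), reverse=True)
    signed = 0
    for people, n_keys in enumerate(counts, start=1):
        signed += n_keys
        if signed >= threshold:
            return people
    return None


def effective_threshold_report(threshold, key_to_holder):
    """Compare the nominal M-of-N threshold with the real number of people needed."""
    nominal = threshold
    real = min_colluding_holders(threshold, key_to_holder)
    return {
        "nominal_people_required": nominal,
        "real_people_required": real,
        "weakened": real is not None and real < nominal,
    }


# Constructed mapping: every key held by a different person (hypothetical names)
DISTINCT_HOLDERS = {f"key{i}": f"person{i}" for i in range(1, TOTAL_KEYS + 1)}

# Constructed mapping: same 8 keys, but person1 secretly controls keys 1, 2 and 3
CONCENTRATED_HOLDERS = dict(DISTINCT_HOLDERS)
CONCENTRATED_HOLDERS["key2"] = "person1"
CONCENTRATED_HOLDERS["key3"] = "person1"

if __name__ == "__main__":
    print(effective_threshold_report(THRESHOLD, DISTINCT_HOLDERS))
    print(effective_threshold_report(THRESHOLD, CONCENTRATED_HOLDERS))
```

With every key held by a different person, five people must cooperate; if one person holds three keys, only three people need to, which is the "partial invalidation" the letter refers to. Note that nothing on-chain reveals the key-to-person mapping: the contract only sees eight addresses and a threshold, so this computation can only be done by someone who trusts, or has verified, who holds what.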

4. How can users be assured that the private keys and/or mnemonics underlying each of the 8 signing keys were generated in a secure fashion, have been secured properly throughout their existence, and were not compromised before being designated as a multisig signer?

Another existential problem with using multisigs as DeFi security mechanisms is that there is rarely a way to prove that the private key or mnemonic that each keyholder is using to secure their signing key was created in a secure fashion and has remained secure since its origin.

Typically, when a multisig signing key is generated, each signer provides an Ethereum address to the key generator. That address is then authorized as a signing key.

Each address provided, however, was likely generated by an Ethereum wallet belonging to each new signer. That Ethereum wallet has a security model unto itself and was created under a specific set of circumstances that may or may not have resulted in it being compromised from its origin.

For instance, unless an unprecedented level of care was taken, there is no way to prove that a Polygon multisig signer doesn’t hold their signing key in a Metamask hot wallet that was created in a public coffeeshop with video surveillance on a computer with keylogging malware. Obviously, if this were the case, there are several ways that the wallet could have been compromised long before the signing key was ever assigned to it.

Therefore, unless Polygon can offer some sort of proof that every signing wallet was generated securely, users must assume that 1 or more of the signing wallets could have been compromised before the key ceremony.

5. Which jurisdictions govern the individual multisig keyholders, and are any keyholders breaking any local or national laws by participating in the multisig?

To the best of my knowledge, Polygon has not specifically named any multisig signers. Your team has stated that 4 of the 8 signers are Polygon co-founders, and the other 4 are people associated with DeFi projects built on Polygon.

There is likely no way to prove that this is true. Users would probably need to trust your word to believe that the signing keys are in the hands of the individuals that you claim. Therefore, it is impossible for users to know which countries the keys and keyholders exist in.

Even if users were to assume that what you say is true, there is still no way for users to know in which countries the keyholders live, in which countries they may have seizable assets, in which countries their families own property, etc. Any of these countries could claim jurisdiction over a multisig signer and attempt to force that signer to comply with new or existing regulations.

6. Where is Polygon’s managing corporation incorporated, and how many of the 8 keyholders are employees of said corporation?

According to a tweet from your team, the Matic Foundation has registered corporate entities in India, Singapore, Belgrade (Serbia) and the British Virgin Islands and this therefore “makes MATIC completely immune to any geography-specific regulatory concerns.”

Unless you can explain otherwise, then users should assume that each of these corporate entities and its members/employees is subject to rule of law of the nation in which it exists. For users to truly believe that MATIC and therefore Polygon employees are somehow immune to the rule of law of each of these nations would be quite a leap of faith. Regardless, it’s naïve to believe that governments will always act within the boundaries of existing laws and regulations. Governments tend to act quite irrationally, quite often.

Based on this, it seems that users cannot rule out the possibility that one or more of these countries could attempt to force Polygon members to comply with existing, or yet-to-be-created, regulations & laws surrounding cryptocurrency.

7. How would the Polygon/MATIC corporation or team react to a forceful government request to modify the staking contract or otherwise interfere with the continuity of transactions on the Polygon network?

For users to speculate on how the corporation which controls Polygon’s multisig would react to a forceful, possibly unfair regulatory attack will take a great deal of speculation. The best way to approach this is to do so based on incentives.

Such resistance could result in asset seizures, sanctions, or possibly even jailtime for multisig signers. What incentive does the Polygon team have to resist a regulatory attack and face these potential penalties?

It seems most likely that the incentive to comply with these kinds of government requests – whether or not they are legal or fair – would be much stronger than the incentive to resist them and pay a considerable price. Therefore, reasonable users could come to the conclusion that it’s possible, and perhaps even likely, that Polygon keyholders could eventually find themselves in a position where they must cooperate with government requests to modify, freeze or otherwise compromise the integrity of Polygon in any way that they can using the centralized control of the multisig.

8. How can users be assured that the multisig signers will not collude to intentionally compromise the security of the Polygon network, if financial incentives ever exist to do so?

The Polygon staking contract multisig appears to have the power, with the approval of 5 of 8 signers, to upgrade a smart contract which secures over $1 billion of staked MATIC tokens. Aside from the risks posed to the security of the network, there also appears to exist a large financial incentive for members of the team to attack those funds.

Unfortunately, DeFi is an area of technology that is full of amazing innovation accompanied by treacherous deceit. When users are required to trust a small number of individuals with unfettered access to over $1 billion in deposits, they must take human nature into consideration. As stated above, this is not intended to be an attack on anyone’s character. It is an impersonal discussion of what is possible - not what is likely.

It seems quite possible that there is no financial incentive for the multisig signers that could be valued at more than $1 billion. Therefore, it’s unfortunate but not unreasonable for users to believe that 5 of 8 signers on this multisig could be tempted to collude to steal funds.

With this letter, I am attempting again to start a conversation between your team and concerned community members. I ask that you please respond to this letter with valid and transparent counterpoints to the speculation that I’ve offered here. This is not just about Polygon anymore. It’s about building resilience in DeFi. We rely on DeFi’s most successful and influential projects to lead the way, and that onus has now fallen to Polygon.

Contact me at [email protected] to arrange for a public voice chat via Twitter Spaces, or send a written response which I will gladly publish on my website. Alternately, I suggest publishing a blog post which offers the greater community a response to these very legitimate concerns.

With sincere hope for a productive conversation,

Chris Blec
Founder, DeFi Watch