A short overview of how ECAF arbitration works

• Alice files a claim against Bob in which she:

• provides a signature with her (old) key.

• posts a bond and swears on camera that she isn’t lying. She also posts KYC documents.

1) The ECAF looks for an additional factor to justify the freeze.

2) The ECAF issues the freezing order.

• Block Producers load the blacklist.

3) The ECAF contacts Bob.

4) Bob has one month to respond; otherwise the ECAF issues an order to confiscate the funds (or to change the account’s key).

If Alice were trying to scam Bob and the funds were sent back to her, scammers could fund themselves from each successful claim (bond, KYC actor and all) and scale the process to as many victims as they can find.

The following examples are just a few cases that I was able to come up with. Scammers are financially motivated and will come up with new and sneakier ways.

It’s also important to note that I explained these scams in the EOSIO Gov Telegram channel countless times, and the response is usually hand-waving about how “no abuse had happened yet”.

Let’s start with adversarial thinking. Assume that Alice is an honest user, and see how scams might get through the process anyway.

We didn’t start the fire

SCAM #1

Cost of attack: $50 + bond

• Scammer changes the owner key of his own account and starts unstaking, so the account looks like it was just compromised.

• Scammer sells Alice some IQ coins (for Bitcoin).

• Scammer checks her account activity to make sure she isn’t using her account anymore.

• Scammer files a claim against Alice.

• Scammer posts a bond and pays a poor shmuck in Egypt to provide KYC and the sworn video statement (estimated cost: $50).

• The ECAF checks for additional factors and notices the unstaking and changed permissions (check passed). These are exactly the signals the scammer staged in the first step; the check is reading attacker-controlled data.

• The ECAF issues the freezing order.

• Block Producers load the blacklists.

• The ECAF contacts Alice, but since Alice doesn’t babysit her account, the one-month time limit is exceeded and the ECAF issues the confiscation order.

SCAM #2

Cost of attack: $50 + bond

Similar to SCAM #1, but the scammer sells Alice an account name instead of IQ coins (by changing the owner permission to her key). This again passes the ECAF checks. I have reason to believe this scam was already deployed in one of the freezes (but luckily the victim responded in that particular case, since many people were checking their coins at launch).

SCAM #3

Cost of attack: $50 + bond

• Scammer phishes for Alice’s private key.

• Instead of draining the account right away and risking a freeze order, the scammer sets up an alert on permission changes to this account.

• Scammer waits for Alice to accumulate more coins… and, sooner or later, she moves her permissions to a hardware wallet key.

• Alice now thinks her account is safe, so she decides to just ‘hodl’ and forget about it.

• Scammer files a claim against Alice.

• Scammer posts a bond and pays a poor shmuck in Egypt to provide KYC and the sworn video statement (estimated cost: $50).

• The ECAF checks for additional factors and sees the changed permissions (check passed), even though that change was Alice’s own hardware-wallet migration.

• The ECAF issues the freezing order.

• Block Producers load the blacklists.

• The ECAF contacts Alice, but Alice doesn’t babysit her account, so after one month the ECAF issues the confiscation order.

Alice protected her account with a hardware wallet, but she just lost her money anyway! She never consented to the ECAF “protection” in the first place.

When Alice comes to the Gov Channel to protest against the injustice, the group admins demand proof of her claims. Alice isn’t technical and can’t explain how it happened, so she leaves dumbfounded and completely powerless.