[Question] Anchor security and product vision

Hey guys,

So I joined the Twitter Anchor AMA space and there are some questions that have not been answered. I would be glad if anyone from the Anchor team could help me with this.

My first question is that I know that Anchor already has bug bounty programs to ensure smart contract security, but are there any measures being put in place on the security side to guard users from any hacking attempts?

And my second question is, what is the team’s vision for Anchor in the future, assuming Anchor is widely adopted by the general population?

Thanks so much!

3 Likes

Hey thanks for your contribution here.

Most of the community ideas are right on this forum. Here are some more popular ones from lately:

  1. Call for ideas: how to increase the value of ANC? - #35 by Tintin
  2. Call for ideas: how to encourage more borrowing? - #15 by Kram
  3. Anchor October AMA Community Ideas Summary

As far as security goes:

  1. Anchor has ongoing audits. We are working on one now - Proposal: New security Audit for Anchor Protocol - #43 by xwdx
  2. I am hoping we can get more support to get the bug bounty higher.

1 Like

Hey bitn8, thanks so much for the information. I really appreciate it. I hope I can join the community here and have a positive impact on the protocol.

Thanks again!

Thank you for the concise update 🤞

Does the Anchor team have a DR (Disaster Recovery) plan in place?

In the event of a hack, what are the team’s emergency procedures?

Also what monitoring is in place to identify any erroneous activity taking place within the protocol?

2 Likes

I have some ideas. A new governance contract is needed. Coming into the new year I plan to share my independent research on this to see what everyone thinks and hopefully gain traction.

The key point is really having a mechanism to be able to freeze the protocol. The idea would be staking a huge sum of ANC to be able to freeze in times of an emergency, similar to MakerDAO and THORChain etc. The ANC is locked until the community approves the risk metric vote, or if the community votes it was malicious, it is slashed. IMO this is really the key to having an emergency plan in place. You can plan until you’re dead in the face, but you’ll probably never predict how or why a hack happened, so having an emergency stop freeze stopgap will allow the proper planning to happen in times of crisis.

2 Likes

Hehehe glad to see there was some cross pollination on the freeze idea ^^

I’m very interested in the original question asked by Fred. I’m very concerned about my funds on Anchor Protocol being subject to a hack.

I would love to see Anchor Protocol put in safety measures to provide its users appropriate security. For example, a whitelist for withdrawals, passwords for withdrawals, 2FA for withdrawals, etc.

I don’t even see any kind of settings where these things could be set up.

Does anyone know if Anchor Protocol is even addressing this issue and what they’re doing about it?

I’d be willing to use the platform much more than I am if I knew my funds were protected.

I would suggest getting a hardware wallet, that is more secure than 2FA.

Can I stake my UST on Anchor Protocol from a cold wallet? If so, how do I do that?

Yes, it connects to the protocol to make the approval.

Your worry should not be your own funds (as long as you use a hardware wallet and a secure computer), but the protocol smart contract hack, and funds being drained out of the protocol as a whole.

That and the continuation of abusive yield-milking practices like mim being allowed and even endorsed by TFL. That is more long term though and not immediate security, though mixing with criminals and money launderers is never good and brings both security and governmental freezing of funds risk.

2 Likes

I’ve moved all my funds off Anchor because I never got a sense of security from them. I asked multiple times and never got any response which gave me any comfort.

I’ve moved my UST to Nexo where I’m staking them for 15%. Nexo offers $375 Million of insurance coverage for free and stores their coins in military grade storage, etc.

While I’m still open to coming back to Anchor, I won’t until I feel safe doing so. For now, Anchor is in my rear view mirror.

1 Like

Hi WaterLover,

I would like to address a few of your concerns. There are several risks we face when using crypto or DeFi.

1) Wallet Risk
You may lose all your funds if your wallet is hacked. Whether you shared your private keys with someone else or your computer got hacked, you lose all your funds. But that is not a risk from Anchor Protocol. Both aUST and UST are stored at your own wallet address.

2) Protocol Risk
If you worry about whether your funds are safe when depositing them on Anchor Protocol, you are asking the right question. The decentralized finance space in crypto is full of problematic code and ill-considered design. They are more vulnerable to hackers (usually not scammers). Usually users in DeFi rely on 3rd party auditing to give themselves confidence that the protocol can be trusted. I believe Anchor has its own audit report published, so you had better check out their score and recommendation. (link: Security - Anchor Protocol)

3) Coin/Blockchain risk
This is probably always overlooked by users. If the blockchain goes bust or your coin collapses, there will be nothing left no matter where you store your funds. You cannot eliminate this risk as long as you are participating in this space. As you are still getting UST exposure in Nexo, you are exposing yourself to 1) the Terra blockchain network; and 2) UST pegging risk.

As for Nexo or BlockFi or Celsius Network, whatever crypto saving provider you choose, you should also make sure that they are well audited. And if you look at the insurance amount of Nexo, it is 375MM USD. Honestly the number is quite small when compared to how much they actually manage, which could be 10 times more. 375MM insured means only the first 375MM they lose will be covered by the insurance policy. After that, no insurance is covered.

So you could really see that both centralized service providers (Nexo) and decentralized service providers (Anchor Protocol) have their similarities and uniqueness in risk. No one knows who will go bust first or whether any of them will go bust at some point. If you feel safer depositing funds on Nexo, go for it. But just remember you could always spread your portfolio and use all of them. Transaction fees are quite low and you won’t lose much moving funds around.

2 Likes

I don’t understand what you mean by ‘mim being allowed and even endorsed by TFL’. And, where are you saying that’s an issue?

Michael

I appreciate your breakdown. Yes, my concern is the Protocol Risk. I like Anchor but couldn’t get any sense of security regarding this issue. I asked several times and never got a clear answer and never heard from Anchor.

At Nexo, they take security quite seriously using 3rd party companies who use military grade storage protocols, etc. I understand that Nexo’s $375 Million insurance would be limited in a protocol wide hack, but at least it’s a lot more than the $0 amount of insurance Anchor’s providing. And, I don’t see how Anchor is dealing with the security issues nearly to the level that Nexo is.

I understand I can spread the risk, and that’s a good idea, however, I’m not sure if I’d feel comfortable placing funds at a protocol I don’t have a sense of security with.

Michael

How comfortable are you that Nexo isn’t a ponzi scheme? Is it audited, is it regulated? Any proof of reserves? How do they make their returns? Seems to me nobody knows, same goes for Celsius. It is totally opaque.

Those Cefi platforms can vanish overnight. Once one of them gets found out, there will be a bank run on all of them. Sounds super secure right?

I would say the risks of Nexo are higher with half the return. At least Anchor can’t be shut down and everything you can see is open source and visible on the blockchain. If the yield reserve drops towards zero you can just take your money out.

Why don’t you learn about Nexo before you knock them? Then, we can have an intelligent discussion about the matter.

Michael

Why don’t you answer my questions then, since I can’t find answers to them anywhere.

Your questions show a complete bias without any facts or information. So, there’s nothing to respond to.

Like I said, learn about Nexo and then we can have an intelligent discussion about it.

Michael

P.S. Here’s Nexo’s response to my question about my funds being covered by their insurance (which is offered for free). Perhaps you’ll find this informative. I’ve NEVER seen anything like this from Anchor… in fact, I can’t even get anyone at Anchor to respond to my question.

"As you may be aware, in the extreme and unlikely event of a transgression, all client funds will be retrieved with our $375 000 000 insurance from BitGo in accordance with their internal operational protocols. To achieve and maintain a top level of protection we are utilizing cold storage provided by the leader in multi-signature encryption technology: BitGo. Furthermore, the custodial assets are covered for up to $100,000,000.00 by the London-based insurance company Lloyd’s with its syndicate of underwriters. And this premium service comes at no additional cost.

What is more, the insurance policy covers all clients’ assets including EUR/GBP and stablecoins. As soon as a EUR top-up is received, the funds are automatically exchanged for EURx with a guaranteed 1-to-1 conversion rate to EUR at all times. Additionally, EURx is secured by asset-backed portfolios of overcollateralized loans and the collateral of each loan is in turn covered by the $100,000,000.00 insurance policy.

With all these layers of protection, we can assure our clients that they have no reason to worry about the safety of their assets.

Further to your inquiry, being a valuable part of the global crypto finance in its capacity as a digital assets institution, operating in more than 200+ jurisdictions, Nexo has obtained numerous licenses and regulations worldwide for the purpose of provision of its services, thus being fully compliant with all applicable laws and regulations, and highest standards in the finance and crypto industry. Regarding the above, Nexo is subject to various types of audits on a regular basis (financial, legal, administrative, etc.), as well as inspections and supervision by the respective authorities. Amidst increased regulatory interest in the cryptocurrency industry, we at Nexo are setting the bar high so as to prove to our clients and investors that the assets entrusted to us are indeed in good hands, a testament to which is the independent audit by Armanino who have confirmed:

  • Fully-Backed: Your holdings on Nexo’s platform are backed by assets by more than 100%.
  • Properly Managed: Third-party assurance that your funds on the Nexo platform are properly managed and accounted for.
  • Always Available: 24/7 proof of Nexo’s ability to meet all liabilities owed to you at any time.

Last but not least, it shall be emphasized that Nexo is regularly expected to prove either before the relevant regulators, in the course of registration and licensing procedures or of subsequent inspections or audits, or before counterparties, that it is always compliant with the capital adequacy and liquidity requirements to ensure long-term financial stability. It has also developed and implemented anti-money laundering, privacy, security, IT, and risk procedures in full compliance with all local and global regulations and standards. The above not only protects Nexo’s clients and counterparties but also contributes to the overall financial stability in the blockchain space."

Michael