[Phase 1] HIP 58 - Removal of vouchallengers

ludovico · July 16, 2022, 11:22am

HIP: 57
title: Vouchallenger removals framework
author: ludoviko.eth
status: Phase-1
created: 2022-07-16

Simple Summary

This HIP proposes a framework to allow to make removal requests under any of the already existing reasons for removal, in cases where an account is evidently vouching maliciously.

Abstract

The proposal will allow vouchallengers to be removed if they meet the vouchallenger definition in the body of this HIP. Vouchallengers will be removed and cannot re-register after a period. This will be enforced by a modification of the PoH policy. It will not be retroactive but the ratio from previous actions will be considered if there is a new vouchallenge.

Motivation

Vouching a profile is an act of responsibly giving the recognition of a legitimate and valid submission to the registry. Since the launch of Proof of Humanity, vouchallenging as in “the act of using the vouch feature of registered humans to make another profile vulnerable to challenge” has become a serious issue. As of the day that this HIP is being written, 57 profiles have more challenged vouched profiles than valid vouches, resulting in 211 challenges and a damage to the registrants totalling around 25 ETH. and the number is growing. A series of governance posts raising the issue and some solutions were proposed during this time. @donosonaumczuk has proposed a robust and good approach for L2 rollups and future upgrades to PoH’s smart contract, but in the meantime there are possible solutions that could make it harder (important! not impossible!) for malicious actors to continue this attack.

Specification

1. Add removal criteria
In the latest PoH policy version, there are some explicit criteria to ask for a profile removal. A new removal criteria that allows a vouchallenger to be removed can be added. We can instruct jurors that in the case of a removal of a vouchallenger, if the alleged vouchallenger challenges this removal, to rule against the vouchallenger (effectively removing them from the registry).

2. Add admission criteria
In order to avoid the vouchallenge to re-register after a removal, another modification to the document will allow the cases where the removal was due to a vouchallenge to be inadmissible for a period (to be determined in future phases).

3. Conditions to consider a vouchallenger as such
To be precised before Phase 2 voting. The most supported option informally was

At least 4 vouches total
A ratio of more than 1 to 3 (more than 1 vouchallenge in 3). Example: 10 vouches that ended in challenge over 30 total is accepted. If there is an 11th vouchallenge, then it fits the vouchallenge criteria.
Option to be considered: Make the victim the only person allowed to perform the removal (this would prevents an abuse of this norm from malicious actors)

4. Retroactivity
This HIP is not retroactive to profiles that performed vouchallenged in the past. However, if a previously active vouchallenger performs a new attack, the total ratio will be considered (not the ratio from the start of the validity of this HIP).

Rationale

More robust solutions than this one will come in the future, but this solution tries to ammend the situation as of today, which has brought a large impact to the registration process.
The ratioes proposed to consider what is a reasonable margin of a person range from 1 vouchallenge every 2 total vouches (1:2 ratio) or 1:3 ratio.

Implementation

Challenges to the removal of a vouchallenger should be ruled against the challenger in cased of a dispute or, as an alternative, challenge to such removals (of the vouchallenger) should provide evidence that the holder of the vouchallenged person received consent from the vouched person of such act.

ludovico · July 16, 2022, 6:07pm

Here is an csv file with the 57 accounts that have participated in vouch and challenges (taking into account the ratio “vouches that ended in challenge / total voches > 50%”

clesaege · July 16, 2022, 6:49pm

When we created the protocol we had planed to potentially give “fines” (that they need to pay before being able to reregister) to people misbehaving but this hasn’t been implemented yet.
Currently, the penalty for vouching wrong profiles is all or nothing (get removed or nothing). We could have something more balanced where a removal or fine is only given if a too high proportion of vouched accounts end up challenged (could be 50%).

Note that currently vouching someone to challenge him after is legal, so any rule about this should not be retroactive.

NingFid · July 23, 2022, 3:36am

The motivation of this proposal is good but the procedure for penalizing vouchallengers is better below:

herniadlf · July 26, 2022, 2:52pm

I think that @donosonaumczuk’s proposal is more robust, but need some technical implementation. I say that, until that solution or something similar is implemented, the policy accepts as valid a removal request from a vouchallenger. And, as Clement said, this should not be retroactive.

Today, it’s easy to do a vouchallenge. Thus, neither the vouch nor the challenge is being used in the way it was intended to enhance the registry. It’s just being used as easy money. At least, let’s regulate this by policy now and make the challenger’s job to be more sophisticated to challenge real cases of maliciously vouched sybils.

ludovico · July 26, 2022, 3:03pm

I was just talking with Alan about this and I too agree his solution sounds more permanent.
Re. retroactivity:
No current vouchallengers would be requested for a removal, but I think that as soon as one of the vouchallengers active before this HIP gets approval vouchallenges after the approval of this HIP, the ratio that would be taken into account is all the previous one (if not it is hard to see and prove when the action happened). I hope that we all agree about this.

ludovico · July 29, 2022, 4:25pm

Hello everyone, I have updated and expanded the HIP to meet HIP-5 regulations.

herniadlf · July 29, 2022, 6:37pm

The removal is enough punishment in my opinion. This ^ may add unnecessary complexity.

- Or provide evidence that they are using their profile for vouchallenge attacks, according to what is layed out in HIP-XX.
  - Example: Send the following removal request
    - Evidence Name: This profile is performing vouchallenges
    - Evidence Description: there has been x profiles vouched that resulted in a challenge, over a total of x vouches of this profile.

Will you consider to be more specific in the policy rather than linking to a HIP? I mean, explain there what a vouchallenger is, the ratio and the retroactivity.

ludovico · July 29, 2022, 6:56pm

It is absolutely necessary. The removed profile can immediately regain isRegistered status and continue vouchallenging right away (like the “fence gate with nothing around it” meme).

The PoH policy will be modified, so it will be all in a single document. The example is just making explicit that x/total vouchallenges were made (because it should be part of the claim and information for the jurors to decide).

herniadlf · July 29, 2022, 8:01pm

I understand, but in that case I think is better the ratio to become more rigorous if you have been already removed as a vouchallenger. Perhaps, the second chance the ratio will increase to 1:10. Maybe a combination of both (increasing ratio & registration cooldown) ?

Also, the 1:2 ratio is a bit soft. It’s not hard to make 2 good vouches and then make 1 vouchallenge again, staying ratio-compliance. Maybe 1:5 ?

Despite my comments, this HIPs is enough to stop the current vouchallengers and that’s the important step here.

ludovico · July 29, 2022, 11:45pm

1:5 sounds like a good ratio, and higher the next time.
The other parameter that still needs to be set is the penalty. I’d set it to 6 months to a year, minimum. Higher ratios for repeating offenders would help reduce or even eliminate the penalty (e.g. Zero tolerance if the person re registers)

NingFid · August 1, 2022, 11:25am

6 months penalty sounds fair. Can the “re admission criteria” be translated in days instead of number of months though since months have different number of days?
Say, 180 days for that 6 months.

0xjean.eth · August 3, 2022, 7:50am

I’m wondering if these modifications would indeed significantly reduce vouch + challenges, because attackers can withdraw and resubmit their profiles before they are “removable”.

Currently this process costs 1 week + around 20 usd when gas is low + the effort of making a new video with another address. (On Gnosis, this cost is negligible.)

With the current proposal, they could vouch erroneously for 4 people before they risk being removed.

Also they can “load” their stats by vouching people correctly, or even randomly - facilitating the work of challenger bots that wait for a vouch to challenge. (0xe7173f0d9703651b6aad6fe1b2df6e75ae5a9dda alone has made around 30% of the challenges of 2022)

Apart from that, notice that vouch+challenges correspond to around 30% of total challenges right now. We can assume a significant chunk of users will still be challenged with honest vouches.

If we are talking about helping extend the time people have to fix their submission, I believe it might be easier to motivate people to submit their profile without their deposit, share their profile around, and only then fund it fully.

I’m not sure about the impact it would have on the UX of looking for resubmissions either. For example, if a submission is removed, but you submit a blank video with no deposit, then faces.humanity.tools or other tools might not find it. So, if anyone wants to realistically find a vouchallenger that is resubmitting with another address, they might have to look up every new entry using their own system, store the photos/videos of people removed retrieved from the ipfs on the original transaction.

Maybe the vouchallenger will not want to risk their deposit, but they might realize nobody is checking.

That said, maybe it’s good even if it just looks like it’s helping, and that’s enough?

nicobilinkis.eth · August 24, 2022, 12:16pm

GM everyone.
I think that calling for vouchallengers’ removal is actually not the best path forward.
If I’m not wrong, the KlerosLiquid smart contract has the posibility for jurors to vote “Refuse to Arbitrate”.
If this happens, the challenged submission would get removed from the registry (this is what should happen, given that once in pending registration it can’t be accepted if it doesn’t comply with the policies). The main difference with a NO vote, is that only the juror’s fee will be paid and not the challenge bounty.
This will allow for the submitter to only lose ~10% of the deposit, as they would only need to pay for half of the juror’s fee (0.0125 right now).
Having that in mind, we could modify the rules and make jurors Refuse to Arbitrate on every challenged submission whose voucher has a challenge ratio of more than X (I think 33% could be a good number).
If there is something wrong in my logic, please point it out.
Otherwise, I think we should move forward with this idea.
Let’s get this debate going!

Andrei · August 31, 2022, 3:13pm

How about implementing a mechanism to prevent vouch challengers in PoH v2?

A way to do this would be to have a wrong vouches counter for every human which gets incremented for the voucher every time he vouches for a submission that was successfully challenged. Once this counter reaches a threshold (say 3), it’s not possible for that human to vouch any more. The counter could be reset when the person reapplies (or not). This solution has the advantage that it would be very convenient to implement, it is written in the code so there would be no confusion around it and would discourage vouch challengers (and people vouching without checking in general).

herniadlf · October 17, 2022, 12:39pm

Another vouchallenge and counting… This profile has 10 vouches, and 9 were incorrect submission. And now appears a new one these days.

We must face this to strengthen the concept of vouching, not just to combat vouchallenge itself. We cannot allow vouch to be taken lightly.

I will be reviewing what has been commented and discussed here in this thread to see if it’s possible that we move to phase 2.

herniadlf · October 18, 2022, 12:46pm

Thinking about merging the ideas exposed here and short term solutions… I think the best approach is:

At first, no ratio applied. If you have 3 vouches that ends in a “incorrect submission” removal, you could be removed. We could add this as a remove criteria for being a vouchallenger.
- Retroactiveness. If you already has 3 or more vouches of this kind, you are okay. But after one more incorrect submission vouch, you could be removed too.
After a removal, 3 months of cooldown before a new submission. If you make a submission within that 3 months, you could be challenge.
If you was already removed as vouchallenger and re-enter to the registry, the next submissions that you vouches and get an “incorrect submission” challenge has to be voted as “Refuse to Arbitrate”.

I know it’s not a definitive solution. Without changing the contracts I think it’s the best we could do for the moment.

@ludovico ! What do you think? I don’t know if you have the time to launch this hip.