Perpetually KYC'd Coins Using Evil Covenants

I have been thinking about this topic and have a random collection of thoughts to share here.


Regarding the features of the KYC covenant described in OP:

This is an advantage; at the same time, a signing server can create multiple spending paths such that if the key on one path is compromised, they can switch to another key. That doesn’t help in cases where the attacker has also compromised the user key, but it helps recover in cases where the user key is not compromised. This might be “good enough”, since in the case of the covenant, if the user key is compromised, this can also lead to theft (see the point below about stealing KYC’d coins).

I don’t think this will be acceptable in practice. If an address is found to be compromised, authorities will want to be able to immediately remove it from the KYC list. Two weeks is a long time to allow an address to be abused.

Stealing coins is likely more difficult in the KYC covenant paradigm but we only have to look at how prevalent theft and fraud are in the actually-existing KYC banking system to see that “cannot steal” is far too strong a claim. Attackers have many tools at their disposal to steal KYC funds, such as money mules, account takeover, and identity theft, to name just a few. Translating these methods into the KYC covenant context, this is how an attacker could circumvent the KYC restrictions to steal coins (assuming they have already compromised the private key, of course):

  • Money mules: the attacker would hire willing agents to go through the KYC process and receive funds stolen from another account, and quickly cash them out before the theft victim can report the theft and freeze the funds.

  • Account takeover: the attacker would compromise an existing KYC’d account and use it to cash out stolen funds before either the theft victim or the takeover victim realizes what is happening.

  • Identity theft: the attacker would create a KYC account using a stolen identity and use it to cash out stolen funds before either the theft victim or the identity theft victim realizes what is happening.

These methods can also be combined to create “chains” or “fan-out” structures of transfers that make the theft harder to (fully) recover from. Again, this is not theoretical; this is already how attackers steal money in the KYC banking system.


Regarding alternatives:

Today we have a few comparable alternatives to point to, one that uses a signing server (AMP) and two that use smart contracts (Railgun and Privacy Pools). AFAIK neither model has been adopted or mandated by any govt, so TBD which model tyrants will end up preferring.

(Notably, trustless implementations of Railgun and Privacy Pools could be built on bitcoin using only OP_CAT, by using OP_CAT to create a trustless bridge to an EVM-compatible rollup and then deploying the open-source Railgun/Privacy Pools smart contracts to that rollup.)