Watch Out! Near Protocol's Issues, Vulnerabilities, and Attack Vectors

By Michael @ CryptoEQ | CryptoEQ | 2 Nov 2022



NEAR Protocol has significant decentralization vulnerabilities. This is underscored by its initial token distribution (all premined) and its governance model. This problem creates great underlying risk with the NEAR token for public holders and community members should early investors or founders choose to unload tokens.

Centralization Issues

The most troublesome vulnerability of NEAR Protocol is its centralization. On paper, NEAR appears to take deliberate steps to promote the decentralization of its ecosystem, as seen in the measures taken to increase participation in block production and consensus. However, it falls horribly short of ensuring that decision-making power is distributed in a decentralized manner.

NEAR Protocol’s privatized token sales, combined with its decision to control over 50% of the tokens internally, have sabotaged its participation model in consensus. A One Token: One Vote governance model is only appropriate in terms of decentralization if the tokens themselves are widely distributed, giving anyone in the community a chance to fully participate in the network.

With investors and the founders controlling nearly all of the tokens, nearly anyone in the public or community who purchased NEAR in 2020 after the mainnet launch basically served as exit liquidity during the 2022 bear market contraction. In fact, NEAR peaked in January 2022 and has since fallen back to price levels equal to summer 2021.

Additionally, the reference maintainer basically acts as a CEO who reports to the Foundation Board (the entity that elects the maintainer and controls the most tokens) rather than the community as a whole.

 

Validator Concentration

Even after releasing Phase 1, there remain significant barriers to becoming a validator on the NEAR network. This is a crucial part of achieving and expanding the decentralization of the protocol away from the developers and to the community. With only 125 network validators allowed, securing and maintaining a seat is not only difficult but also expensive.

Putting both the limitation of only 125 validators and the costs of running a full validator node aside, the major centralization found within the initial token launch all but ensures the only validators on the NEAR network are early investors and large token holders. The official statements from the team seem to indicate that they want easier-to-run hardware and lower staking requirements in order to expand the “Chunk-only” validator set to ~300-400. This would be great and a step in the right direction.

However, as we know, the absolute number of validators is not the whole story. It appears these Chunk-only validators need to apply with NEAR or hook into a SaaS (image below). It’s understandable, given it's brand new and a roll-out, but eventually, you’d like to see this become permissionless.

 

Technical Documentation and Audits

While NEAR Protocol has a relatively limited validator set (125), the team has done a good job of providing clear instructions for operating the archive node. This is an important feature if they wish to entice future node runners. However, as stated before, the requirement of ~100,000 NEAR is the primary obstacle in growing the node count.

In general, NEAR provides solid system documentation about node architecture and running the chain’s software. However, one concerning area revolves around test code vs. production code. For every 125 lines of live mainnet production code, there are only ~69 lines of test code in NEAR's nearcore repository. This indicates that some of the live code is not exercised by tests.

It is also unclear whether NEAR conducts public audits. While audits have been mentioned in other research reports, we were unable to locate the audits themselves. 

Additionally, NEAR does not mention an official bug bounty. However, Aurora, the L2 atop NEAR, offers a $6 million bug bounty. In fact, in Q2 2022, Aurora paid out $2 million to two hackers for discovering serious flaws. The two $1 million bounties were awarded in AURORA, the platform's native token, and will be distributed linearly over one year. The payouts were coordinated using the ImmuneFi platform for bug bounties. The vulnerability report was released earlier today, and the flaw was found by security firm Halborn on June 10.

 

Direct Exposure to Three Arrows Capital (3AC)

NEAR Protocol also had significant exposure to the insolvency of major crypto investor Three Arrows Capital (3AC). 3AC Founder Zhu Su announced it was leading a $150 million funding round with NEAR in Q1 2022. 3AC was once a $10 billion fund that, because of market factors (including the Terra Luna collapse), took on heavy losses during 2022 and has since become insolvent.

At the time that 3AC’s $150 million funding round with NEAR Protocol was announced, the NEAR token was worth roughly $20. Since then, NEAR has fallen over 80% YTD.
