Side-chain bot activity discussion

I am trying to take the high road but if it continues the 2nd and 3rd time could take place with frightening speed. I am a believer in second chances.

1 Like
  1. I actually posted this in Discord that perhaps the community needed to set aside a treasury to retain legal services to enforce TOS (independent of Rally leadership, since it is a community TOS and would need to be community-controlled enforcement). Otherwise the TOS is an empty document that lacks teeth, and lack of enforcement of one rule encourages people to break all of them. One of the primary legitimate reasons given in Discord for not being able to enforce the TOS is who enforces them, so I believe this is the central question as to which mechanism will be used to enforce TOS in general. Delphi could also be consulted on broader solutions for addressing bad actors and behavior through infrastructure mechanics and safeguards.

  2. 2FA I think is the better solution as Captcha will just lower quality of life while neither eliminating bots nor enhancing security. 2FA is also ideal like I said because these are financial assets at end of the day and anyone who complains about having additional security on their assets is probably a bad actor and doesn’t really have a strong logical counter-argument.

  3. Creator Council is a good place to start, while the community if it wished created a specific team based on a vote of who they would want to comprise the team that oversaw complaints, suspicious activity, fraud, etc. Call it an “Enforcement Team” which could or could not be the same team as Creator Council. I think it should be a separate team long-term as CC will just get overwhelmed as this will add a whole new layer of work to an already busy team.

  4. We agree on three strikes, this allows for use cases and special circumstances that are not abuse and also allows recourse for honest action, mistakes, or even let’s say emergency actions to liquidate and such. It would only be repeat offenders impacted which provides flexibility for the real world.

  5. Action could be taken based on verifiable activity, even if 1 Creator, i.e. let us say someone buying through an API BEFORE the launch time because API is easily verifiable it should not take more than one case to trigger action/warning. This goes for any type of bad actor activity which is able to be clearly documented which falls into the said basket. This threshold would diminish as more Creators provided evidence and broader the evidence, but something blatant shouldn’t need more than one Creator to address.

CAPTCHA is actually better than 2FA; CAPTCHA at least requires new models be trained every time Google upgrades their CAPTCHA every few years. 2FA can be handled easily with pre-built APIs specifically built to make it easier. Neither will slow down a bot at all from a technology standpoint; it’ll just add extra steps to legitimate users.

1 Like

Are you saying there is no metric or datapoint which can be used to identify a bot from a human?

Even without using either, people who are violating TOS should be addressed. 2FA isn’t about stopping bots altogether as much as enhancing security PLUS also impacting bots and increasing the resources needed to use one.

Outside of that, if a bot is identified how should it be addressed? What is your honest opinion as a developer as to the best solution to make the bot experience as inefficient as possible?

Having bot detection and enforcement would address the issues while a firm long term solution was created.

Type of service that could address our issue: https://datadome.co/

1 Like

Fair launch will be available and recommended for all Creators and all TBCs.

2 Likes

Thanks, Kevin! Great to learn this and absolutely essential! This will totally solve this problem when made available. Look forward to seeing more on this!

I’d like to wait a bit longer for more input from the community on this thread. Any of these measures may prove surprisingly effective or perhaps ineffective at preventing some front-running bots on the creator coin listings - but at a minimum we can feel confident that we are doing even a single thing to prevent this activity while we work to provide fair launch access to all.

I’d suggest we put it to a “temperature check” vote, and see if the community wants to test any of the proposed measures. Can follow up with a community ambassador towards end of the week if the remaining comments are mostly towards exploring this further.

1 Like

Is the core team already using some kind of advanced monitoring system? This would be interesting to know. There are a lot of tools out there that do anomaly detection on traffic, for example Datadog or Prometheus. Also an interesting approach would be to reward people that find technical exploits and report them.

There are multiple arguments in this thread; I will attempt to respond to them separately:

Practical Responses:

  1. CAPTCHA: In 2004 NIST advised people to use passwords with capitalization, special characters, and numbers. In 2004 this was good advice. In 2017, NIST advised that this was no longer the case; no one listened, because “everyone knew” that password should have capitalization, special characters, and numbers. The problem is that this advice is very easy for a computer to solve, and very taxing to a human. Likewise, CAPTCHA was invented in 1997; it was great at the time because it was very easy for a human (usually) and very taxing to a computer. The problem is humans have stayed the same, but computers have gotten WAY better; CAPTCHAs are now trivial for computers to solve, and have become more difficult for humans. I have two points here: 1) just because something is an industry standard practice doesn’t mean it is still viable (this is an argument against unstated premises in this discussion), and 2) sure it only takes a few minutes to set up CAPTCHA, but it also only takes a few minutes to set up a CAPTCHA solution (just import the right library and add a few lines of code); however it’ll irritate the hell out of legitimate users.

  2. 2FA: 2FA for logging in makes perfect sense; it makes it significantly more difficult for a third party to pretend to be either of the first two parties. It has no place in this discussion though, as the bots are not doing that. Putting 2FA on transactions is essentially going to be like “hey bot, I see you’re making this transaction, are you cool with that?” and the bot will respond “yep”. Again, all it will do is annoy legitimate users.

  3. Third Party Anti-Bot software: I’ve seen several of these, and all the ones I’ve come across so far have been akin to snake-oil salesmen. The problem is that to the host servers, everyone appears to be a bot. Bots, for the most part, have become good enough that software is rarely capable of telling them apart. And the interesting thing is that the only way to make bot detection better (GAN AI) also makes the bots better. The only thing I’ve found to be effective at stopping bots is for some kind of AI detection to flag any behavior it thinks is an anomaly (which is going to be probably 80% real people and 20% actual bots (though it will miss plenty of other bots)), and then have each one reviewed by people. And I don’t think this will work for much longer (though I’m talking years so it might be worthwhile in the short term).

Philosophical Responses:

  1. I’m not sure what the actual problem we’re trying to fix is here. If bots bought the coin and held the coin indefinitely, no one would care. So it seems to me that the problem is not actually the bots, but the fact that they are able to buy before the fans. But are they? So far as I can tell, transactions are processed first in first out; if you know the time a coin is going to launch, you theoretically could buy it BEFORE a bot. Bots aren’t talking with creators about when their coin is going to launch; they find out after a ping to the coin list. These pings aren’t instantaneous nor are they being constantly repeated (the server would crash if so). So there is time, there, where humans will know that a coin has been launched and bots won’t. For instance, either the first or second BTX purchase was 20,000 RLY and everyone was pissed because they thought it might be a bot. But I know for a fact it was a person, because the person told me it was them, and I double checked their wallet because I thought they were boasting.

  2. I don’t think bots are the enemy. That’s essentially the point of APIs; so that bots can handle all of the grunt work while humans do all of the thinking. If anything, I think there should be more bots and more access for bots. Imagine a situation where someone created a system that notified all users that a new coin had just launched, and allowed you to pre-setup and set-aside a set amount of RLY to invest in any new coins, and auto-bought it for you. That is equally as fair of a system as no bots. So if the problem is that “it is not fair”, it becomes clear that if the problem can be solved by removing bots or by adding bots, then bots are not the root of the issue.

  3. If the problem is not fundamentally bots, but rather this is actually just a reframing of the old complaint that a bunch of users buying the coin at launch and then selling as fast as flow control allows looks bad, then yes. I agree. It looks bad. But as I’ve mentioned in several places, I think it’s an inconvenience and has already been mostly solved. So I won’t rehash those same arguments here.

  4. If the problem is that TOS is not being enforced, then that is a valid issue and I would be fine with opening a new topic about that, but that seems to be a pretty ancillary concern to most arguments here; it seems like an excuse to ban the bots rather than the actual root issue.

  5. Finally, if the problem is “people are using the platform to enrich themselves instead of enrich the creators”, then I don’t especially care. All people are people; you’re going to have a tough time convincing me that one subset should be allowed to profit while another subset is not.

I appreciate the time you took to put your thoughts together here. However, the hearsay you provide about one person, one launch, one time is simply inadequate to inform this discussion. And furthermore, the point is that folks aren’t supposed to know when a coin launches, but bots provide this for a subset of users.
You don’t see a problem, you don’t like the solutions others have proposed. Please how can we work together towards a better network?

How many of the same accounts are buying in the first minute of coin listings, what is their place in line, and for how many listings, and are these the same accounts that are automating their selling? Do you see ample evidence of bots or other violations of ToS? @DaddyFatSax

@ira Can we freeze bot accounts where ample evidence exists? What are the downsides to taking action and how should we weigh those against the cost of inaction here?

I think the answers to these questions are essential to a productive discussion on this issue. I want to take action to protect new creators. I want to test ways to protect the integrity of launches. How can we get the Core Rally more dev support to evaluate the problem and propose solutions if that’s what’s needed?

The problem is straight up front-running of coin listings. Bots are enabling individuals to front-run coin listings. 70 purchases (through RLY converts) in the first 2 minutes of an unannounced coin listing is the evidence I would put forward that bots are enabling this to some extent. Automated selling is further evidence that bots are being employed in some capacity.
It seems self-evident that some folks are using technology in a capacity that is not readily available to others in order to game the system. Let’s do something about it.

Fair launch goes directly after the root issue of front-running coin listings - that’s why everyone who is interested in the health of the network wants it. That’s why it is such good news that it will be made available to all creators.

In the interim, should we sit on our hands and wish new creators good luck? Should we try some measures to level the launch playing field? I’m still strongly for trying something here by targeting that which is enabling the root problem - the bots. Suspending bot accounts from trading for 1 month or two months for violating TOS. Trying captcha, since some developers in the community think it is helpful and others disagree. I don’t care so much what we do, just that we do something. It’s exhausting here debating, when a simple snapshot could help us move this discussion past the nay-saying and towards some action.

This raises another problem. Our ability to govern this community is still heavily gated through the core team since we cannot put forward even a simple temperature check without them.

I would propose we further empower the creator council to take the community discussions and put them forward to snapshot votes for “temperature checks” at a minimum. Otherwise, we’ll sit here and put forward our flimsy evidence and guesswork, while third parties come in and further muddy the waters with ridiculous, unrelated assertions around reward manipulation by Core Rally.

Frankly, I haven’t seen a single good reason not to freeze accounts employing bots blatantly in violation of the terms of service. I don’t care if they start new accounts. Doing nothing is the absolute worst course of action to me. Please, make it harder for those exploiting the system. Lock up all their rally for 3 months, and for anyone else that uses bots. That’s a strong disincentive and goes some way to buying time towards fair launch.

2 Likes
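The questions in the post above (which accounts buy in the first minute of a listing, what their place in line is, on how many listings, and whether their selling looks scheduled) can be answered from a trade log. The sketch below is an added example, not code from this thread or from Rally; the `Trade` fields, the thresholds and the sample data are constructed assumptions, and evenly spaced sells are used only as a rough proxy for automated selling.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    account: str   # hypothetical field names, not a Rally schema
    coin: str
    side: str      # "buy" or "sell"
    ts: int        # seconds on an arbitrary clock


def early_buyer_report(listings, trades, window_s=60, min_listings=2, jitter_s=2):
    """listings maps coin -> listing time. Returns one row per account that
    bought within window_s of listing on at least min_listings coins."""
    first_buy = defaultdict(dict)   # coin -> account -> time of first buy
    sells = defaultdict(list)       # (account, coin) -> sell times, ascending
    for t in sorted(trades, key=lambda t: t.ts):
        if t.coin not in listings or t.ts < listings[t.coin]:
            continue                # outside the scope of this check
        if t.side == "buy":
            first_buy[t.coin].setdefault(t.account, t.ts)
        elif t.side == "sell":
            sells[(t.account, t.coin)].append(t.ts)

    early = defaultdict(dict)       # account -> coin -> place in line
    for coin, buyers in first_buy.items():
        ordered = sorted(buyers.items(), key=lambda kv: (kv[1], kv[0]))
        for place, (account, ts) in enumerate(ordered, start=1):
            if ts - listings[coin] < window_s:
                early[account][coin] = place

    report = []
    for account, places in early.items():
        if len(places) < min_listings:
            continue                # a single early buy is not a pattern
        regular = []
        for coin in places:
            s = sells.get((account, coin), [])
            gaps = [b - a for a, b in zip(s, s[1:])]
            # Three or more sells with near-identical spacing look scheduled.
            if len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_s:
                regular.append(coin)
        report.append({
            "account": account,
            "early_listings": len(places),
            "place_in_line": dict(places),
            "evenly_spaced_sells": sorted(regular),
        })
    report.sort(key=lambda r: (-r["early_listings"], r["account"]))
    return report


# Constructed sample data: three listings and four accounts.
LISTINGS = {"AAA": 1000, "BBB": 5000, "CCC": 9000}
TRADES = [
    Trade("acct_1", "AAA", "buy", 1002), Trade("acct_2", "AAA", "buy", 1030),
    Trade("acct_3", "AAA", "buy", 1500),
    Trade("acct_1", "AAA", "sell", 1600), Trade("acct_1", "AAA", "sell", 2200),
    Trade("acct_1", "AAA", "sell", 2800),
    Trade("acct_2", "AAA", "sell", 3000), Trade("acct_2", "AAA", "sell", 7000),
    Trade("acct_1", "BBB", "buy", 5001), Trade("acct_4", "BBB", "buy", 5003),
    Trade("acct_2", "BBB", "buy", 5045),
    Trade("acct_1", "BBB", "sell", 5600), Trade("acct_1", "BBB", "sell", 6201),
    Trade("acct_1", "BBB", "sell", 6800),
    Trade("acct_1", "CCC", "buy", 9003), Trade("acct_3", "CCC", "buy", 9020),
]

if __name__ == "__main__":
    for row in early_buyer_report(LISTINGS, TRADES):
        print(row)
```

A row in this report is a lead for human review rather than proof of automation: a fast human buyer can appear in it, and a bot that randomizes its timing will not show evenly spaced sells.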

The question presupposes that I see a problem. i.e. “How can we work together to fix something that isn’t broken?” is nonsensical. That said, I only had practical concerns about the CAPTCHA and 2FA (specifically being implemented during transaction processes). I think they are a waste of time. But it is not my time being wasted, so I’m cool with having them implemented if everyone else wants it badly enough. It would probably buy a week or two of time while the bot developers notice the failure, implement the fix, and publish the results. I know there are a lot of creators who have been approved and haven’t launched, so if we launched a ton at once during this window it should be relatively bot free. Of course, it could also appear bot-free due to predator satiation; not sure how you’d tell the difference. Or if the difference matters.

I still don’t see why everyone seems to take issue with the “release the coin, wait 2-4 weeks and then announce the coin” solution. That pragmatically solves any of the actual issues with a coin launch. Bots/whales/whatever-we’ve-chosen-to-call-them-in-this-new-version-of-an-old-outrage do not hurt the creator unless the creator’s community is joining at the peak of the spike. If we prevent them from joining at the peak, then what the coin does in the first few minutes should be irrelevant.

As for the stuff about snapshots and governance, that should probably be its own forum thread; it will just muddy the discussion here. But my thoughts on that matter are that anyone who holds RLY should be able to do a snapshot proposal. And it should cost some small amount of RLY to do so (spam prevention). And that there should be a minimum threshold of RLY for a vote to pass. It seems pretty suspect to me that virtually every proposal has passed. It could be the case that by the time a proposal is making it to snapshot that it’s already been so well discussed that no one votes no. Or it could be the case that no one’s voting except for the people who care about that particular proposal (in which case silence shouldn’t count as consent).

1 Like

Yep, it kind of is a bad thing.

1 Like

Here’s what it looks like when a human does it.

I would say this is a problem with the non-flat tax rate. Not a bot issue.

As a more practical solution to bots, they could just lower the rate limit. We’d just need someone to look at the data and figure out a reasonable number, and then a way for legitimate bots (e.g. developer accounts that are doing transactions involving multiple users) to get permission to exceed that number.

1 Like

I think the tax rate is laughable at the higher coin levels. I tested it with one I had a bunch of and it wanted a huge percentage of the value of a low end value coin. I believe it was about 40% of the amount I would receive and I would also lose money selling it before that even was considered. LOL

The developers claim they don’t want people investing in these yet that is what the creators and anyone that buys in early does. Without them your coin is worthless. Who will actually buy many of these coins outside of the closest friends and family of many of the coins? I know if I asked my friends and family to buy in, they alone would surpass the lowest supported coins without even trying, so imagine if those “investing” didn’t buy anything.

Right now I see a busted system and the way it is being repaired is by punching holes in the busted system creating a less appealing system for anyone that would hold larger quantities on this platform.

Just my two cents but I did like the general concept of bitcoin as explained in 2008. Too bad I cannot find where I had mine from when I moved last in 2010. LOL

1 Like

Bots are the least of the issue at hand when one can make multiple accounts to trade with, like flow-control right now, CAPTCHA is just another bandaid with bad adhesive. WHY IS THERE NO IDENTITY VERIFICATION TO CREATE ACCOUNTS. Ridiculous, learn from your peers and history.

1&2: While I agree with some of your points about 2FA & Captcha (I don’t think they should be used to address automated behavior at all). I still think 2FA on converts out from CC to Rally is not a bad thing. Increased security on monetary transactions out of a said economy isn’t a bad thing.

3: A comprehensive solution is needed to address bots. It is not just down to an application but a dedicated solution and team that addresses the issue. I disagree that there is no credible solution or way to counter or address bot activity and that all possible solutions are “snake oil salesman”. It’s more if bot activity is going to be allowed or not, which, due to it being posted in the TOS, it is not; that is a moot point and pointless to rehash that argument. The solution I posted actually works similar to what you said would work in the short term to address the issue while a longer-term solution to deal with behavior, enforcement, and mechanics was developed. Earlier you said that basically nothing could be done. Also enacting the proposed solution would also improve Quality of Life across the board providing additional protection and security against things like DDoS, Server Overload, and Penetration/Vulnerability Scanning. Protecting against a vast array of bots among other things. All of which are value adds for a platform like ours. You also offered another solution with throttling, but it can not rely on one metric or system that can be circumvented by mirroring or matching.

4: The problem that people are trying to fix is that people are violating the terms of service to have an unfair advantage and reap a financial gain. Bots just happen to be the low-hanging fruit to use as an example of bad actors who are violating the rules for whatever reason and not being penalized. Turning a blind eye to violations of the TOS is a slippery slope and will encourage more bad behavior across the board. Using an argument that if a bot bought and held forever there wouldn’t be an issue, seems like a poor argument. If the bots didn’t front run and buy in 1st place and break the rules and TOS we wouldn’t have a problem either. Both are just as valid an argument, except one has the backing of the TOS, rules, law, and community and one does not. That is the core issue. We also aren’t talking anecdotal examples but easily verifiable, repeated, and unethical actions.

5: Bots are the enemy if the TOS says they are. So we as a community need to 1st decide if bots are allowed, and if they are under what conditions. As it stands bots are against the TOS so they are definitely an “enemy”. Also the example you used would be available to everyone on platform right as part of using platform and wouldn’t require the skills, expertise, or resources for building a bot to exploit? So I don’t see how that holds water. Bots are either allowed or they are not. It’s not about whether removing or adding them solves anything. It’s about whether they are allowed or not. Also that system doesn’t exist as described in your example so we don’t have a system that resembles what you positioned in your post, not even close. Basically a circular argument and chicken and egg problem.

6: The problem is fundamentally bots if the TOS says they are against the rules, and if certain repeated parties are enriching themselves financially by breaking the rules at least for sake of this particular thread. They are just one example of violations of the TOS that need to be enforced. As you posted this also looks bad from an overall PR, community, and platform aspect for all of us. Having a rule that you don’t enforce, which is also a sore spot of launches and is readily apparent to everyone on the platform is a problem that needs to be fixed. As I posted in the discussion in Discord, what I have seen is actually a mix of three separate issues 1. Bots, 2. Fair Launch, 3. TOS Violations & Enforcement. These need to be divided into separate solutions and threads because they relate but are not the same discussion. I also see people basically using “whale” and bot interchangeably when they are not the same thing.

7: An excuse to ban bots? They are in violation of the TOS, no excuse is needed to ban them or people profiting off them. The root issue is violations of TOS, regardless of if it is botting, or anything else that violates terms of service. Banning something against TOS isn’t a “bad” thing. It’s enforcing something you say is the rules to begin with.

8: Valid point. I don’t think anyone here is arguing for one to profit versus another or people have missed the point. Literally, it’s about bots and them being against TOS and having unfair advantages over human beings due to the way the platform is designed, it has nothing to do with positioning or profit. That is just a symptom of the problem. I would be just as against any violation of TOS this just happens to be the one that I think has one of the most negative impacts in the current ecosystem.

Grand needs to be commended here, for showing leadership. He basically hit every nail on the head from the community, network, and creator side. As it stands minutes of front-running by the same individuals in a mad dash using automated and generally inaccessible means are causing weeks to a month long of financial damage at a minimum.

I stand behind Grand’s approach to do something about it. There are more than a few options that we have available:

  1. KYC for all new accounts (submission allows access to allow instant access for new fans if verified to have duplicate account both accounts are suspended unless combined)
  2. 2FA for converts to $RLY from respective Creator Coin
  3. Minimum 30 Day Suspension for Violation of TOS
  4. Ability to vote on rally.io with $RLY, this would increase engagement across the community
  5. Gating Creator Launch day buys with them airdropping Genesis coins from their wallet
  6. Fair Launch Solution
  7. Comprehensive DDoS, Bot, and Penetration/Vulnerability Scanning Protection Services

Being myself under attack from these frontrunners and bots, it’s really disheartening to hear community members state such things as “wait 2-4 weeks to use your economy because of minutes of front running”. You don’t see why people take issue? It’s because what is happening is not ethical, unfair, and bad for the community at large.

The indifference by some in the community who are supposed to care about the community is striking. To say that all of this front running, reward interference, financial damage, and reputation damage that just the Creators themselves suffer from the way the launches are perceived by anyone watching is nothing and just par for the course is beyond me. I can for sure tell you as a Creator that these actions by automated means have long-standing impact and damage to communities and their perception of Rally, outside of them joining at a peak. My community is basically locked out of even using the platform for weeks now due to having to wait for some frontrunners to unload their spoils right in front of us. It’s kind of sickening.

How do you prevent them from joining at peak when according to you bots and order in which people buy seems to not even matter? The position that this has no impact on an economy based on just the initial minutes is just wrong factually and in reality. Rewards, momentum, money, and time are all lost due to these actions. All because nothing is being done about something that’s supposed to be against the rules.

1 Like

Risky take, my dude. There’s a difference between violating the letter of the law vs violating the spirit of the law. The “they are bots, bots violate the TOS, therefore they should be banned” argument also implies that sending coin via Twitch bots or sending coin via Discord bots or using bots to collect historical data (all of which violate the “access, or collect data” portion of the TOS) are disallowed. Your primary belief may or may not be “all and any TOS violators should be banned”. But I think the TOS portion is ancillary for most other people. I think that they believe that bots are the cause of the perceived problem, and so are using TOS as an excuse to ban them. I think that they would no longer be interested in banning them if the bots were buying the coin and promising to hold it for a year.

As for “the indifference by some in the community”…firstly that’s emotional manipulation and has no place in a logical argument. Secondly, if anyone here was indifferent, they wouldn’t be arguing. Presenting an argument takes time and energy. Why would anyone spend either if they were indifferent?

1 Like

Any tools that are outside of TOS should be banned, or the TOS should be modified to reflect their acceptance. Are you implying that the problem is all “perception”? TOS as an excuse? Holding for a year? Did you literally not read what I typed?

  1. Bots are a real problem, due to violations of TOS, front running, network degradation, financial damage, interference with fair market forces, and automated access that is disrupting and causing damage across the platform in several ways. How long they hold is not relevant at all. You make quite a few assumptions and statements that are demonstrably false.

  2. Indifference by the community has an impact as well. The flippant and dismissive way that some in the community act about flagrant violations is appalling. This is real people’s money and lives being impacted and it deserves more than a casual and dismissive attitude. Just because someone is posting doesn’t mean they are presenting an argument that actually took time, forethought, and adds anything as far as providing a solution other than just let them have their way.

You selectively scan through what someone posts and the real meat and solutions you ignore, if anything you defend bots being able to do these types of things and think we should just get out of their way because nothing we do or anyone else can do will stop them. It’s a hopeless, helpless attitude and part of the reason this problem has developed to this level because apparently it can’t be decided if something is against the rules or not.

1 Like

I agree with mrq02 - bots aren’t the problem. There are lots of problems, like the way we launch coins and how creator tax is calculated. Neither of those are caused by bots. Selling through flow controls with a bot isn’t harming anyone, it’s not like they are circumventing the flow controls.

FWIW bots exist in all crypto markets. If Uniswap, pancakeswap, binance, and coinbase decide to ban bots then maybe I would get on board. No other marketplace bans bots, neither should Rally.

3 Likes

This thread is now roughly addressed here: Addressing Bots and Multi Accounting Concerns

Please continue the discussion there. (Apologies for the split/duplicate threads. I’ll lock this one to avoid confusion.)