KYC for Contributions: Balancing Accessibility and Security

The recent “Contributions Without KYC” proposal on Terraport (Proposal 12059) has ignited a complex debate within our community. The proposal suggests allowing code contributions from individuals or teams without completing Know Your Customer (KYC) processes, as long as a KYC-verified party reviews the code and transfers responsibility.

Arguments for the Proposal

  • Lowering Barriers to Entry: Supporters argue that this system would encourage wider participation, especially for small contributions and volunteer developers. KYC can be a hurdle for minor bug fixes or improvements. :muscle:
  • Community Support: Many community members have offered to cover the cost of KYC for volunteer developers, indicating strong support for increased contribution. :clap:
  • Streamlining Process: The proposal aims to address a genuine need to speed up and facilitate contributions to the Terra network. :rocket:

Arguments for “Voting No Until Clearance”

  • Security Concerns: One primary concern is security. KYC helps combat bad actors and malicious code. :warning:
  • Liability and Review: It’s unclear how enforceable the liability transfer to the KYC party would be in practice. Questions surround ensuring a rigorous review process for any contributed code. :face_with_monocle:
  • Potential for Loopholes: Some argue that this framework risks exploitation, offering a way for bad actors to circumvent KYC regulations. :unlock:

The Importance of “Clearance”

Voting “no until clearance” indicates a thoughtful approach. Before supporting the proposal, concerned community members would like answers to these pressing questions:

  • Security Protocols: How would secure, verifiable transfer of liability to the KYC party be implemented? What would prevent bad actors from slipping in under the umbrella of KYC-verified entities? :lock:
  • Review Thoroughness: What specific quality controls are in place for thorough code review by the KYC party? How can reviewers be objectively held accountable for code quality they oversee? :eyes:

Personally, I am against all KYC for any contributors to begin with; anyone who wants to code for LUNC can and should without any privacy invasion or harassment!

The crypto code of ethics is about a Permissionless and Trustless system with an open-source process that guards against all the presumed malign acts!

KYC for developers does nothing but develop a false sense of security!! It’s not a worthy trade-off for the sacrifice of liberty - it’s against what crypto came into existence for and it defies all its promises.

A better alternative is to Audit any Code to be used and implemented, regardless of who developed it. Here is the answer to the security woes, if it is security we are after!!!

"I hear your strong stance on privacy and the importance of permissionless work in crypto. This is a fundamental principle of the space. However, the harsh reality with projects like Terra Classic is that we’re also rebuilding something tarnished by bad actors. Striking a balance between fostering contributions while minimizing security risks is critical for sustainable future growth.

Alternatives and Safeguards

Instead of an all-or-nothing KYC approach, could we explore options that mitigate risk but don’t fully compromise contributor anonymity? Examples might be:

  • Reputation Systems: Could verified developers vouch for new contributors without full KYC exposure?
  • Code Escrow: Holding contributed code in escrow until review, releasing it (and a potential contribution bounty) only after approval from multiple trusted parties.
  • Gradual Trust: Small contributions at first with low access privileges. Trust is built with proven quality over time.

It’s About Collaborative Solutions

Absolutely, code audits are essential, but might not be enough in a post-collapse situation like ours. It’s in all our interests to find workable compromises. Let’s shift the focus towards brainstorming practical solutions that keep contributions open while also addressing genuine security needs the community has."

Key Points of This Response

  • Empathy: Validates the commenter’s core concerns about KYC and crypto’s original philosophy.
  • Acknowledgement of Challenges: Highlights the unique challenge of rebuilding a project after damaging losses.
  • Focus on the Big Picture: Frames the goal as fostering long-term project health rather than just pushing one side or the other.
  • Inviting Collaboration: Opens the door for the commenter and others to join forces in finding better solutions.

Firstly, let us confirm that we are not talking about the team's approach to security for developers working on Terraport or influencing decisions on Terraport.

This proposal is purely for the L1 TerraClassic blockchain, where there are additional risk mitigation processes in place such as peer review and validator approval.