Authors:
Hubert
Summary
Proposed new structure of Safe multisigs for the DAO to maximize security and decentralisation.
Context
Most of Stake DAO’s contracts have a governance address that is still entitled to perform certain defined changes to the contract. In some cases, such changes could theoretically be used maliciously to steal user funds (for example, by setting withdrawal fees to 100%).
This creates a security risk for users, as no multisig is ever 100% safe. It also creates legal uncertainty for the DAO and its multisig signers, as the technical possibility of maliciously stealing funds from users could be misinterpreted as a form of custody. It is therefore critical to limit these risks and, to that end, to find a decentralised solution for access to Stake DAO contracts.
However, Stake DAO has a significant treasury which is key to its operation. It is used in an agile manner: voting for Stake DAO pools to ensure the DAO has solid liquidity, and allowing the DAO to accumulate strategic tokens such as CRV, FXS, etc. in sizable amounts, which is critical for the DAO’s operation. This agile management requires reactivity and flexibility.
There are therefore conflicting needs for our governance: security and decentralization for the DAO contracts, reactivity and efficiency for the DAO treasury.
Rationale
The suggested solution is to have the following multisig architecture for all chains:
- Contract owner Safe
- Treasury management Safe
- Emergency DAO
Contract owner Safe
Purpose: owns the governance of Stake DAO contracts.
Assets: only DAO-owned SDT.
Owners:
- Emergency DAO (with only the power of blocking transactions and activating kill switches)
- On-chain governance (veSDT vote, technical solution to be discussed)
Signing rule: 1/2
Comment: This is the most important Safe, as it potentially has the ability to steal funds from users. The idea here is to have something which is fully decentralized and to make sure nothing can really happen on Stake DAO without approval from the community. An emergency DAO is necessary because on-chain governance bears its own risks (a governance attack or mistake could lead to loss of user funds).
Treasury Safe
Purpose: Manage the treasury of the DAO in a way that serves the DAO’s best interest and supports the development of the protocol.
Assets: holds most of the assets of the DAO.
Owners: 5 members plus 3 substitutes (who can replace a member who is on holiday, ill, etc.), elected via governance votes to form a treasury committee.
Signing rule: 3/5
Comment: The idea of this Safe is to support the DAO’s development through smart use of the crypto assets it has accumulated over time: strategic liquidity provision, liquidity mining, incentivisation of liquidity provision and votes, etc. (which requires a lot of flexibility and reactivity). The challenge is to find a way to keep this flexibility while limiting the risk (which still technically exists) of misuse of the DAO’s assets by signers of the Safe.
Emergency DAO
Purpose: Protect the DAO in case of governance attack or material risk on the contract owner multisig.
Assets: none.
Owners:
- 6 members from the ecosystem and community, elected through a community vote. They could be significant users and counterparties.
Signing rule: [3/6] to be discussed.
Comment: Members from outside the active contributors, who are here to protect the DAO from governance attacks and emerging risks (notably, a very quick action may need to be taken in case of a hack, for example). The Emergency DAO can only activate a kill switch or block a transaction. Members need to be present in time zones that enable emergency situations to be dealt with at any time of the day and week.
Transition
Technical solutions for on-chain governance need to be studied and decided upon with the community. Possible solutions: oSnap, Zodiac + Governor contract, Tally, etc. A separate proposal will focus on this.
Transition can be fairly smooth, but of course, this needs further confirmation after a decision on the voting solution.
The current multisig (0xF930EBBd05eF8b25B1797b9b2109DDC9B0d43063) would become the “Contract owner Safe”. For this, the following steps would be needed:
- Build the on-chain governance structure (regardless of the solution)
- Deploy the emergency DAO
- Replace 2 of the current signers of the Safe with the two above
- Change signature requirements from 4 to 1
- Withdraw the other former signers
The treasury management multisig would be created from scratch and given the corresponding signing structure.
Until the voting structure is decided upon and implemented, the treasury management will stay in the current multisig (0x930), and the elected committee will be set as the owner of this multisig with the target signing structure of the treasury management multisig.
The other Stake DAO safes on side chains would be given the same signing structure and fall under the treasury management umbrella.
All assets from the Contract owner Safe, apart from the SDT held in the wallet, would be sent via a governance proposal to the treasury manager contract.
Means
The implementation of such a proposal will require significant work from contributors.
Depending on the voting infrastructure chosen, developer requirements will vary.
Emergency DAO members need to be identified, as well as treasury managers, and governance votes will need to pass.
A minimum of three governance votes will be required after this one to complete the execution of this proposal.
Immediate next steps if the proposal passes:
- Launch the election of the treasury management multisig signers.
- Launch a proposal detailing the various solutions for on-chain governance to choose the best path for Stake DAO contracts’ ownership.
Proposal specifications:
- Admin: veSDT holders
- Community feedback: 3 days minimum
- Voting Duration: 7 days