[TFIP-3] Accept New Treasury Smart Contracts to Custody ERC20 tokens

Description

Abstract

This proposal revokes a deployer wallet’s DEFAULT_ADMIN_ROLE for these two new contracts:

These two new contracts will grant the DAO ultimate responsibility over its ERC20 funds. After this proposal executes, the current Gnosis Safes would be able to transfer DAO-owned ERC20 funds to these Treasury contracts.

Revoking the deployer wallet’s role has two consequences:

  • removes risk of compromise of the single deployer wallet
  • confirms with a positive action that the DAO has control over these two Treasury contracts

Security

As these contracts are going to store all of the TrueFi treasury at some point in the future, it is extremely important to make sure they are bulletproof.

The contract code has been:

  • designed, implemented and deployed by the TrueFi Security team
  • formally verified by the TrueFi Security team
  • audited by Zellic

Do not trust. Verify. It is your responsibility as a voter to make sure the new TrueFi DAO treasury is a safe place for the DAO's ERC-20 tokens.

Motivation

DAO ERC20 funds are currently held by two Gnosis Safes:

  • A Protocol Safe that earns protocol fees and can later distribute them
  • An Incentives Safe that distributes TRU rewards to stakers and liquidity providers

While TrueFi places high trust in the current Safe signers, there is currently no mechanism for the DAO to revoke the Safe signers’ privileges in case of disagreement. Formally, these Safes currently act as autonomous owners of the DAO’s ERC20 funds.

Details

The new Protocol Treasury and Incentives Treasury contracts both have transfer() and approve() functions that delegate to the ERC20s held by the contracts. These functions can only be called by addresses with the MANAGER_ROLE, and only when the contract has not been paused by addresses with the PAUSER_ROLE.

The DAO has already been granted DEFAULT_ADMIN_ROLE for these Treasury contracts, so this revokeRole() is the RBAC analogue of the claimOwnership() from the deprecated Claimable design pattern.

After this proposal, the DAO will be the only address that is able to grant and revoke MANAGER_ROLE and PAUSER_ROLE in the Treasury contracts. The MANAGER_ROLE is intended to prevent voter fatigue, since it would be cumbersome for DAO voters to micromanage day-to-day funds transfers. The PAUSER_ROLE is a fast arbiter to prevent a MANAGER_ROLE rugpull if the DAO votes (delayed by a timelock) to revoke an address’s MANAGER_ROLE.

Executable Code

Function 1:

Signature:


revokeRole(DEFAULT_ADMIN_ROLE(), 0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d)

Target:


0x863461596aB57b91B873b26D4F0a701a9703B9Ca

Value:


0

Function 2:

Signature:


revokeRole(DEFAULT_ADMIN_ROLE(), 0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d)

Target:


0xB74c97c64d52f8f746efA72CD83D59cDf75F1a98

Value:


0

3 Likes
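In the spirit of the post's "Do not trust. Verify.", here is an added example (not part of the original post and not TrueFi's code) that checks a proposal action's target, value and calldata against the values listed under Executable Code. It assumes the Treasury contracts follow the OpenZeppelin AccessControl ABI, which the post does not state: selector 0xd547741f for revokeRole(bytes32,address) and an all-zero DEFAULT_ADMIN_ROLE. The names check_action and build_expected_calldata are hypothetical.

```python
# Added example: offline check of a proposal action against the forum text.
# Assumptions (not stated on the page): OpenZeppelin AccessControl ABI, so
# revokeRole(bytes32,address) has selector 0xd547741f and DEFAULT_ADMIN_ROLE
# is the all-zero bytes32.
REVOKE_ROLE_SELECTOR = bytes.fromhex("d547741f")
DEFAULT_ADMIN_ROLE = bytes(32)

# Values copied from the "Executable Code" section of the proposal.
DEPLOYER = "0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d"
TARGETS = {
    "0x863461596aB57b91B873b26D4F0a701a9703B9Ca",
    "0xB74c97c64d52f8f746efA72CD83D59cDf75F1a98",
}


def check_action(target, value, calldata_hex):
    """Return a list of mismatches between an on-chain action and the post."""
    problems = []
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if target.lower() not in {t.lower() for t in TARGETS}:
        problems.append("target is not one of the two Treasury contracts")
    if value != 0:
        problems.append("action sends ETH; the post says value 0")
    # Exact length check: trailing bytes could hide extra data from a reviewer.
    if len(data) != 4 + 32 + 32:
        problems.append("calldata length is not selector + two 32-byte words")
        return problems
    selector, role, account_word = data[:4], data[4:36], data[36:68]
    if selector != REVOKE_ROLE_SELECTOR:
        problems.append("selector is not revokeRole(bytes32,address)")
    if role != DEFAULT_ADMIN_ROLE:
        problems.append("role is not DEFAULT_ADMIN_ROLE")
    # An ABI-encoded address is left-padded with 12 zero bytes.
    if account_word[:12] != bytes(12):
        problems.append("address word has non-zero padding")
    if "0x" + account_word[12:].hex() != DEPLOYER.lower():
        problems.append("account is not the deployer wallet from the post")
    return problems


def build_expected_calldata():
    """Constructed sample: the calldata the post's signature should encode to."""
    account = bytes.fromhex(DEPLOYER[2:])
    word = bytes(12) + account
    return "0x" + (REVOKE_ROLE_SELECTOR + DEFAULT_ADMIN_ROLE + word).hex()
```

Feed it the target, value and calldata shown by the governance UI or a block explorer for each action; an empty list means the action matches the post.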

There is no voting option Kaimi…?

  • Yes - Implement this proposal
  • No - This proposal has to be reworked

0 voters

1 Like

This proposal has been created on-chain. Voting period begins Wed Dec 7 at ~3am UTC and will run for 72 hours.

2 Likes