This proposal revokes a deployer wallet’s
DEFAULT_ADMIN_ROLE for these two new contracts:
These two new contracts will grant the DAO ultimate responsibility over its ERC20 funds. After this proposal executes, the current Gnosis Safes would be able transfer DAO-owned ERC20 funds to these Treasury contracts.
Revoking the deployer wallet’s role has two consequences:
- removes risk of compromise of the single deployer wallet
- confirms with a positive action that the DAO has control over these two Treasury contracts
As these contracts are going to store all of the TrueFi treasury at some point in the future, it is extremely important to make sure they are bullet proof.
Contract code had been:
- designed, implemented and deployed by TrueFi Security team
- formally verified by TrueFi Security team
- audited by Zellic
Do not trust. Verify. It is your responsibility as a voter to make sure new TrueFi DAO treasury is a safe place for DAOs ERC-20 tokens.
DAO ERC20 funds are currently held by two Gnosis Safes:
- A Protocol Safe that earns protocol fees and can later distribute them
- An Incentives Safe that distributes TRU rewards to stakers and liquidity providers
While TrueFi places high trust in the current Safe signers, there is currently no mechanism for the DAO to revoke the Safe signers’ privileges in case of disagreement. Formally, these Safes currently act as autonomous owners of the DAO’s ERC20 funds.
The new Protocol Treasury and Incentives Treasury contracts both have
approve() functions that delegate to the ERC20s held by the contracts. These functions can only be called by addresses with the
MANAGER_ROLE, and only when the contract has not been paused by addresses with the
The DAO has already been granted
DEFAULT_ADMIN_ROLE for these Treasury contracts, so this
revokeRole() is the RBAC analogue of the
claimOwnership() from the deprecated
Claimable design pattern.
After this proposal, the DAO will be the only address that is able to grant and revoke
PAUSER_ROLE in the Treasury contracts. The
MANAGER_ROLE is intended to prevent voter fatigue, since it would be cumbersome for DAO voters to micromanage day-to-day funds transfers. The
PAUSER_ROLE is a fast arbiter to prevent a
MANAGER_ROLE rugpull if the DAO votes (delayed by a timelock) to revoke an address’s