Description
Abstract
This proposal revokes a deployer wallet’s DEFAULT_ADMIN_ROLE for these two new contracts:
These two new contracts will grant the DAO ultimate responsibility over its ERC20 funds. After this proposal executes, the current Gnosis Safes would be able to transfer DAO-owned ERC20 funds to these Treasury contracts.
Revoking the deployer wallet’s role has two consequences:
- removes risk of compromise of the single deployer wallet
- confirms with a positive action that the DAO has control over these two Treasury contracts
Security
As these contracts are going to store all of the TrueFi treasury at some point in the future, it is extremely important to make sure they are bulletproof.
The contract code has been:
- designed, implemented and deployed by the TrueFi Security team
- formally verified by the TrueFi Security team
- audited by Zellic
Do not trust. Verify. It is your responsibility as a voter to make sure the new TrueFi DAO treasury is a safe place for the DAO’s ERC-20 tokens.
Motivation
DAO ERC20 funds are currently held by two Gnosis Safes:
- A Protocol Safe that earns protocol fees and can later distribute them
- An Incentives Safe that distributes TRU rewards to stakers and liquidity providers
While TrueFi places high trust in the current Safe signers, there is currently no mechanism for the DAO to revoke the Safe signers’ privileges in case of disagreement. Formally, these Safes currently act as autonomous owners of the DAO’s ERC20 funds.
Details
The new Protocol Treasury and Incentives Treasury contracts both have transfer() and approve() functions that delegate to the ERC20s held by the contracts. These functions can only be called by addresses with the MANAGER_ROLE, and only when the contract has not been paused by addresses with the PAUSER_ROLE.
The DAO has already been granted DEFAULT_ADMIN_ROLE for these Treasury contracts, so this revokeRole() is the RBAC analogue of the claimOwnership() from the deprecated Claimable design pattern.
After this proposal, the DAO will be the only address that is able to grant and revoke MANAGER_ROLE and PAUSER_ROLE in the Treasury contracts. The MANAGER_ROLE is intended to prevent voter fatigue, since it would be cumbersome for DAO voters to micromanage day-to-day funds transfers. The PAUSER_ROLE is a fast arbiter to prevent a MANAGER_ROLE rugpull if the DAO votes (delayed by a timelock) to revoke an address’s MANAGER_ROLE.
Executable Code
Function 1:
Signature:
revokeRole(DEFAULT_ADMIN_ROLE(), 0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d)
Target:
0x863461596aB57b91B873b26D4F0a701a9703B9Ca
Value:
0
Function 2:
Signature:
revokeRole(DEFAULT_ADMIN_ROLE(), 0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d)
Target:
0xB74c97c64d52f8f746efA72CD83D59cDf75F1a98
Value:
0
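One way a voter could check the two actions above, as an added example that is not part of the proposal or TrueFi's code. It decodes an action's raw calldata and confirms it revokes exactly DEFAULT_ADMIN_ROLE from the deployer wallet, and it builds the hasRole() eth_call to run before and after execution. It assumes the Treasury contracts follow OpenZeppelin-style AccessControl (DEFAULT_ADMIN_ROLE equal to bytes32(0) and the standard selectors); all function names are hypothetical.

```python
import json

# Assumption: the Treasury contracts follow OpenZeppelin AccessControl, where
# DEFAULT_ADMIN_ROLE is bytes32(0) and these are the 4-byte function selectors.
REVOKE_ROLE = "d547741f"  # revokeRole(bytes32,address)
HAS_ROLE = "91d14854"     # hasRole(bytes32,address)
DEFAULT_ADMIN_ROLE = "00" * 32

# Values copied from the proposal's "Executable Code" section.
DEPLOYER = "0x7Dee3c1fE15B6C16622ba2d7f939a2242155654d"
TARGETS = ["0x863461596aB57b91B873b26D4F0a701a9703B9Ca",
           "0xB74c97c64d52f8f746efA72CD83D59cDf75F1a98"]

def _hex(s):
    """Lowercase a hex string and drop an optional 0x prefix."""
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def _addr_word(addr):
    """ABI-encode an address as a left-padded 32-byte word."""
    raw = _hex(addr)
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw.rjust(64, "0")

def encode_call(selector, role, account):
    """Calldata for a (bytes32 role, address account) function."""
    return "0x" + selector + role + _addr_word(account)

def check_action(calldata, value, expected_account=DEPLOYER):
    """Return the problems found in one proposal action; empty means it matches."""
    data = _hex(calldata)
    problems = [] if value == 0 else ["action sends ETH"]
    if len(data) != 8 + 64 + 64:
        return problems + ["unexpected calldata length"]
    selector, role, account = data[:8], data[8:72], data[72:]
    if selector != REVOKE_ROLE:
        problems.append(f"selector {selector} is not revokeRole")
    if role != DEFAULT_ADMIN_ROLE:
        problems.append("role is not DEFAULT_ADMIN_ROLE")
    if account != _addr_word(expected_account):
        problems.append("account is not the deployer wallet")
    return problems

def has_role_request(target, role, account, req_id=1):
    """JSON-RPC eth_call body asking `target` whether `account` holds `role`."""
    call = {"to": target, "data": encode_call(HAS_ROLE, role, account)}
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
                       "params": [call, "latest"]})

def decode_bool(result_hex):
    """Decode the ABI-encoded bool returned by hasRole()."""
    return int(result_hex, 16) == 1
```
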