[TFIP-6] Assign CANCELLER role for TrueFi Governance - **modified**

Proposal below is an iteration over the previous one, the main modification being the change of the multisig address that is going to become CANCELLER.

New Multisig Address: 0x8c8FcA3812c4272756120E207D3ED496A73Bc528

We have learned that the multisig that I pointed to within the previous proposal already has a lot of other “TrueCurrencies” (e.g. TUSD) related responsibilities.

We 100% want to avoid mixing these two. And we would not be able to re-configure who the signers are for 0x16cEa306506c387713C70b9C1205fd5aC997E78E(right now it is mostly AB folks).

So built a new mutlisig that will be 2 coming from Archblock ecosystem, 2 persons connected to Wallfacer, and 2 long-time community members.

Multisig threshold is 3/6.

Abstract

To protect the DAO from potential governance attacks, we propose assigning the CANCELLER role to the multisig 0x8c8FcA3812c4272756120E207D3ED496A73Bc528.

Following security measures have been undertaken:

  • All signers are using hardware wallets
  • Members are geographically dispersed
  • There is a stringent procedure in place for reviewing all transactions, which includes performing reviews and simulations before execution.

Multisig Settings

Multisig threshold is 3/6.

Signers

  • 2 persons coming from Archblock ecosystem
  • 2 persons connected to Wallfacer
  • 2 long-time community members.

Background

After last week’s Tornado Cash governance attack 2 it seems increasingly important to protect the DAO from a similar scenario. To safeguard TrueFi DAO we propose setting the CANCELLER address in our Governor to 0x8c8FcA3812c4272756120E207D3ED496A73Bc528. The CANCELLER role is already implemented in our Governance as a result of TrueFi using OpenZeppeling’s governance contracts, but it has not previously been set.

What CANCELLER can do:

  • In case there is a proposal that is faulty or adversarial - canceller can execute a transaction that would render the proposal ineffective.

What CANCELLER can’t do:

  • Canceller can NOT make any decisions or execute any transactions on behalf of the DAO. Its only power is to CANCEL proposals.

There is precedent for something like this at major protocols like Curve that have their Emergency DAO (https://dao.curve.fi/emergencymembers) in the case of malicious behavior.

Risks:

It is worth noting that there are certain scenarios where CANCELLER could actually collude with a black hat hacker to extract value from protocols by delaying “rescue proposals”. As a result, CANCELLER should be treated as a temporary measure until there is more value in the protocol and/or a better solution is found.

Transaction details

We need to call Timelock’s (“0x4f4AC7a7032A14243aEbDa98Ee04a5D7Fe293d07”) grantRole(role, account) function with args: grantRole(“0xfd643c72710c63c0180259aba6b2d05451e3591a24e58b62239378085726f783”, “0x8c8FcA3812c4272756120E207D3ED496A73Bc528”)

5 Likes

This forum post proposal is scheduled to turn into an on-chain vote early next week.

2 Likes

Thanks for this post @kaimi - I agree this is important for security, and that having members from multiple different organizations, as well as individual community members in the TrueFi ecosystem, is important for decentralization.

3 Likes

Proposal to Assign Canceller role to TrueFi DAO Governance has been posted on-chain, voting starts in 2 days

4 Likes

Voting is live.

1 Like