| SIP | Title | Author | Status | Track | Created |
|---|---|---|---|---|---|
0047 |
Changing of the Guardians |
John Light (@john-light), Ororo (@ororopickpocket) |
Ready for vote |
Contract |
2022-04-21 |
If approved, this proposal will signal approval for a changing of the Guardians:
- The role of Bitocracy Guardian, which has the power to veto any proposal that is approved by Bitocracy, will be held by a 3-of-7 multisig.
- The role of Contracts Guardian, which has the power to pause or freeze certain functions or entire smart contracts, will be held by a 3-of-10 multisig.
A transaction will also be executed to transfer the staking contract Guardian role from the Exchequer Multisig to the new Contracts Guardian.
The proposed signer sets for the new Guardian multisigs are as follows:
| Guardian | Signer | Rootstock address |
|---|---|---|
| Bitocracy Guardian (3-of-7) | 0x924f5ad34698Fd20c90Fe5D5A8A0abd3b42dc711 |
|
| CEK | 0xcde0339c583e9287de8d38c5647bd60e08d4be21 |
|
| Jamie Madrox | 0x3803b0e615FE3529e957D351F06812cCe5566727 |
|
| devtective | 0xec29d78cec3405065453660eb5e150e1e24fbb84 |
|
| French Victory | 0x448Dcec92EB4186d6A2E86D11C3dD5F0f3B4C50f |
|
| Armando | 0x10380E8E2AfD85E3C30AD5FFa5a0Af1ccbBf6952 |
|
| Betsy Braddock | 0xeb7abd5e72b820e0a330699d99bf5c0df76e794d |
|
| onedigit | 0x29EbE382F522E3CDb5Bb64873E5BC0E21dA1f9d2 |
|
| Contracts Guardian (3-of-10) | 0xDd8e07A57560AdA0A2D84a96c457a5e6DDD488b7 |
|
| Victor Creed | 0x333d33dc1bb6ea2d0c095fc81095eb40d5b62ef1 |
|
| Bruce Banner | 0xf45d7106172c59e9464d3b714b758a9a3e559bd2 |
|
| aZ! | 0xeA7CdAF4a2923c5FD85e50c7C749AF837528d8B3 |
|
| Tyrone Johnson | 0x27ae0fB7C59B75741e4bfEC9F384ED12fB1346B7 |
|
| Ororo Storm | 0x03030769F584978e47bb29e80dDD88CB88493d6b |
|
| Rainer | 0xd24a9c55297995d64b94D2b00e67bF47946569f1 |
|
| cowsant | 0x13Be55487D37FE3C66EE7305e1e9C1ac85de75Ae |
|
| Ingamar Ramirez | 0x061b959D69041fAFC58dE20938Ba707f5c408B47 |
|
| Geoffrey Kapooner | 0x915BbAE90E860fF3248Ee8dFB3cdf9CD3A225D16 |
|
| Betsy Braddock | 0xeb7abd5e72b820e0a330699d99bf5c0df76e794d |
To ensure the effectiveness of these Guardian roles, processes will be put in place by the Guardian members and full-time Sovryn contributors to ensure close coordination and rapid incident response actions and communications.
Additionally, if approved, this proposal will signal approval for the adoption of a new Exchequer Multisig, due to the repurposing of the current Exchequer Multisig as described in the Motivation section below.
| Multisig | Rootstock address |
|---|---|
| Exchequer Multisig (3-of-7) | 0x9737a5387768353D8C86849c63a46F492e7042CB |
0xEAbB83A1CeFc5f50c83BC4252C618D3294152A86 |
|
0x832E1BD30D037d0327F2a0447Ed44fB952a9a043 |
|
0xdFd4Da0e0e656AF349e192B954bAaef0fC1ebA62 |
|
0xfEE171a152c02f336021FB9E79B4fAC2304a9E7e |
|
0x13bE55487D37fE3c66ee7305E1E9c1aC85DE75aE |
|
0xD7d9a7dE795cd55F70Bf1E49b8d51d5D3478097c |
|
0x9e0816a71b53cA67201a5088dF960fE90910de55 |
Currently the Bitocracy and Contracts Guardian roles are both filled by the Exchequer Multisig, using the original Gnosis Multisig contracts. We propose assigning the Contracts Guardian role to a new multisig created using Gnosis Safe. We further propose updating the membership set of the Exchequer Multisig and renaming this multisig the Bitocracy Guardian. Each Guardian multisig will have different signer sets to account for the different responsibilities and skills required of each multisig.
The reason for keeping the existing Gnosis Multisig-based multisig as Bitocracy Guardian is that changing the Bitocracy Guardian would require replacing the Governor contract with a new Governor contract, which in turn will require additional backend and frontend work to preserve the voting history in the Voting app. We decided to forgo these changes for now in favor of a simpler approach that would require much less work.
- The Exchequer Multisig will be renamed to the Bitocracy Guardian Multisig, and its membership updated according to the table above.
- The Contracts Guardian role will be transferred from the Exchequer Multisig to the Contracts Guardian Multisig.
- A new Exchequer Multisig will be created to replace the previous Exchequer Multisig, the latter of which has been repurposed as the Bitocracy Guardian Multisig.
The Bitocracy Guardian will have the role of vetoing any potentially "harmful" proposals that are approved by Bitocracy. For the purposes of this SIP, a "harmful" proposal is one that the Guardian signers determine would have a high likelihood of leading to either a) an unfair loss of funds owned by Sovryn users or stakers, or b) a loss of Treasury funds due to an exploited vulnerability in the staking contract. For illustration purposes, below are some examples of proposals that either would or would not be likely to be considered "harmful".
Examples of "harmful" proposals:
- A proposal that transfers ownership of Sovryn smart contracts to an address that the Guardian signers do not trust.
- A proposal that upgrades a Sovryn contract to contain a backdoor that would allow an attacker to drain user funds.
- A proposal that changes the interest rate curve of the lending pool in such a way that interest rates would immediately increase by >100%.
- A proposal that has been passed because someone exploited a vulnerability in the staking contract that gave them an overwhelmingly large amount of voting power.
- A proposal that makes the voting period and/or time lock period shorter than 24 hours.
- A proposal that adds an illiquid asset as collateral for borrowing.
Examples of proposals that would be controversial but nonetheless not be considered "harmful" for the purposes of this SIP:
- A proposal that sends Treasury funds to a project that no one has ever heard of with founders no one recognizes.
- A proposal that upgrades Sovryn contracts to only allow users with a KYC token to use the protocol.
- A proposal proclaiming that Sovryn should migrate all its smart contracts and liquidity to an altcoin blockchain.
The Contracts Guardian will have the role of either pausing or freezing any Sovryn contract or contract function that can be paused or frozen and is found to have a vulnerability that could be exploited and cause harm to Sovryn users. SOV stakers will have the ability to replace the Contracts Guardian if desired or needed.
The new Exchequer Multisig will continue to serve the same role as the previous Exchequer Multisig, as documented in SIP-0007 and SIP-0015.
DistributedCollective/Sovryn-smart-contracts#514
Guardian signers will fulfill their duties on a BEST EFFORT basis. This means that while they will make their best effort to fulfill their role as described in this SIP, Guardian signers have NO OBLIGATION and Sovryn users should have NO EXPECTATION that Guardian signers will take ANY ACTION WHATSOEVER, AT ANY TIME, UNDER ANY CIRCUMSTANCES. As holders of their own private keys, Sovryn users accept that they themselves, and they alone, are ultimately responsible for the safety and security of their funds.
Copyright and related rights waived via CC0.