[GIP-17] Multisig Reshuffle & Pausable Admin

UPDATE 29.08: changed suggestions on rotating in-and-out based on the latest applications.


This proposal is aimed at (1) rotating some multisig signers and (2) setting up an unpause role.

Going through the latest Notion report, you can notice that some signers are basically MIA. That is natural to expect given that multisigs were set up almost a year ago: some people have quit the industry or gone offline more. Regardless of the reasons, it’s not efficient and can at some point affect safety in times when asap multisig quorum is required. Current policies are in docs.

You can check this yourself:

Part 1: Rotating Signers

Technical Multisig

See at the bottom of this page how active or inactive a certain signer has been. It becomes logical that signer 0x1D35DFE2c3B9A0D9f200Ee70a62D73da832606CD has to be rotated out.

Currently, the multisig is 6/9. I would propose a motion to add two new tech-knowledgeable signers and turn the technical multisig into 6/10. That still keeps the multisig extremely conservative, but improves the response time in critical situations. Volunteering members have so far been:

As such, suggesting to add:

If there are other experienced volunteering DAO members, this list should be updated.

Financial Multisig

The same logic goes for the financial multisig too. It is currently 5/7 but can be upgraded to 5/9 as it would still keep the signer count significantly high yet improve the response time.

Rotating in:

  • 0xf3D476566BCC8E882A3910F1471428522449d89E (myself)
  • 0x6D526f6b4C86FBdc8e359e6bef4Cd6a42aceA2d7 (amantay)

If there are other experienced volunteering DAO members, this list should be updated. The application of bananacrypto seems good too, and I would suggest to add them next time. That is, because financial multisig had so little activity so far - it would be unfair to rotate out inactive members just yet. Once the rotation happens, the other eligible volunteers can step in instead of those rotated out.

Part 2: Unpause Role Separation

As discussed in GIP-16, there are multiple approaches to security both before a protocol goes live (audits pre-deployment of anything new) and post-deployment (bug bounties, bot system, etc). To further increase security, the PAUSE function, as executed in times when Immunefi bounties were confirmed, allowed the protocol (or some specific pools / Credit Managers / assets) to be paused immediately upon an issue discovery. This role has so far been in the hands of two addresses run by those who have the knowledge of the system / have monitoring bots:

  • 0xD5C96E5c1E1C84dFD293473fC195BbE7FC8E4840

  • 0x65b384cecb12527da51d52f15b4140ed7fad7308

Having this PAUSE be under EOA control is not a centralization issue as it doesn’t actually grant any other rights to these members. It only just pauses a system if there is an issue detected.

However, when pausing, unintended consequences - such as untimely liquidations - can occur. In that case, nobody (be it a hacker, a developer, or whoever else) can actually benefit, but it could result in bad debt in the pools in case Credit Accounts’ assets went below HF 1. As such, timely unpauses after resolving an issue are crucial. And, so far, with 6/9 or even 6/10, they still take over half a day, which is not acceptable. But still, it’s a security-sensitive move (to unpause a system) so it can’t be given to an EOA. So Part 2 aims at requesting the DAO’s approval for:

  1. Separate the unpause functions into a new multisig

  2. The new multisig for unpause will be 3/10

  3. Same signers from the updated technical multisig will be here, no changes to the list.


Maybe we don’t need to rotate the financial multisig out at all (given there were only a couple of transactions, so past activity doesn’t say much) - and instead just add 2 more members and keep it at 5/9 for now? And after a few weeks, rotate out 1 or 2 inactive members (as there will be enough data by then) to turn it into 5/8. Wdyt?

Agree. But I’d do it in one voting - let’s add criteria to out 1 most inactive wallet at 01.11.2022 (financial multisig)

Re pausable feature: agree to add it now, but later let’s suggest a solution/feature to mitigate risks of bad debt while contracts are paused. @Van0k @mikael wdyt?

All the proposed candidates are chads. You have my support on this proposal.

There’s also my application btw 🙂

Happy to jump in if more multisigners are required in the future


@nikitakle & others:

  • what about removing 2 from financial multisig instead of 1
  • and then adding @amantay instead to keep it 5/8 basically?

Yes, I just didn’t notice @amantay’s application. I hurried a little. Let’s do it, I like this idea.


UPDATE 29.08: changed suggestions on rotating in-and-out based on the latest applications.

What about @amantay? Seems he had interest in joining Fin Multisig

PS. I’d prefer to add at least 2 signers - now execution takes ~24h, which seems too long…

All the proposed candidates are chads. You have my support on this proposal.

There’s also my application btw 🙂
Happy to jump in if more multisigners are required in the future!

@amantay Could you send your addy?


Here you go ser
0x6D526f6b4C86FBdc8e359e6bef4Cd6a42aceA2d7

Voting is completed. The DAO voted for both parts. ✅
https://snapshot.org/#/gearbox.eth/proposal/0xae71a18a91fd9d6bf8a77b7c01e70246f97901280b5758c72b2ca88621a6a989