Compound Governance Proposal Guardian

Summary

We propose to seek implementation of the community multisig to be used as a guardian for Compound Governance. The goal of this Proposal Guardian is to act as a last defense against any malicious governance votes in the future. Additionally, we propose a few future changes to the Compound Governor contract to be more robust in the future.

Proposal Guardian

The Proposal Guardian would initially consist of the Community Multi-sig (0xbbf3f1421D886E9b2c5D716B5192aC998af2012c), a 4/8 multi-sig composed of trusted Compound DAO community members (here) which has been functioning as the Pause Guardian for the majority of Compound’s existence. This Proposal Guardian role should only be able to veto a proposal that has passed a majority vote and is awaiting execution. We have established this set of rules for when the Proposal Guardian is able to choose to move forward with a veto:

  1. Users’ funds deposited into the protocol might be infringed or at risk by a proposal passing
  2. If a vote has been controlled by a single entity or a proposal will result in a single entity taking effective control of the DAO
  3. When necessary to coordinate pausing protocol functionality during urgent security emergencies to protect the protocol and user funds.
  4. Serious consideration will be given when a proposal that has received at least 400K “NO” votes still passes.

Update: Based on community feedback, the Proposal Guardian role will automatically expire to ensure that the Community Multi-sig cannot use its veto power to remain in-place indefinitely. The initial expiration period will be set to 6 months and require another governance proposal to renew. The additional changes are currently underway and will be ready to share and include in the on-chain proposal and forum post by this Friday.

Technical Implementation

@Arr00 has completed technical work and OpenZeppelin has reviewed the changes to implement the Guardian changes in PR16. It introduces a new proposalGuardian role that can call the cancel function on any proposal and a _setProposalGuardian function to set the role. The PR also includes simulation tests to ensure the changes work as expected on-chain.

Please note that the compound-governance repo being used as the base for this upgrade was previously audited by OpenZeppelin as a new source for Compound governance with dedicated testing and coverage. It also introduces the ability to vote with reason and propose by signature.

Timeline

Given the nature and sensitivity of this proposal, we will be moving forward in an accelerated timeline. The proposal will be discussed on the Community Call this week on Aug 7th and shared privately with all major identified delegates to collect final feedback. The proposal will then be published on the forums and submitted on-chain Friday, Aug 9th so that voting can begin early next week.

Future

A full “Constitution” regarding when to get involved in veto votes will be drafted in the near future. Coupled with a concurrent new delegate race to get more Compound delegated and active in governance to trusted members of the DAO, this should set a new foundation for a more secure and active Compound governance!

Additionally, we propose exploring additional changes to Compound Governance to improve security and coordination in the future:

  • Upgrade Compound Governor Bravo to use OpenZeppelin Governor that has more gas efficiency, security features and optional extensions. There is already a CGP grant by ScopeLift working on delivering this.
  • Late Quorum Voting Period: If last-minute votes change the outcome of a vote, additional time will be added to the voting period to allow more delegates to review and finalize decisions. A Late Quorum Prevention extension is already available in OpenZeppelin Governor.
  • Adaptable Voting Quorum: Quorum can increase based on the amount of delegated COMP once a proposal shifts from “review → voting”. If not technically feasible to automate on-chain, this could also be achieved by regularly adjusting the quorum threshold based on the current number of delegated COMP.
  • Delegation Rights for COMP Staking Product: Ensure that the Compound Staking Product proposed by the Compound Growth Program preserves delegation rights and helps to further align COMP token holder incentives with responsible governance participation. This is already referenced as a requirement in the recent Staked COMP Design forum post.

As crazy as it sounds I am wondering if there should be a Guardian for the Guardian that can eliminate the Guardian in the first 3 months after launch if a bug occurs/pops up.

Compound Governance Proposal Guardian Audit

OpenZeppelin, in its role as Security Partner to the Compound DAO, audited the changes to include a Proposal Guardian into the Governance contracts proposed by @PGov and developed by @arr00.

Summary:

Aug 7th - Aug 9, 2024

Total Issues: 2 (1 resolved)

Notes & Additional Information: 1 (1 resolved)

Scope

We audited the compound-governance repository at commit e3b36ad with a focus on the differences since our last audit.

After the initial report, we were asked to also audit the updates to the repository at commit 84dff8d, introducing expiration for the proposalGuardian.

In scope were the following files:

contracts
├── GovernorBravoDelegate.sol
└── GovernorBravoInterfaces.sol

System Overview

Compound Governance is the main protocol used by holders and delegates of COMP to govern Compound II and III. It gives them the power to propose, vote, and implement changes to both active Compound protocols. The governance system has control over several systems across the protocol such as each proxy, the Configurator, Comet factory, and Comet.

When a proposal to update any system parameters succeeds, the Timelock will call all of the relevant methods on the Configurator contract. For Compound III this process is followed by invoking the deployAndUpgradeTo method on the CometProxyAdmin contract, which then points to the new implementation upon execution.

In this audit, we focused on the new role of the proposalGuardian and the modifications made to the logic of the cancel function. The holder of this role will be allowed to cancel any proposal as if they were the proposer themselves. Apart from this update, no other significant alterations were made to the cancel function that would impact its execution.

In the second part of the audit, our focus remained on the proposalGuardian role, specifically examining the new logic introduced in the _setProposalGuardian function. This modification allows the guardian’s role to have an expiration, enabling a time-limited tenure for this position.

Security Model and Trust Assumptions

The addition of a proposalGuardian with the power to cancel any proposal that has not yet been executed introduces important security considerations and trust assumptions that must be addressed to maintain the integrity of Compound’s governance. To prevent misuse of this veto power and ensure the robustness of the protocol, the proposalGuardian must be a trusted entity without centralized control.

It is assumed that the proposalGuardian will be a reputable and accountable entity managed by a multisig of trusted community members, to distribute veto power and reduce the risk of malicious actions, such as canceling proposals beneficial to Compound, not vetoing dangerous proposals for the protocol, or vetoing proposals to change the proposalGuardian. Ensuring the proposalGuardian is correctly configured during deployment, regularly monitored, and assigned a strict expiration is crucial for maintaining its effectiveness.

Active community engagement and oversight are essential to ensure that the proposalGuardian aligns with the DAO’s goals and acts in the community’s best interests. This engagement allows the community to flag any misuse of power, enabling the DAO to propose replacing the proposalGuardian if necessary. It is worth noting that proposals to transfer the role to another account, while the current role is still active, can be vetoed by the current proposalGuardian.

Low Severity

_setProposalGuardian Should Limit the Expiry

Currently, _setProposalGuardian has no restrictions on how long a proposalGuardian can hold their role. If the proposalGuardian were ever compromised and could hold the role for the next 2 years, it would be able to veto all proposals until those 2 years are up. Although _setProposalGuardian is called by governance and set to a trusted multisig, we believe it would be more secure to validate that the expiry is within reasonable limits, including that the expiration is in the future.

Consider adding a restriction to _setProposalGuardian that would check that newProposalGuardian.expiration is in the future and within reasonable limits, for example less than or equal to 6 months.

Update: Acknowledged, not resolved. @cylon stated:

This is a reasonable change, but given the time sensitivity of getting this upgrade completed, I think it's better to proceed without addressing it. The proposal performing this upgrade will be setting the initial timestamp expiry and can be scrutinized by governance to ensure it is no longer than 6 months and is set in the future. This issue can then be addressed in the code itself by the upgrade to OpenZeppelin Governor by the ScopeLift team.

Notes & Additional Information

Incomplete Function Documentation and Comments

The function cancel has been updated to allow cancellation of yet-to-be-executed proposals under the following conditions:

  • the sender is the proposal.proposer
  • the sender is the proposalGuardian
  • the proposal.proposer is not whitelisted and the proposer votes are below the proposalThreshold
  • the proposal.proposer is whitelisted, the proposer votes are below the proposalThreshold and the sender is the whitelistGuardian

However, the function’s notice docstring, as well as the inline comments, are not updated to reflect the introduction of a proposalGuardian.

We recommend the following updates:

  1. notice docstring: Update the notice docstring to state that the function cancels a proposal if the sender is the proposer or the proposalGuardian.
  2. Line 382 Comment: Update the comment on line 382 to highlight that the proposalGuardian can cancel any proposal.
  3. Line 389 Comment: Update the comment on line 389 to explicitly state that only the whitelistGuardian can cancel a proposal by a whitelisted proposer if it falls below the proposal threshold.

Update: Resolved in commit 8340937.

Conclusion

The new addition of the proposal guardian to the Compound Governance contracts is minimally invasive and has been effectively implemented. However, this role carries substantial privileges, notably the ability to cancel proposals, including those that involve transferring the role itself to another account. Caution should be exercised in assigning this role and determining its duration. To bolster the long-term robustness and resilience of the protocol and to safeguard its decentralization, it is crucial to continue exploring more long-term solutions.

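The cancel conditions enumerated in the audit note above, together with the bounded-expiry check the Low Severity finding recommends and the proposalGuardian / _setProposalGuardian roles described in the proposal's Technical Implementation section, sketched in Solidity as an added illustration. This is not the code from PR16 or the compound-governance repository: the ProposalGuardian struct layout, the MAX_GUARDIAN_TENURE constant, the priorVotes mapping standing in for comp.getPriorVotes, and the simplified Proposal struct are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.20;

/// Illustrative sketch (not the Compound PR code) of a time-limited proposal
/// guardian: a setter that bounds the expiry as the audit recommended, and a
/// cancel() that implements the four cancellation conditions from the audit note.
contract ProposalGuardianSketch {
    // Assumed layout: the guardian is an account plus a unix-timestamp expiry.
    struct ProposalGuardian { address account; uint96 expiration; }
    ProposalGuardian public proposalGuardian;

    // Assumed upper bound on tenure, matching the 6-month period discussed on the forum.
    uint256 public constant MAX_GUARDIAN_TENURE = 180 days;

    address public admin;             // Timelock in the real system
    address public whitelistGuardian;
    uint256 public proposalThreshold;
    mapping(address => uint256) public whitelistAccountExpirations;

    // Stand-in for comp.getPriorVotes (assumption for the sketch).
    mapping(address => uint256) public priorVotes;

    struct Proposal { address proposer; bool executed; bool canceled; }
    mapping(uint256 => Proposal) public proposals;

    constructor(address whitelistGuardian_, uint256 proposalThreshold_) {
        admin = msg.sender;
        whitelistGuardian = whitelistGuardian_;
        proposalThreshold = proposalThreshold_;
    }

    /// Audit recommendation: expiry must be in the future and within a bounded tenure.
    /// Without these two checks a single governance vote could install a guardian
    /// whose veto power never lapses (or, via a past timestamp, one that never works).
    function _setProposalGuardian(ProposalGuardian memory newGuardian) external {
        require(msg.sender == admin, "GovernorBravo: admin only");
        require(newGuardian.expiration > block.timestamp, "GovernorBravo: expiry in the past");
        require(newGuardian.expiration <= block.timestamp + MAX_GUARDIAN_TENURE, "GovernorBravo: expiry too far out");
        proposalGuardian = newGuardian;
    }

    function _setWhitelistAccountExpiration(address account, uint256 expiration) external {
        require(msg.sender == admin, "GovernorBravo: admin only");
        whitelistAccountExpirations[account] = expiration;
    }

    /// The guardian is only honoured while its tenure has not expired.
    function isProposalGuardian(address who) public view returns (bool) {
        return who == proposalGuardian.account && block.timestamp <= proposalGuardian.expiration;
    }

    function isWhitelisted(address who) public view returns (bool) {
        return whitelistAccountExpirations[who] > block.timestamp;
    }

    function propose(uint256 id) external {
        proposals[id] = Proposal({ proposer: msg.sender, executed: false, canceled: false });
    }

    /// Cancels a proposal that has not yet been executed if:
    ///   1. the sender is the proposer, or
    ///   2. the sender is the (unexpired) proposalGuardian, or
    ///   3. the proposer is not whitelisted and their votes are below proposalThreshold, or
    ///   4. the proposer is whitelisted, their votes are below proposalThreshold,
    ///      and the sender is the whitelistGuardian.
    function cancel(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "GovernorBravo::cancel: cannot cancel executed proposal");

        if (msg.sender != p.proposer && !isProposalGuardian(msg.sender)) {
            // Neither proposer nor guardian: fall back to the threshold rules.
            require(priorVotes[p.proposer] < proposalThreshold, "GovernorBravo::cancel: proposer above threshold");
            if (isWhitelisted(p.proposer)) {
                // Only the whitelistGuardian may cancel a whitelisted proposer's proposal.
                require(msg.sender == whitelistGuardian, "GovernorBravo::cancel: whitelisted proposer");
            }
        }
        p.canceled = true;
    }
}
```

Note that the expired-guardian case is handled by isProposalGuardian returning false, so a stale guardian address falls through to the ordinary threshold rules rather than being rejected outright; that is the behaviour the "automatically expire" update in the proposal describes, and the reason the audit wants the expiry validated at the time it is set.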

I greatly appreciate the work done to put this together, and that the community feedback on expiration was heard and incorporated.

I believe the explicit goal should be to get the DAO to a place where the Veto Guardian is not needed by the time it would be renewed. Note that the presence of a Guardian is likely to suppress community participation, as delegates view voting as lower stakes because “the guardian can always cancel it.”

A few other pieces of scattered feedback:

This is ambiguous and way too “soft” of a criteria. A controversial proposal that passes but also receives 400K “NO” votes should not be canceled. This provision leaves that possibility open. Whether or not a proposal should be canceled using this emergency power ought to be as rigidly defined as possible. I know there are efforts to put this together, but it’s concerning we’re handing over the power before those efforts are complete.

This may sound a bit paranoid but I’m curious if we have any information about what legal jurisdictions the various multisig signers are subject to? Two of them are companies that are (I believe) domiciled in the US and a third works for one. We can’t discount the idea that regulations will change such that signers would be liable for anything they didn’t veto. It would be good if there was jurisdictional diversity on the multisig.

@cylon can I confirm that this update is going to be carried out via a proxy upgrade to the existing Governor?

Hi @bendi - For your awareness and everyone else, the proposal is already up and close to passing with over 1.2M votes in support. I’d like to respond to your concerns here though.

I believe the explicit goal should be to get the DAO to a place where the Veto Guardian is not needed by the time it would be renewed. Note that the presence of a Guardian is likely to suppress community participation, as delegates view voting as lower stakes because “the guardian can always cancel it.”

I agree. This 6 month timeframe should be used to upgrade the Governor contracts with more security features and increase governance participation with Delegate Races. While I wouldn’t rule out extending the Guardian role after 6 months depending on the situation, I do think the goal should be not needing it.

This is ambiguous and way too “soft” of a criteria. A controversial proposal that passes but also receives 400K “NO” votes should not be canceled.

I understand the concern, but the idea here is to address cases like Proposal 289, where the community was clearly against the proposal but underhanded tactics were used to pass it at the last minute. Ultimately, the intent of this requirement is to allow at least some discretion to the Proposal Guardian to veto proposals in unforeseen cases where there is significant community pushback but it isn't fully exercised in the vote itself.

Historically, only 8 proposals out of 304 have ever received over 400K No votes and 3 of those were from Humpy’s proposals. This means the bar for the veto power to possibly be exercised through discretion is fairly high in practice and unlikely to be used. I think there’s also a case to remove this clause once the OpenZeppelin Governor upgrade is completed with Late Quorum Protection in place, should the Proposal Guardian role be renewed at all.

This may sound a bit paranoid but I’m curious if we have any information about what legal jurisdictions the various multi-sig signers are subject to?

This information is not public for all signers as some prefer to remain pseudo-anonymous but I can confirm that some signers on the multi-sig are located outside the USA.

@cylon can I confirm that this update is going to be carried out via a proxy upgrade to the existing Governor?

Yes, that’s the structure of the proposal being voted on now and should be executed two days after the vote concludes. OpenZeppelin has reviewed the on-chain proposal and confirmed it matches expectations set in the audit.


Thanks for the detailed response @cylon.

I believe I’m correct in saying the aforementioned proposal was put directly onchain without following the standard, and required, offchain process first, correct? Failing to follow the proper offchain procedures seems like an easy, objective criteria which should qualify a proposal for being vetoed.

Discretion on behalf of the Proposal Guardian is exactly what I think we ought to avoid, both for principled reasons and for legal reasons. I'm not a lawyer, but my understanding is that the greater the discretion involved in the role, the greater the risk of liability.