OpenZeppelin, in its role as Security Partner to the Compound DAO, reviewed the proposal to use Franchiser contracts to delegate voting power.
Summary
Timeline: From 2024-08-13 To 2024-08-15
Total Issues: 2 (1 resolved)
Notes & Additional Information: 2 (1 resolved)
Scope
OpenZeppelin reviewed pull request #897 of the compound-finance/comet repository at commit a27e954. This pull request submits a governance proposal that delegates voting power to specific third parties via the FranchiserFactory contract.
In scope was the governance proposal created by the simulated Enact Workflow using the migration files:
.github/workflows/enact-migration.yaml
deployments/mainnet/usdc/migrations/1722358576_launch_franchaisers.ts
System Overview
The Compound Governance Support Working Group (GSWG) aims to delegate voting power to selected accounts using the FranchiserFactory contract, which creates Franchiser contracts. These contracts are responsible for delegating voting power to third parties, while FranchiserFactory retains the ability to recall the delegations at any time. The Franchiser contracts have already been audited by OpenZeppelin.
The focus of this review was pull request #897, which covers the deployed dependencies, the official migration that generates the governance proposal, and the security concerns that may arise during the execution of the proposal. Specifically, we checked:
- that the correct contracts were deployed on-chain.
- that the simulation workflow created the same proposal as the deployment workflow.
- that the proposal dependencies were verified as deployed with correct configurations.
- that proposal instructions were decoded and verified as complete.
- that proposal instructions were simulated and executed successfully without errors.
Security Model and Trust Assumptions
Before the proposal to delegate voting power to the specified addresses via Franchiser contract instances is enacted, it is assumed that the contracts and implementations referenced by the proposal will not be upgraded or changed. It is also assumed that any other changes to the Comet ecosystem at large (e.g., other governance proposals) between this audit and the execution of this proposal will not affect its outcome. Furthermore, it is assumed that the third parties to which the voting power is delegated are trustworthy and will act in the best interest of the community.
Notes & Additional Information
Pre-Audit Version of FranchiserFactory Is Being Used
The FranchiserFactory contract has undergone an audit by OpenZeppelin, and the fix for the Maximum Subdelegatees issue was implemented in commit 101d01d. However, the FranchiserFactory instance used by this proposal predates that fix and still has INITIAL_MAXIMUM_SUBDELEGATEES set to 8 instead of 1.
Consider deploying a new instance of FranchiserFactory with the correct value for INITIAL_MAXIMUM_SUBDELEGATEES.
Update: Resolved in commit 205ca67.
Cautionary Limitations for Delegated Voting Tokens
Through delegation, the Franchiser contracts assign voting power to specific addresses, which can then use it on proposals. Although the timelock can recall the tokens when needed, a recall requires a proposal to be submitted and approved, which under normal circumstances involves a vote. If the delegated votes accumulate to a level where they could vote against the recall proposal, the delegatees could obstruct the recall. This risk is mitigated by the fact that the delegatees are generally trusted by the system.
To minimize this risk, consider keeping the amount of votes delegated through Franchiser contracts below a threshold at which they could block a recall. In addition, the protocol could establish an expiration period for delegations, so that delegated power lapses unless renewed and delegatees have an incentive to maintain appropriate behavior during that time.
Update: Acknowledged, not resolved.
Conclusion
After reviewing the migration script, we verified that it accurately generates the proposal, and the simulations confirm that the proposal executes correctly. Given that the addresses in the proposal are deemed worthy of the voting power assigned to them, the proposal is expected to run correctly, with the timelock retaining the ability to recall those votes via a new proposal. We recommend that voters carefully review the delegated accounts.