SIP-0042: Staking Security Update
Good morning, afternoon and evening fellow Sovryns. With this post, I introduce SIP-0042: Staking Security Update. This SIP does what it says on the tin, it improves the security of the Staking contract. You can read the SIP on the main Sovryn GitHub, or read the full text in this post below.
I would like to welcome every Sovryn Individual, especially SOV Stakers, to review this proposal and give feedback (for, against, or otherwise) in this forum thread. Given the nature of this proposal and its security-focused outcome, I would encourage this go to vote sooner rather than later, but not until there is a strong consensus toward that action. So please, read and provide any and all feedback below!
If approved, this proposal will:
- Replace the current staking contract with a new staking contract, with the only changes being targeted fixes of the issues described below.
- Add the Exchequer Multisig as a pauser to the Staking contract, with the ability to set the contract on pause or freeze in case of emergency.
Improve security of the Staking contract
While going through our smart contracts to verify all their owners and their privileges, we noticed something missing from our most important contract Staking.sol. It is the heart and soul of our governance part of the protocol and we currently have no means to pause it in case of an emergency or unlikely breach. It means that we may find ourselves in a position where we notice a hack or maybe even could prevent that hack but we would not have the means to stop the exploits.
This is why we are introducing a Pause functionality.
It might seem counterintuitive at first, since we want Staking to be unstoppable, obviously, but there is a distinction to make between long term and short term safety, and a tradeoff to make between security and immutability.
By adding a pause function controlled by a multisig, we will have a way to mitigate circumstances that may cause a loss to the protocol or its stakers, whether they are caused by a bug in our protocol or by a new ecosystem element (think about when flashloans first appeared in DeFi).
Bitocracy governance will retain full control of the pauser address to ensure that even if the multisig owners collude for or are coerced into abusing their power to pause the Staking contract, governance can override it by switching the pauser rights to another address. The same safeguard applies in the case the multisig is unable to unpause the contract, which could theoretically happen, excluding voluntary collusion, such as too many signers being kept away from their keys, e.g. by being taken into custody, or hospitalized in a pandemic or war scenario.
The proposed solution includes logical steps to make these rare events of pausing less restrictive and less inconvenient to our users. In many cases, we can still allow users to unstake during the pause, while we lock the rest of the contract until we prepare and deploy a fix. This is how the Pause functionality is designed, so that we do not lock users’ funds into the system for the duration of the pause.
To cover the cases where the detected bug could be exploited through unstaking, we also included a Freeze functionality in the implementation for this SIP, which locks the contract up completely, including unstaking.
- Existing Staking Logic contract: 0x4BaBb34189a9CDa8213D24DD3984058Fb8A955D2
- The new Staking Logic contract: ``
- Proposed changes: DistributedCollective/Sovryn-smart-contracts#423