[Bitocracy 3.0] SIP-0047: Changing of the Guardians

You can find below a link to SIP-0047: Changing of the Guardians:

https://github.com/DistributedCollective/SIPS/blob/main/SIP-0047.md

Happy to answer any questions or take feedback here.

2 Likes

It isn’t clear who or which entities are the individual signers of each multi-sig. Is this intentionally redacted?

It states “We further propose updating the membership set of the Exchequer Multisig and renaming this multisig the Bitocracy Guardian”. So, Exchequer members are the signers for Bitocracy Guardian. But what about for Contracts Guardian, who are the signers on that one and how will those be chosen?

I added a section to the OP above about this

1 Like

Is the 3-9 and 3-12 multisig for a guardian role some kind of standard in Defi protocols?

I understand that the Guardians are an “improvement” over the current Exchequer Multisig but was there a wider discussion around the topic of a Guardian veto? Is there a need for a discussuin around this topic?
As I recall when the staking contract was paused recently some people expressed concern. Naturally I want the protocol to be secure but giving this veto power to 3 people/address “feels” weird.

Are the guardians a permanent feature of the Sovryn protocol or will they be unnecessary at some point?

In the examples of harmful proposals section, how can a proposal transfer ownership or do any such harm before the bitocracy has even voted on it?

In the non-harmful section, perhaps I misunderstood, but would that also mean that IF 3-of-9 people who hold veto get compromised that they CAN implement KYC or any of the other things mentioned against the will of bitocracy?

Is “BEST Effort” the best that Sovryn stakers can expect? Is there an explanation for this concept somewhere that can help me understand this? Because when I read that paragraph it makes me think that these multisig will have the power but no responsibility, you are on your own. Again maybe I misunderstood.

There is no standard for this. But having a multisig with the power to either veto onchain proposals or have the exclusive right to enact them is not uncommon.

The Guardian has been in place since the beginning of the project. There may have been some private discussion among the founders about it but I don’t think it was ever explicitly discussed at length in public and with the wider community. The Guardian has been take as a given.

If you can link to those concerns I’d be interested to document them here. Note that this veto power is already held by three people (Exchequer Multisig is a 3-of-5 multisig).

We originally intended to implement the ability for Bitocracy to override a veto, if the proposal has overwhelming support (supermajority quorum, supermajority support). But given the issues with the Staking contract recently (which could have screwed us over had we implemented this override functionality) we decided to put this off and revisit in 5 months.

Proposals can only be vetoed after they have been approved, during the timelock period before they are executed. I noticed looking at this section that the language could be tightened up, so thanks for drawing my attention to it.

No. Guardian can only veto proposals, not push them through.

You read that correctly. It basically means that the Guardian signers shouldn’t be expected to catch every malicious proposal. They are only human, and the complexities of life could get in the way of them fulfilling their role.

Read the blog post on Sovryn.com for the Bitocarcy 3.0 overview:
Timeline for launching Bitocracy 3.0 | Sovryn

1 Like

do you think we can remove those admin keys in the future?
how many signers are US-based?
It seems to me it will be pretty easy for US agencies to force three persons into pausing any contracts.
why not 6-12 multisig?

Will Contract Guardian’s signers be the same as Bitocracy Guardian? if yes, what is the point of this SIP?

No, as SIP-0047 says:

Each Guardian multisig will have different signer sets to account for the different responsibilities and skills required of each multisig.

BTW since your comment, the SIP has been finalized with the proposed signers’ names and addresses. Which brings me to…

how many signers are US-based?
It seems to me it will be pretty easy for US agencies to force three persons into pausing any contracts.

I won’t dox anyone’s location, so I can only say that multisig members have been selected for jurisdictional and geographic diversity to minimize risk of meatspace disputes and natural disasters. Additionally, Bitocracy can directly replace the Guardian multisigs, and in some cases directly override a pause/freeze. So personally I feel at ease about this.

why not 6-12 multisig?

need to balance low overhead with high security. if too many signers are needed, but not online when needed to sign, the “security” of more signatures actually becomes a vulnerability by slowing down the response time. 3 felt like a reasonable balance given what is at stake.

do you think we can remove those admin keys in the future?

Per SIP-0046 Bitocracy will have the power to do this if it wants to.

2 Likes

I looked into the new ContractsGuardian(0xDd8e07A57560AdA0A2D84a96c457a5e6DDD488b7) based on the #514 pull request.

the safe was configured with following owners
[
“0xb250bbd75ff50ca9a1f61a62c9909af1ae62058d”,
“0xf45d7106172c59e9464d3b714b758a9a3e559bd2”,
“0xea7cdaf4a2923c5fd85e50c7c749af837528d8b3”,
“0x27ae0fb7c59b75741e4bfec9f384ed12fb1346b7”,
“0x03030769f584978e47bb29e80ddd88cb88493d6b”,
“0xd24a9c55297995d64b94d2b00e67bf47946569f1”,
“0x13be55487d37fe3c66ee7305e1e9c1ac85de75ae”,
“0x061b959d69041fafc58de20938ba707f5c408b47”,
“0x915bbae90e860ff3248ee8dfb3cdf9cd3a225d16”,
“0x20817ccc5b55047a20a66e8bb838021a4c970191”
]
the difference is 0xb250bbd75ff50ca9a1f61a62c9909af1ae62058d when comparing with the SIP-47 on the github. So Victor Creed address (0x333d33dc1bb6ea2d0c095fc81095eb40d5b62ef1) is not on the list.

I also noticed that BitocracyGuardian(0x924f5Ad34698fD20C90fe5d5a8A0ABD3b42dC711) has different set of owners. I guess you guys will update it after SIP get approved.

Will signers sign a message to prove account ownership and publish it to twitter or github?

1 Like

there was some last minute housekeeping on the contracts guardian multisig, all addresses onchain should match the SIP

yes, until then, the current Exchequer Multisig signers will remain until after the SIP, then the old signers will rotate out and new signers will rotate in. As it says in the SIP:

We further propose updating the membership set of the Exchequer Multisig and renaming this multisig the Bitocracy Guardian… The reason for keeping the existing Gnosis Multisig-based multisig as Bitocracy Guardian is that changing the Bitocracy Guardian would require replacing the Governor contract with a new Governor contract, which in turn will require additional backend and frontend work to preserve the voting history in the Voting app. We decided to forgo these changes for now in favor of a simpler approach that would require much less work… The Exchequer Multisig will be renamed to the Bitocracy Guardian Multisig, and its membership updated according to the table above… A new Exchequer Multisig will be created to replace the previous Exchequer Multisig, the latter of which has been repurposed as the Bitocracy Guardian Multisig.