Brain dump for ways to increase governance behavior

Foreword

However, I personally don’t feel like the governance structures at Rocket Pool are yet strong enough to support on-chain governance. i think we have some rather low hanging fruit to try and optimize first as a DAO.

This was the conclusion of the post I had drafted when the team asked for input on on-chain voting. I never finished the post, and Houston was already heading towards audits, so it’s been sitting in my drafts for a long time. But I think the major points still stand.

The Problem
The security of pDAO on-chain governance (therefor the protocol) is linearly related to the number and sublinearly related to size of initialized honest voters. However, our actual turnout stays near 20% even accounting for a large level of delegated RPL stake. Due to the exponentially rising cost of attack as honest voter strength rises (due to both shallow liquidity and direct operative costs), we can increase our security by 2x or 4x by just improving voter turnout.

While it has been argued that Rocket Pool already has high turnout relative to most, or even all, other protocols, we are uniquely situated in several ways that lead me to believe we can target a higher participation rate:

  1. Each NO has a minimum of 20k USD (and rising!!) invested in the success of the protocol, and at risk in the event of malicious governance. There is no permissionless protocol that I know of (several elite NFT governance structures non-withstanding) that has such a high barrier, and thus such a strong financial incentive for stakeholders to be involved in governance.
  2. Due to the square root vote power structure, each NO has a much higher relative vote strength than any other protocol, which defeats the “my vote doesn’t matter” argument. For instance, 100 NOs with 100 RPL match the vote of a whale with 1M RPL. In LDO, 10,000 NOs would be needed to match that whale.
  3. The results of RP on-chain governance are much more meaningful for voting that other protocols; parameters are to be directly changed without interpretation or initiation by the Team. While the security council has the ability to interrupt some things, ultimately a malicious pDAO can thwart an honest security council.
  4. The community is much more engaged than other protocols irrespective of points 1-3.

Possible solutions:
So how can we increase voting behavior and thus security of on-chain governance? Here are what I think are some reasonably low hanging fruits. I believe all of them are possible and helpful, but it’s not necessary or even reasonable to enact them all.

I’d like the community’s thoughts on high value and straightforward solutions to improving NO voting behavior, either a few of those listed here or fresh ideas.

1) Increase the number of NOs voting:

a) longer voting periods for non-urgent votes Almost none of our snapshot votes benefited from having a voting timeframe of less than a month, yet we usually choose the minimum length; this will be somewhat exacerbated by the two-step voting of on-chain voting, further cutting into the time that a voter can vote. Preferentially make voting a month, unless there is a overwhelming public benefit in a shorter timeframe.
b) regularize and synchronize voting: for instance, we specify voting always ENDS on the same day, like the day after reward period when NOs are most tuned in. Even the most tuned in have probably come close to missing votes (like when there are two concurrently and a third overlapping vote gets added). For folks not on discord daily, I think it can be confusing.
c) allow NOs <10% to vote: ENACTED.
d) Allow NOs >150% bonded ETH to vote The exact same arguments hold as with the <10% contingent: these are the same voters that we allowed to vote before the price rose, and the ability to vote should not be based on price. Additionally (and this is a huge additionally) you can likely drastically simplify the delegation system for on-chain voting if you don’t need the RPL price oracle.
e) Pay voters Voting (or delegating to a high fidelity voter) is critical for the security of the protocol (almost as much as oDAO duties with on-chain voting), but it is time consuming and effectively provides zero benefit to the individual who does it. With on-chain voting, it will cost real money. It is essentially an act of charity, and anywhere else in crypto this would be seen as a bad incentive structure. At the very very least reimburse gas costs to voters so it doesn’t take both time AND money for no personal benefit. When we start charging to vote, it will definitely skew voting towards those who think they can personally financially benefit by affecting the outcome of voting.

2) Increase the amount and quality of delegation:

a) Payment of delegates, even small payments- increase competition and more engagement with the electorate, as it becomes a “job” to provide and receive good feedback and ultimately help others’ votes count.
b) prevention of the “super-delegate” problem: where a few delegates continue to accumulate vote power until they constitute a majority of vote power. This seems to be correcting itself generally (although problems are apparent with vote splitting in MC elections), but always could be improved.
Options to limit this include:
i: somewhat reverse popularity order for listing of delegates to default to less popular choices
ii: a mechanism that refers NOs to the delegates that voted with the greatest similarity to the NO (ie, asks NOs how they would rule on past votes and links delegates with similar records)
iii: some quadratic approach to delegated votes (eg, above 2% of total vote, the effective vote share falls off slowly, encouraging NOs to seek other delegates)
iv: a public delegate pool [eg, if i delegate to valdorff, 90% goes to him, the remaining 10% gets distributed evenly amongst all delegates, either linearly or according to vote power]
v: have a scoreboard for delegates (for example, including frequency of votes, and how early in the delegation period they vote)

c) Have hierarchy delegation choices (eg, i delegate to my own hot wallet; if i don’t vote dazerdog is my delegate; If he/she doesn’t vote, valdorff is my delegate; if he gets hit by a bus, joe is my delegate and so on). This will be a problem with the current implementation plan- but perhaps a better system would be (delegate1 + delegate2) instead of (node + delegate1) so people can use a more accessible wallet to countermand their delegate. [NB, this was before all the particulars were rolled out, so I’m not sure how this would work currently]
d) make delegation required in smartnode upon node initiation/megapool switch, etc This would make governance a duty expected of NOs
e) require NOs to periodically evaluate their delegation: For example, a hard stop upon certain smartnode upgrades that says something like “you are delegating to haloooloolo.eth, who has 7% of voting power; do you want keep this delegation y/n?”.

3) Improve RPIP mechanisms:

a) Improve the mechanism of draft RPIPs- there need to be more people involved early in the de facto decision making to indicate any true decentralization; by the time a draft is created most of the critical decisions have already been made. This is a big topic, and probably not one amenable to a quick fix.
b) Make RPIPs shorter and simpler; much of the fluff/explanations can be left out or linked for context- those are usually based on current conditions and may not make sense in 6 months or 6 years. Shorter, simpler RPIPs are easier to edit and more simple to addend. In MOST cases, make RPIP text in simple English, because specific implementations may change until the protocol ossifies; putting complex technical specs in the RPIP drastically increases the trust that MOST voters need to put in just a handful of technical interpreters.
c) Increased number of editors, and use of auditors to ensure contract upgrades are not affecting past RPIPs
d) Try to make NOs votes somewhat less public: The secret ballot is so so so important to meatspace democracy. While I think a true secret ballot will be overly complex in this regard, there can be some ground rules for our community about respecting the votes of others. To me, this means not publicizing the votes of individual doxxed members, not pinging NOs to ask them to vote different. Snapshot is terrible in this regard, as it forces you to see which vote is winning before voting, and also shows a preview of the top wallets, so early large vote signalers are often the first and last thing a NO will see, giving undue influence. In meatspace, its rare to get >90% of people to agree on anything, but the Web3 most common vote in web3 is ~99% to ~1% partially because of this influencer problem IN THE VOTING BOOTH.
e) Parliamentarian management committee: Consider a new elected committee that is tasked to deal impartially with interpretation and process for RPIPs. Currently, interpretation and process choices are decided by the people writing the RPIPs, which both introduces conscious/unconscious bias and puts a huge burden on the writers of the RPIP to try to be fair.
e) Increase the number of actual decisions made by the pDAO voting structure, rather than decided by a few people. This includes minimizing omnibus votes (votes with many parts that are yes/no together). By the time they get to a vote, RPIPs are largely a yes/no and most votes carry overwhelming majorities, often having many distinct and relatively unconnected aspects rolled together. People will be more invested when you are polling them on actual substantive questions (see nETH/pETH debate) and when their vote matters.

4) Increase security of the governance process:

a) specific research/project/grant regarding detecting and neutralizing sybil actions: we’ve spilled a lot of ink about it; it probably makes sense to have some formalized deep dive.
b) different vote threshold requirements for different levels of risk as the protocol ossifies: For instance, certain parameter changes or removal of security council members (those intended to be rarely used but pose a risk of attack) could require a higher quorum; major protocol changes could have an even higher necessary threshold than routine signaling by the DAO; very low risk (signaling or MC elections) could be done on snapshot or other L2 trusted option. We are still using snapshot, but haven’t well defined which signaling votes rise to the level of on-chain voting. This requires RPIP-4 to be re-approached.
c) Detect and respond to soft Layer 0 attacks: competitors just need some intelligence and persistence to subtly shift policy through a weak governance system or fomenting discord within the pDAO. This is probably the least expensive and potentially most effective attack vector (ie paying someone 60k USD a year to troll Discord or introduce subtly self-destructive protocol changes).
d) Penalize the vote power of penalized node operators: If you stole MEV, you shouldn’t be voting.
e) Introduce some simple anti-sybil actions: For example, increase in vote power based on longevity of node or number of previous votes; or choose some anti-sybil processes [gitcoin passport etc] to weight votes). Megapools will help to discourage sybil processes, but this remains the most likely route of malicious governance attack.
f) consider ditching the quorum idea all together, and instead enact a minimum winning vote level A quorum means that the optimal choice for voters whose preferred outcome is clearly losing is to boycott and hope the poll does not meet quorum. This both perverts democracy (voting for your choice makes it more likely that the choice you dislike gets enacted), and skews the results to appear more lopside than they are.

4 Likes

So… I’m certainly one of the people pointing out that RP governance is awesome in the context of the space and a big asset. Essentially, I don’t agree there is a problem. Instead, I think our governance is one of our biggest assets. That said – I think we can and should do our utmost, so I mostly agree with your general direction.

Context on 3.

It is not the case that RP on-chain votes are “much more meaningful for voting than other protocols”. I took quick peeks at a few protocols with on-chain voting (Lido, Aave, Maker, Uniswap) that are bigger than us. Lido, Aave, Uniswap essentially have plenary powers over the future of their protocol states and every adjustable parameter.

On to the suggestions:

  • 1a: I don’t support this. Things are very slow as is, and I believe having votes drag on longer will decrease the perceived importance (standard human failing to conflate urgency with importance) and also increase voter fatigue.

  • 1b: Back n forth on this. I like it for votes with no specific urgency. At the same time, it seems like we might be weaker in cases of urgency or governance attack if there’s a vague expectation that folks don’t need to vote until X date, but it might not be true. I think I lean against.

  • 1d: I don’t agree that this is the same as the <10% grouping. While yes, it’s possible to have gone up from 100% to 200% and now you don’t get as much vote power as you would without the rule, you do get to vote (which was not temporarily not the case below 10%). Further, removing this makes sock puppets more powerful. The optimum play for vote power given a specific bankroll becomes not participating in the protocol at all (no validators and no bond; or 1 if that’s required). I don’t particularly have a dog in the fight on the number, but infinite seems inappropriate. Since I’m mostly concerned with the extreme case and not the specific details, it’s quite likely we can come up with something else that works without the oracle/price dependency (eg a maximum vote power per validator).

  • 1e: I like gas reimbursements. I don’t like paying much for voting b/c there’s no way to differentiate between a thoughtful time-consuming vote and a vote with zero reading – if we only incentivize the vote, we should expect a large quantity of voting, but no particular quality. If going this route, I would suggest setting a delegate that votes should get full credit, as that makes it easier to delegate than put in thoughtless votes.

  • 2a: No real opinion

  • 2b: i seems reasonable in some form, ii sounds like a significant bit of work for the person choosing a delegate, iii is challenging because it means that delegators (seeking to be less active) have to remain active in supervising things, iv makes little sense to me – essentially it only helps governance if the average delegate is better than the delegate the person is selecting in which case why bother allowing selection, v is a good idea and I would somehow try to capture vote changes in there too.

  • 2d: you can force someone to pick, but not to think about their pick. We already have too much of a “name recognition” effect and I think this would make it worse

  • 2e: I like something like this. One possibility is a soft version of this where your delegated vote power slowly bleeds away if you haven’t refreshed it in a year or something.

  • 3a: heh… sure I’d love this – the more the merrier. Not quite sure what that looks like. One item I’ve tossed around a few times is a replica snapshot space for straw polls. This would at least allow the hyperactive ppl to more easily get sentiment to guide them when drafting.

  • 3b: you have two parts here, which I’ll try to address separately

    • less fluff: we can remove the non-technical sections, sure. I think they’re clearly titled enough that one can read or skip as they wish though.
    • swap from spec to simple english: I’m strongly against. Even trying to do speclike language, we routinely run into issues where intent isn’t clear. We somewhat often run into important versions of it, where the reads result in different eventual user interactions. Yes, the number of people that are technical enough to read the spec well is low – BUT, it’s a lot higher than the number of people implementing it (which is who you’re trusting if you write it in simple english with the ambiguity that entails)
  • 3c: would love more editors – wanna be one? We have few editors, and even within the group it often takes some cat herding to get action. The auditor thing sounds quite significant.

  • 3d: I’m very torn. I agree there are huge benefits to secret voting. At the same time, it’s critical that people be able to overrule their delegates. I not only want my delegators to see my vote, I also want them to be able to read my thinking and I try to post that for every vote. I do absolutely hate that snapshot sorts options by current vote count – absurd.

  • 3e: I’m not sure what you mean here, but I think this might be RPIP editors and langers? They’re the ones that can reject RPIPs/votes for being misformatted or not following process or whatever.

  • 3f (typoed as a second 3e): Agree this is better when things are actually unconnected. By this I mean that it makes sense to vote in a package for a drivetrain, and not to have separate votes for tires, wheels, axle, drive shaft and engine – especially if many combinations make little sense. But I 100% agree that we don’t also need to include paint color in the same vote.

    • In practice, I find this pretty hard to actually do. There are 6 sub-RPIPs under RPIP-49, but they definitely are too enmeshed to all be separate. Maybe RPIP-60 is separate enough… but it’s more important due to RPIP-47, which enables Saturn 1 to come out before Pectra with the knowledge that we’ll be able to later add the RPIP-44 forced exits to validators started in that timeframe.
    • I do think we should have a stronger bias towards splitting things out, such as RPIP-60. Essentially, the bar should be high to show things are “too interdependent”.
  • 4a: Not sure what this means. I believe good sock puppets cannot be detected, essentially by definition.

  • 4b: Not against it per se, but complexity is a real cost. I agree RPIP-4 should essentially be replaced by something considering both on and offchain voting.

  • 4c: I’m not sure what this means in practice. Who is doing the policing? If the premise is a persistent and intelligent attacker steering subtly, how in the world are we supposed to differentiate that from a real contributor?

    • Sidenote: I have heard at least 4 people accused of purposely damaging the protocol (including myself). So yeah… feels a little “who watches the watchmen?”
  • 4d: Agree

  • 4e:

    • Age is interesting to me, as long as it didn’t feel too shitty for newcomers. But… I’m struggling to see it move the needle much. Eg, we could say “you start at half vote power and it ramps up across the first 6 months” – this harms speedy attacks from someone totally outside the set to a moderate degree. Something, but not huge imo.
    • It’s not clear to me that something like gitcoin passport does more good than harm. There are guides on how to farm gitcoin passports most efficiently, so I’m sure a farmer willing to spend $20-50 can be more “real” than I am (to the point where some airdrops have filtered out passports with high scores… so now the guides tell you optimal ranges to aim for too).
  • 4f: Yes, a minimum vote in favor is better. I don’t think snapshot has such an option. Obviously on-chain is custom and could, though it would need changes ofc.

1 Like