pDAO guardian multisig charter

In general, I’m very supportive but feel the specifics can be improved. Thank you Val and everyone else who’s contributed to the discussion on this so far! Here are my thoughts on what’s been proposed so far.


As is, I would vote against the proposed RPIP-10 extension as a selection mechanism for the pDAO guardian due to security concerns with our current, very nascent government process.

Sybil-resistance is the only answer for fair governance since linear voting brings plutocracy, and even that’s preferable to the gameable vote we have now – which, it could be argued, is not even secure enough for accurate signaling. I say all of this as the author of RPIP-4, of course, so it’s not like I’m against the current process, but I do think we need to be realistic about its limitations.

All the legalese about veto powers and when it’s ok to use them will only protect the protocol from good actors, and I’m more worried about bad actors exploiting the process to gain control of the millions in the pDAO budget. I don’t think it’s worth gambling the entire protocol on the hope that we’ll be fine with anonymous multi-sig participants and the current voting process when there are easy, big wins for security upgrades if we’re just a little more patient.

As an example, I also support the pDAO contract changes referred to above (timelocks, parameter limitations, etc). Contract changes require audits, however, and audits take time. Studying governance risks and passing proposals which mitigate the risks with our current system (i.e. improved sybil resistance for voting) will also take time. Doing this right takes time, and rushing is very dangerous since a malicious pDAO guardian can easily and quickly destroy the protocol.

That said, the current situation with the dev team as the pDAO guardian is also risky, as noted by Sigma Prime in their audit for redstone. Therefore, while we develop the pDAO to be more resilient against governance attacks, I prefer to temporarily move the pDAO guardian to the oDAO (i.e. RPIP-14) to increase security while we work on pDAO contract security upgrades and design other mitigations to social attacks.


Re: multi-sig types, I have no preference for a specific size, but to help with this decision, maybe we can consider specific goals like “X-hour response time”.


Also, a suggestion for the future, regardless of how the pDAO guardian ends up, I think we should work towards separating the wallet that receives pDAO inflation from the wallet which can change protocol parameters. For the first, it should be possible to use a splitter contract for automating regular transfers to MCs, which would be safer vs manual transactions, and then the only responsibility for treasury management is the regular signing drills. For the second, we could even institute a completely different multi-sig with even more security precautions.

We should always remember that the ideal state of the protocol is the one where there is no need for governance and everything is automated, so let’s work towards that future whenever possible!
