pDAO guardian multisig charter

I am opposed to the pDAO taking control ownership of a guardian multisig at this time.
Open to option 3 of the poll.

  • The guardian account should be a multisig with signers set in a way that would improve the bus factor / should have been for some time now
  • pDAO guardian multisig (PGM) benefits in providing a foothold of community involvement (aligned interests) at a high protocol security level while also providing the benefits of multisig
  • The cost incurred would be new coordination costs and exposing the guardian account’s perverse incentives to committee selection process and on going potential of collusion or takeover
  • PGM would be a de facto highest power governing body

Perverse Incentives

Concentrated Benefits and Dispersed Costs

The ability to define the distribution of inflation funds and expend such funds is problematic. This control may be fine for small operations in which benefits and costs are tightly aligned. In this proposed setup there are concentrated benefits (PGM) and dispersed costs (all other direct and indirect Rocket Pool participants ) to malicious actions. A compromised or colluding group has ability, in a short time frame, to misuse power in a way that will set them pretty for life while destroying the protocol. The PGM actors may have incentives to behave in a good manner in one time period but in a collusive manner in another as circumstances change. The disperse costs provide smaller incentives for any individual actor to monitor much less attempt to enforce good behavior by the PGM.

The team does have this ability to misbehave but so far have been checked by themselves, their reputations and by being doxed. They also have a track record of behavior where they could have taken ICO funds and left or misused the guardian account.

Misuse of the guardian account potential payout increases as the protocol, its value, and RPL all increases regardless of which actors have control.

PGM as Governance

New Central Authority

PGM can override community decisions and exert control as the highest executive authority. If the community voted against liquidity incentives a well meaning PGM could override, for the health of the protocol, by distributing funds to themselves to provide liquidity incentives, overriding any calls for PGM member removal and/or holding the protocol hostage.

While this supreme central committee maintains benevolence all will be well. The while statement must be maintained. I see PGM with pDAO dominance as not a simple multisig setup but rather at its core a highest level governing body proposal.

Potential Path Forward

Slow forward
  • Adjust the current proposal to something softer (poll option 3) and qualify as temporary
  • Map out controls of guardian account, identify conflicts and where controls are needed
  • Develop governance and contract changes out of needed controls
  • Develop lower level soft governing bodies such as a grants and bounties
  • Learn from these groups and harden them over time
  • This is neither fast or easy and delays will erode community commitment and involvement

pDAO multisig control is my ideal future state once the guardian account incentives are broken out and mitigated by governance controls. The current proposal has tremendous value in putting a stronger light on the guardian account issue and in providing a solution. However, it puts the cart before the horse with pDAO control and I find myself currently in opposition to the proposal.

With this viewpoint I’m generally against formalizing a charter at this time. Option 3 from the poll with a temporary signifier and proposed charter is a reasonable compromise.


Hmmm… I think you’re actually misreading something. The oDAO is the highest body for almost everything (in the current state, and regardless of where the pDAO guardian is held). They can upgrade the contracts, and even take away all but a tiny sliver of the pDAO guardian’s power. I’m only aware of two things the pDAO guardian can do over the oDAO: prevent oDAO consensus by setting a requirement greater than 100% (this is essentially protocol-destroying), and set the maximum penalty the oDAO can put on a node operator (this power is not oDAO removable).

The oDAO can’t spend funds right now… but they can change the contract to allow themselves to spend funds. They can change the contracts so the pDAO guardian can no longer spend funds. They can change the contracts so the pDAO guardian can’t set oDAO consensus. Etc.

Perverse incentives
The size of the treasury is pretty nice, but not really enough. Even after the recent pump, it’s under $3M. With a 7 of 12, this is a lot of people to corrupt for not that much money. The bigger threat is destroying the protocol to, eg, short something and make money that way. This incentive does exist for the PGM, and it also exists for the oDAO (which can destroy the protocol even more thoroughly, fwiw).

It is my belief that we are safer from perverse incentives with a large PGM than we are with a team-only or oDAO only PGM. If the overlap with the oDAO is sufficient, there is not even a small check on the oDAO. If it’s team-only, we are exposed to a variety of risks that come about from sometimes being physically all in the same place, eg, a wrench attack could be devastating (as could a government subpoena).

PGM as Governance (New Central Authority)
This authority is (A) not a new one and (B) less central than the current form. The pDAO guardian’s powers are not growing or changing in this proposal, they are merely being transferred. The current pDAO guardian is controlled by a single entity, so it’s maximally central - any change will make it less central by definition.

That aside, I don’t believe the PGM has governance powers. They have heavy emergency powers, but the PGM cannot realistically exert strong powers unless it is willing to take down the whole protocol. In your example with liquidity incentives, the oDAO could move to write out the PGM’s ability to spend. Only by preventing the oDAO from taking any actions ever can the PGM prevent that. There is no middle ground, so I don’t think there’s a realistic threat of the PGM doing something like this “for the protocol’s good” (since it would probably kill the protocol).


Yes, I agree I’m missing something here. Does anyone have a good reference of each guardian power and each oDAO power, other than sifting through the contracts? I think this would help add clarity.

Perverse incentives

All options are trade offs. The pDAO layer adds different vectors and incentives. I’m convinced the guardian multisig needs a higher bus factor. I’m not convinced adding the pDAO layer to that multisig is appropriate without the structure behind it to account for the different group incentive. For pDAO 7 signers may not always be the same as 7 entities.

There are ways for the team to mitigate physical risk with existing real world contract and physical structures. Would they? eh… have they yet? State capture over the next year is a possibility but from my perspective less likely than a pDAO multisig signer capture. Both chances are small but real.

I’m not a proponent of oDAO being directly involved with pDAO funds.

PGM as Governance

(a) Agreed it is not new. However what is new is that pDAO incentives are different than devs. The authority needs to be broken down into components and structures that account for that difference.
(b) Agreed it is less central. But with takeover possibility not being addressed I don’t see it as significant win.

It is real power to make changes or execute the direction funds. Since that power is set by people, can be changed and effects others, I see it as governed.

pDAO guardian powers are being transferred from one group to another one with different incentive set. That is the key to me. Whether it is realistic that a PGM would be compromised to exercise such drastic power in the short term is a good critique.

1 Like

This one has been sitting there for a while. Does the team have thoughts? Can we move this to snapshot?