Should we temporarily reassign the pDAO guardian to the oDAO?
Support
Oppose
Another opinion; I will make a comment below
Hi everyone! This idea came up on Discord as a way to increase security while we work on developing a more comprehensive pDAO design that the community is comfortable with. (I believe @Valdorff may have originally brought it up?)
I’ll go ahead and just paste the text below since it’s so short.
## Abstract
Currently, the pDAO guardian is held solely by Rocket Pool Pty Ltd. In an effort to increase security, this proposal suggests a temporary reassignment of the pDAO guardianship to a multi-sig controlled by the oDAO members until the pDAO is designed and developed more thoroughly.
## Rationale
This is explicitly proposed as a temporary measure because there is no broad agreement yet on a better design for the pDAO guardian.
The oDAO currently already has the same technical capabilities as the pDAO guardian via contract upgrades, and this will not change regardless of the design the pDAO uses, so it's a logical choice for a temporary guardian.
## Security Considerations
The basic purpose of this proposal is to increase protocol security by increasing the number of signers needed for the pDAO guardian to make transactions.
Oppose. I agree that we need to progress beyond pDAO bootstrap mode but would rather see the guardian passed to a multisig of which the controllers are voted on by RPL holders (I think that @knoshua originally suggested this?). What is the point of the pDAO if it is not moving toward control by RPL holders??
I think we’re quite close to getting this to a pDAO selected multisig. While I understand the desire to shift to something more secure ASAP, I worry that it will result in delaying the desired shift.
My preference is to vote on a multisig. Open to a proposal that establishes oDAO as interim solution, but I would want to clearly establish in the RPIP that it is to be replaced asap by a voted on multisig.
I’m curious where you are getting this information. Latest audit recommends transferring the guardian to a multisig, but I see no evidence that this happened.
> I’m curious where you are getting this information.
I thought the team mentioned it at some point, but I can’t find it now.
It would be helpful context for this discussion to know more about the current pDAO guardian setup @langers + @darcius, though I understand if you don’t want to share all the details for security reasons.
Re: the proposal itself, I’d caution everyone not to underestimate how long it’ll take to get a solid pDAO design in place, and this can be overruled with the same process at any time.
Finally, I also want to ping some other oDAO members since this proposal directly affects them: @superphiz @jcrtp @yorickdowne, would you mind forwarding this to the others? I don’t know their usernames.
At the very least, we need a supermajority of oDAO members to explicitly state that they want this responsibility AND will transfer control as soon as a permanent solution is in place. I lean towards oppose because it adds some complexity and will lessen the urgency for a permanent multisig, but will abstain for now.
We should first outline the responsibilities of the oDAO. For me personally it’s to secure rETH.
It would create weird incentives and increase oDAO’s power if they also controlled pDAO funds.
pDAO funds should be controlled by non-odao members (including the team).
The community pays oDAO through inflation, the same entity (oDAO) should not pay the community back, through grants for example.
Being an interim solution, I don’t think we should involve the entire oDAO with this.
Both because of practical reasons - not all oDAO members seem actively involved with the protocol, and pDAO guardianship can require a quick response time in case of threats.
And, as @Butta said, to have separation of concerns / avoid conflict of interest. Although intended as temporary, even the optics of moving powers from the pDAO to the oDAO should be avoided.
I’d prefer to move pDAO guardian to a team multisig for the time being. We could consider adding a subset of willing oDAO members instead of the entire oDAO - this improves security while also making clear this is not a formal oDAO role, but still a bootstrap mode of operation.
Then, we can separately take the time necessary to create a solid pDAO design.
A team multisig sounds like the way to go. I share Butta’s concerns.
If need be I can be part of a temporary mSig, but the time it can take to remove “temporary” solutions should not be underestimated. Good enough can become the enemy of better.