Proposal for temporary pDAO guardian reassignment

Should we temporarily reassign the pDAO guardian to the oDAO?

  • Support
  • Oppose
  • Another opinion; I will make a comment below

0 voters

Hi everyone! This idea came up on discord as a way to increase security while we work on developing a more comprehensive pDAO design that the community is comfortable with. (I believe @Valdorff may have originally brought it up?)

I’ll go ahead and just paste the text below since it’s so short.

## Abstract

Currently, the pDAO guardian is held solely by Rocket Pool Pty Ltd. In an effort to increase security, this proposal suggets a temporary reassignment of the pDAO guardianship to a multi-sig controlled by the oDAO members until the pDAO is designed and developed more thoroughly.

## Rationale

This is explicitly proposed as a temporary measure because there is no broad agreement yet on a better design for the pDAO guardian.

The oDAO currently already has the same technical capabilities as the pDAO guardian via contract upgrades, and this will not change regardless of the design the pDAO uses, so it's a logical choice for a temporary guardian.

## Security Considerations

The basic purpose of this proposal is to increase protocol security by increasing the number of signers needed for the pDAO guardian to make transactions.

personally i like the idea, but after the oDAO numbers are increased to a level that the community
is comfortable with

For context:

  • Current pDAO guardian has 2 signers from the dev team (EDIT: maybe wrong? see below)
  • Current oDAO has 14 members, 4 of which are devs

Oppose. I agree that we need to progress beyond pDAO bootstrap mode but would rather see the guardian passed to a multisig of which the controllers are voted on by RPL holders (I think that @knoshua originally suggested this?). What is the point of the pDAO if it is not moving toward control by RPL holders??

1 Like

I think we’re quite close to getting this to a pDAO selected multisig. While I understand the desire to shift to something more secure ASAP, I worry that it will result in delaying the desired shift.

1 Like

My preference is to vote on a multisig. Open to a proposal that establishes oDAO as interim solution, but I would want to clearly establish in the RPIP that it is to be replaced asap by a voted on multisig.

I’m curious where you are getting this information. Latest audit recommends transferring the guardian to a multisig, but I see no evidence that this happened.

I’m curious where you are getting this information.

I thought the team mentioned it at some point, but I can’t find it now.

It would be helpful context for this discussion to know more about the current pDAO guardian setup @langers + @darcius, though I understand if you don’t want to share all the details for security reasons.

Re: the proposal itself, I’d caution everyone not to underestimate how long it’ll take to get a solid pDAO design in place, and this can be overruled with the same process at anytime.

Finally, I also want to ping some other oDAO members since this proposal directly affects them: @superphiz @jcrtp @yorickdowne, would you mind forwarding this to the others? I don’t know their usernames.

RPM-09 seems to strongly imply that guardian is a regular wallet. The resolution speaks about a planned transfer, which would be visible on chain.


Great link, thanks! I highly recommend everyone read RPM-09 as it describes the security issue this proposal seeks to mitigate.

Here it is as an image for those of us who are pdf-phobic:

1 Like

At the very least, we need a supermajority of oDAO members to explicitly state that they want this responsibility AND will transfer control as soon as a permanent solution is in place. I lean towards oppose because it adds some complexity and will lessen the urgency for a permanent multisig, but will abstain for now.


We should first outline the responsibilites of the oDAO. For me personally it’s to secure rETH.
It would create weird incentives and increase oDAO’s power if they also controlled pDAO funds.
pDAO funds should be controlled by non-odao members (including the team).

The community pays oDAO through inflation, the same entity (oDAO) should not pay the community back, through grants for example.


Being an interim solution, I don’t think we should involve the entire oDAO with this.
Both because of practical reasons - not all oDAO members seem actively involved with the protocol, and pDAO guardianship can require a quick response time in case of threats.

And, as @Butta said, to have separation of concerns / avoid conflict of interest. Although intended as temporary, even the optics of moving powers from the pDAO to the oDAO should be avoided.

I’d prefer to move pDAO guardian to a team multisig for the time being. We could consider adding a subset of willing oDAO members instead of the entire oDAO - this improves security while also making clear this is not a formal oDAO role, but still a bootstrap mode of operation.

Then, we can separately take the time necessary to create a solid pDAO design.


I really like this idea, too. A team multi-sig was the original mitigation plan anyway. I’d withdraw this RPIP in that scenario.

1 Like

A team multisig sounds like the way to go. I share Butta’s concerns.

If need be I can be part of a temporary mSig, but the time it can take to remove “temporary” solutions should not be underestimated. Good enough can become the enemy of better.

1 Like

This is absolutely my concern with an oDAO or dev team solution.

1 Like