Introducing veto.ensdao.eth

Anyone who closely watches Agora or Tally will have noticed a new ‘delegate’ shooting to the top of the delegate list, veto.ensdao.eth, presently holding over 3.8M delegated tokens. Please don’t be alarmed - this isn’t a governance attack, in fact it’s quite the reverse.

@avsa recently disclosed to a small group of delegates the existence and practicality of highly concerning governance attacks that could be used to target DAOs including the ENS DAO. Given the viability of these attacks and the urgency with which they need to be addressed, I’ve devised a simple contract that makes it possible for a small group of trusted DAO participants to exercise a large number of “no” votes to veto proposals that risk the integrity of the ENS DAO. To put some weight behind this, ENS Labs has delegated all of its ENS tokens - most of which are being held on behalf of Labs staff - to this account.

This contract only permits individuals who have been granted permission to use it, it only allows them to vote “no”, and before exercising this power, individuals must agree to a pledge to only use this power to veto proposals that constitute a governance attack on the DAO, or would violate the ENS constitution. The full text of the pledge can be found here: https://ens.mypinata.cloud/ipfs/QmbCNmTtMgjVXsqirZRy8tZbq3zh92g1g6PE3V4QGpNJ1b

Besides myself, I have extended invitations to @Griff, @lefterisjp, @AvsA and @katherine.eth, these being the 5 accounts with the most delegated tokens who have voted on all 5 of the most recent 5 onchain proposals. I am open to suggestions for other trusted individuals who should have their hand on this critical lever.

This is only the first step in protecting the DAO against governance attacks. Further ideas would require DAO action - in the short term, approving an official ‘vetoer’ role that can veto independent of vote count, and in the long term, improving delegation rates and token distribution to the point where these kinds of attacks are no longer economically viable.

26 Likes
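The restriction described in the post above (allow-listed callers, a pledge step, "no" votes only) can be sketched as follows. This is an added illustration, not the contract deployed behind veto.ensdao.eth and not code from the post. The contract name, the single `admin`, and the on-chain `pledgeHash` check are assumptions. The only external dependency is the OpenZeppelin Governor `castVote(uint256,uint8)` call, where support value 0 means Against.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Slice of the OpenZeppelin Governor interface; 0 = Against in GovernorCountingSimple.
interface IGovernor {
    function castVote(uint256 proposalId, uint8 support) external returns (uint256);
}

// Illustrative sketch, not the contract deployed behind veto.ensdao.eth.
contract VetoDelegateSketch {
    uint8 private constant AGAINST = 0;
    IGovernor public immutable governor;
    address public immutable admin;      // assumption: one admin manages invitations
    bytes32 public immutable pledgeHash; // assumption: keccak256 of the pledge text
    mapping(address => bool) public invited;
    mapping(address => bool) public pledged;

    event InvitationSet(address indexed account, bool allowed);
    event PledgeAccepted(address indexed account);
    event Vetoed(address indexed vetoer, uint256 indexed proposalId, uint256 weight);

    constructor(IGovernor governor_, bytes32 pledgeHash_) {
        governor = governor_;
        admin = msg.sender;
        pledgeHash = pledgeHash_;
    }

    function setInvited(address account, bool allowed) external {
        require(msg.sender == admin, "not admin");
        invited[account] = allowed;
        if (!allowed) pledged[account] = false; // revocation also clears the pledge
        emit InvitationSet(account, allowed);
    }

    // An invitee opens the veto path only by echoing the pledge hash on-chain.
    function acceptPledge(bytes32 hash_) external {
        require(invited[msg.sender], "not invited");
        require(hash_ == pledgeHash, "wrong pledge");
        pledged[msg.sender] = true;
        emit PledgeAccepted(msg.sender);
    }

    // Sole call into the governor. `support` is a constant, so the delegated
    // weight cannot be cast For or Abstain, and nothing here can propose.
    function veto(uint256 proposalId) external returns (uint256 weight) {
        require(invited[msg.sender] && pledged[msg.sender], "not a vetoer");
        weight = governor.castVote(proposalId, AGAINST);
        emit Vetoed(msg.sender, proposalId, weight);
    }
}
```

Because the contract itself is the voter, the first successful `veto` call spends its full delegated weight on that proposal, and a second call for the same proposal reverts in the governor.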

An excellent mechanism, reinforced by the fact that the “vetoers” are long-time and active members of the community. However, if I were a «governance attacker» and had a lot of $ENS, then I would vote at the last minute of the voting period on executable proposals, knowing that the veto mechanism has some sort of consensus that requires people to participate, and hoping that they will not have time to react.

This is a crazy situation that requires the catch to be unnoticed before I vote, but nevertheless, if I have 2m $ENS (~40m USD) to overcome the 1.9m votes against and make the proposal approved, then I’ll probably find a way to make sure the vetoers don’t suspect anything.

It’s also worth mentioning that having mechanisms to prevent veto abuse is a good practice. Whatever the level of trust in persons having such a right, situations may be different.

6 Likes

That’s a great approach to solve this urgently. I’m happy to see this deployed after the research.

Decentralization in the DAO is essential, but steps like this are crucial in situations that can put the DAO itself at risk.

Thanks for acting quickly, @nick.eth! With this, governance is much more safe. I am looking forward to the next moves to secure the DAO even more until we find an excellent plan to distribute governance and raise the delegated cap.

7 Likes

This is a very big responsibility and one that hopefully won’t need to ever be used.
I have signed the pledge and accepted the vetoer role: https://etherscan.io/tx/0x6cf772ca379adacb7ca0da023b9cafdb82611f2e32340117012c916272e97e08

10 Likes

Has there been any consideration for protections against the removal of delegation from veto.ens.eth? Also, in the event that one or more of the (I will call them veto gate-operators) suddenly is unable to act on this responsibility ever again, is there a fallback system where a proxy gate-operator can fill in? Like x/# (of operators) can vote to remove another operator, but it has to be unanimous excluding the gate-operator that cannot perform the role if it were to ever happen, i.e., 4/5 people vote to remove the other 1/5 and include a new gate-operator.

Happy to serve ENS, I also hope we never need to do anything, and the fact that this is here makes that even more likely. It is a deterrent for sure.

Signed the message:
https://etherscan.io/verifySig/40597

Enabled Veto Powers for my griff.eth address:
https://etherscan.io/tx/0x92d18002e8a10fe511407bef900142792f60f8ec0385ec0d8ca6aeb7f6fcab25

9 Likes

Thank you all for the trust and happy to serve. Signed and accepted. :saluting_face:

https://etherscan.io/tx/0xebc102c67bd746ca5743f0356e284d5be35d17861d360d7a84df92a4134dc411

10 Likes

This sounds like a good initiative as long as protections are put in place to ensure that the veto delegate cannot be used for malicious reasons. It’s now a big honeypot and would be the most direct way to take over ENS governance if the 3.8M delegate tokens could be used for something besides veto.

Hey all, not intended as criticism per se, just thinking out loud.

I perfectly well understand why we need this measure, and I’m aware that there were some bad precedents around, where people didn’t bother to introduce something like VETO.

However, not so long ago we had THIS →

https://twitter.com/nicksdjohnson/status/1735667398051557640?s=46&t=LwCr4wiogQddIoSD4YZTeg

for years there was a multisig governing the system

it was almost a celebration, considered to be a major step forward

and now we have VETO

Isn’t it like a step backwards, to good old multisig governing the system?

I appreciate that the mechanism is different, and the intent is obviously different, but looking at this from a “bird’s-eye view”, it feels like the same thing

Again I’m not saying that VETO mechanism is bad in its current form, we probably do need something like this

My thinking is that maybe, just maybe it is possible to introduce some more elegant design which doesn’t bring us back to the good old multisig governing the system

Alas, I don’t have specific ideas what it could be

So again, not a criticism, just sharing my thoughts

These are all good points you are making. This is why I believe it is important to encourage further research on how to properly deal with and derisk centralization levers such as the veto contract.

I personally believe that all signers will act in good faith, but there’s a saying that goes something like this: “You either die a hero or live long enough to see yourself become a villain.”

Will the burden of bearing this responsibility over time become a security risk in and of itself?

Something to ponder about…

Here is a very recent example of a potential DAO attack, which is happening right now; it could be a good case study for us.

TLDR

Approximately a week ago, a large number of COMP was transferred from Bybit to a few wallets as delegations. Today a week-old delegate put up a proposal that essentially asks for 5% COMP from the treasury to be put in some anon vault. This looks very suspicious since the proposer never presented on forums or community calls.

3 Likes

Thanks, Spike! I’ll add this to my weekly research list. I’ll also inform Agora, who are considering potential solutions for increasing delegated ENS to lower the risk factor highlighted in @AvsA’s very helpful Risk Dashboard.

1 Like