Working group multisigs require 4 signers: 3 stewards and the secretary (per rules 3.5.6 and 9.8.4). When the secretary is also a steward, they become 2 signers on the multisig, as currently seen on main.eco.wg.ens.eth.
Having an individual as 2 signers on WG multisigs amplifies two risks:
Collusion Risk: Reduces required colluding parties from 3 to 2 stewards
Lock Risk: If secretary loses keys/dies, funds could become inaccessible
Current Risk Mitigation
We address lock risk by having main.mg.wg.ens.eth serve as a signer on main.eco.wg.ens.eth, allowing fund recovery through main.mg.wg.ens.eth and two other stewards if secretary access is lost. However, this isn’t codified and secretary is still 2 signers.
Proposed Action
Remove secretary.limes.eth as signer on main.eco.wg.ens.eth and have 3-of-4 multisig structure and make an amendment to the DAO WG Rules to codify the procedure in the event the secretary is also a steward.
Proposed Amendment
If the Secretary is a working group steward, the Meta-Governance working group multi-sig fills the Secretary keyholder role for the working group the Secretary belongs to
In the case where the Secretary is a Meta-Governance Steward, another working group multi-sig, where the Secretary isn’t a Steward, fills the Secretary keyholder role
Next Steps
Please share thoughts and opinions on best practices here. If there is no opposition, the Ecosystem WG could make this change on main.eco.wg.ens.eth sooner rather than later. Alternatively, we could wait for an amendment to change it.
I don’t think a standalone proposal is needed to introduce this amendment but perhaps if there is support, the amendment could be included in a batch of other amendments.
This amendment reduces collusion and lock risks, ensuring safer multisig management and clearer rules for secretary roles in governance, hence I’m in favor of this proposal
In a similar vein (though maybe beyond the scope of this amendment), I would support an amendment that requires the DAO wallet to be a super-admin of all working group multisigs via a Safe Module. This protects against more than 1 steward losing access to their keys simultaneously.
I recall this was the case with Pod, but am unsure if it’s still active since the developers (Metropolis) seem to have wound down operations over the last year. Either way, it’s not a part of the rules and I think it probably should be.
This could be super easy for working groups to implement, and would allow the DAO to update the signers of any multisig via an executable proposal if needed for the sake of recovery.
I’m not suggesting working groups do this today — I’d want someone else to confirm this works as expected, and which DAO contract should be the recoverer (wallet.ensdao.eth or governor.ensdao.eth) — but it seems ideal for our setup. If everyone agrees, maybe it should be codified in the working group rules to be extra explicit.
Yeah. Thanks @gregskril
I’ve looked at that, for the same reason.
It would be better than nothing, but not perfect because it doesn’t give “control” to that recovery address.
Metagov has started to look at tools like Hats or other structures like what Podarchy provided us in the beginning.
We’ll likely suggest a specific solution to the DAO before the end of Q1, we just need to fully evaluate the different choices to avoid another situation like why we went through with Podarchy.
