Secretary and Working Group Multi-sigs

Introduction

Working group multisigs require 4 signers: 3 stewards and the secretary (per rules 3.5.6 and 9.8.4). When the secretary is also a steward, they become 2 signers on the multisig, as currently seen on main.eco.wg.ens.eth.

Problem Statement

Having an individual as 2 signers on WG multisigs amplifies two risks:

  1. Collusion Risk: Reduces required colluding parties from 3 to 2 stewards
  2. Lock Risk: If secretary loses keys/dies, funds could become inaccessible

Current Risk Mitigation

We address lock risk by having main.mg.wg.ens.eth serve as a signer on main.eco.wg.ens.eth, allowing fund recovery through main.mg.wg.ens.eth and two other stewards if secretary access is lost. However, this isn’t codified and the secretary is still 2 signers.

Proposed Action

Remove secretary.limes.eth as a signer on main.eco.wg.ens.eth and have a 3-of-4 multisig structure, and make an amendment to the DAO WG Rules to codify the procedure in the event the secretary is also a steward.

Proposed Amendment

  1. If the Secretary is a working group steward, the Meta-Governance working group multi-sig fills the Secretary keyholder role for the working group the Secretary belongs to
    1. In the case where the Secretary is a Meta-Governance Steward, another working group multi-sig, where the Secretary isn’t a Steward, fills the Secretary keyholder role

Next Steps

Please share thoughts and opinions on best practices here. If there is no opposition, the Ecosystem WG could make this change on main.eco.wg.ens.eth sooner rather than later. Alternatively, we could wait for an amendment to change it.

I don’t think a standalone proposal is needed to introduce this amendment but perhaps if there is support, the amendment could be included in a batch of other amendments.

10 Likes

I support the proposed action and amendment. This is a practical correction for the stated problem.

4 Likes

This amendment reduces collusion and lock risks, ensuring safer multisig management and clearer rules for secretary roles in governance, hence I’m in favor of this proposal.

I support this.

In a similar vein (though maybe beyond the scope of this amendment), I would support an amendment that requires the DAO wallet to be a super-admin of all working group multisigs via a Safe Module. This protects against more than 1 steward losing access to their keys simultaneously.

I recall this was the case with Pod, but am unsure if it’s still active since the developers (Metropolis) seem to have wound down operations over the last year. Either way, it’s not a part of the rules and I think it probably should be.

3 Likes