[Social] [EP2.2.5] Selection of an ENS endowment fund manager

To contribute to the part on helping to assess the technical difference between both Zodiac Roles Module and Enzyme, I have been asked to share the auditors point of view. Full disclosure: ChainSecurity is also a technical council member on the Enzyme Board to support them in keeping the system secure, but we don’t take part in any business or non-technical decision making.

The core feature which in our current understanding is hard to replicate without the help of custom smart contracts when using the Zodiac Roles Module is that Enzyme allows to limit fund managers powers by factoring in third party data sources like Chainlink oracles. This can be used to prevent fund managers from using e.g. Uniswap to execute bad trades in which they profit (e.g. through using a custom swap path which results in very large slippage).

A simplified view of this is that the Roles Module allows to use a system as-is, while Enzyme wraps a system to further limit the possible interactions in a dynamic way. To some degree, you get all the features a third-party system offers in both cases, but if you want other config options not foreseen by the third-party system, Enzyme can either support this out of the box, or has a lot of experience in developing those wrappers.

Responding here in a personal capacity to the last comment:

Historically, significant power in the hands of very few people is very costly, too. Smart contracts, while not perfect, can reduce this need for trust, and while no system is perfect, I personally hope we can get towards one which is better than the systems we had in place before.

When it comes to AMMs, “low liquidity conditions” can be created at will. As evidenced by the ubiquity of “sandwich attacks”; liquidity manipulation is cheap, common, and easy. Is a fund really non-custodial just because the method you can use to drain its assets is named “swap” instead of “withdraw”?

You’re muddying the waters around the risk of making small allocations to Maple and Goldfinch, yet are asking for unilateral powers “in case of emergency”. Ironic, no?

Want to make sure this point doesn’t get lost in the discussion.

Yes, the Zodiac Roles Modifier has been audited in isolation, but it hasn’t been audited within the specific context of non-custodial fund management. Again, Karpatkey largely derives its flexibility from choosing to implement controls by configuration, instead of custom adapters. These configurations should be audited. I am NOT doubting the safety of Zodiac in isolation. I have high confidence in the Zodiac team, its auditors and large bug bounty. What I am questioning—is whether using the Zodiac Roles Modifier alone provides as strong security guarantees as Karpatkey is suggesting. The safest car in the world can still crash if you’re able to drive it recklessly.

Hi nicmm,

I’m Defi Foodie from Karpatkey, thanks for all your thought provoking comments.

Could you please provide an example of deliberate low liquidity condition creation? I don’t think you’re referring to collusion between whales, are you?

I’d argue market manipulation is not easy (it’d be much more frequent if it were), but I think I see your point: “Greater restrictions reduce the chances of malicious actions from fund managers”.

I agree that trust minimisation is crucial in web3, and even more so when it comes to fund management, but there needs to be some level of trust in the fund managers to ensure there’s a healthy balance between the possibilities they have and the prevention of malicious action on their behalf -which would result in their immediate destitution and permanent loss of credibility-.

Our goal as fund managers is to help ensure that ENS DAO thrives in the long term, using all the knowledge we have acquired, the lessons we’ve learnt over these 2 years and the technology we have at hand. We could argue endlessly about the caveats, pros and cons of any technological solution, but we’d like to focus on the fact that at the end of the day, a combination of adequate financial planning and strategy combined with adequate technology to allow the fund managers to work with limited freedom will be what determines if the endowment fund is successful or not.

In case of emergency (and in any other case), we would never ask for unilateral powers, we’d have clear pre-approved restrictions that would allow us to act fast, as we have done several times with the assets we’ve been entrusted with. The result has been that we could always derisk positions in a timely manner, preserving the assets of the DAOs we work with.

Regarding the allocation choices, we are just trying to explain our own conclusions from having carefully reviewed countless protocols. We have come across Maple and Goldfinch before, and we are surprised they represent more than just a small portion of the proposed investment strategies for Avantgarde (we have 0 allocation to black box protocols). A hypothetical allocation of the USDC bucket that could start at 30% to ramp up to as much as 40% further down the line is, in our view, irresponsibly aggressive and not at all small - especially anything in Goldfinch’s Junior Pool. Our partners, Steakhouse, would concur. Some of their members have contributed significantly to developing MakerDAO’s extensive real-world asset investments, both off-chain and hybrid on-chain vaults such as Centrifuge, and have spent considerable resources diligencing the space.

Maple and Goldfinch are great innovations and may be suitable for some risk profiles but, in our view, are not suitable for the Endaoment’s objectives. Regardless of their advantages, these protocols are ultimately off-chain black boxes that would need serious legal due diligence before any investment. With their risk profile, we do not believe they are even suitable for an endowment in any allocation, let alone as much as 40%. Furthermore, even staying on-chain, we would not suggest any allocations to untested protocols such as Interest Protocol, which currently has $193,246 in TVL, but represents 10% of some of Avantgarde’s hypothetical USDC portfolios.

There may well be merits to this strategy. We are just explaining that in our risk management framework, we would never suggest the endowment pursue allocations to protocols like these, let alone in this size. You are, of course, free to conclude differently.

The preset configuration setup has a minimal attack surface, namely the Roles mod smart contract. That is to say, there’s no extra smart contract auditing needed.
A preset configuration only consists of a set of smart contract function signatures, target addresses, and input parameter thresholds, which are allowlisted through the Zodiac Roles mod via a transaction batch. Each of these allowlisting transactions is easily readable through any 4-byte decoder, clearly showing the configuration, e.g. a ‘deposit’ signature and its associated target address. These preset-applying transactions themselves are created using Zodiac’s tools and in collaboration with the Gnosis Guild team.
The attack surface is thus minimised since the permissions that the configured preset gives are reduced to a minimum and can be easily verified to be devoid of any attack vectors.

In summary, auditing the preset is as simple as you can get.

Intro

Hey all.

So as has been discussed a lot in Twitter in the last days and in the Space yesterday this is a really difficult vote to participate in.

Everyone has put so much time in these proposals and there has been so much back and forth here in the forums, twitter and in spaces.

Vote ranking

I will list my vote preference here with a short explanation for each.

1. Karpatkey

Both Karpatkey and Avantgarde come really close in my opinion and it was difficult to choose one of the two as first choice.

Ultimately what made the difference was speaking with projects that have used them before and getting a feel for how their work looks like.

I believe that ultimately the tech stack of Karpatkey and the way their proposal describes they plan to use it will be of the highest benefit to the ENS DAO and guarantee that the Endaoment’s goal will be reached.

I also liked the fact that the strategies that will be followed with Karpatkey all seem safe and as risk averse as possible.

Finally gotta admit the statistics and the way that reporting seems to work in the Karpatkey proposal impressed me and think it will be really useful to the DAO.

2. Avantgarde

A very very close second. Had the pleasure of speaking to some people in their team, listened in the space and read the proposal.

I am aware of the enzyme protocol and had been following it even from when it was called Melon. It’s a really interesting approach and as a tech stack also quite powerful.

One of the things that put me off a bit from the proposal is that despite all we saw last year with insitutional crypto offerings collapsing, Avantgarde seems to insist on using them via Maple.

I do realize it’s only a very small part of their allocation and in the worst of worst case it won’t spillover but it’s one of the things that personally still puts me off.

Finally though I appreciate cryptio as part of the proposal I would appreciate tools that are opensource.

Again … I need to say though both proposal are stellar. Choosing one or the other was hard.

3. None of the above

I am choosing none of the above higher than Lama because I don’t believe we would need to have an external manager which passes every single financial action as a vote through the DAO.

Now about what would “None of the above” mean in reality for us I think it’s something we woudl want to avoid.

We would have to re-convene and find someone else, probably from inside the DAO and take small allocations here and there as suggested by @brantlymillegan here: https://twitter.com/BrantlyMillegan/status/1594799476480286726

Though inviting at first, I have to admit I liked the idea, … I can see how this would easily devolve into arguments about how to manage the funds and in the end we would need to end up giving the power to an individual or org. Plus it would take a lot of time.

So I view the “None of the above” as the option to go with a “non-professional” manager, maybe from within the DAO. For example I am the manager of rotki’s treasury … and I think I am doing okay with the small amount of funds we have.

But ENS is huge. It’s a big project and I think it deserves professional financial management. Which is why this option is ranked as 3rd.

4. Llama

Though I appreciate the proposal Llama wrote, I really don’t think financial management can be effective if it has to pass via a DAO vote for every decision.

As many of my peers wrote above when you manage funds at this size you really need to make quick adjustments and take financial positions within a very short time-frame (minutes or hour/s). A DAO vote and execution would take weeks.

I don’t think this is effective and as such ranked Llama as my last choice.

Closing notes

I want to thank everyone who participated in these discussions. You have all been amazing and especially Karpatkey and Avantgarde people have been so open and helpful in their discussions with me.

I learned a lot through this process.

Whatever the end result, I wish to see both teams thrive and in the end for us in ENS to have the most risk-averse but effective ENDAOment program.

Referring to the myriad of ways of manipulating liquidity on-chain: flash swaps, flash loans, etc. No whales necessary. Remember that in the case of AMM trades, it’s only necessary to manipulate the price for an instant of time. This is virtually risk free. This happens literally every day on-chain.

The problem you’re missing here is that (absent additional smart contract controls) these two are equivalent, you are asking for unilateral powers and do not even realize it.

This approach is exactly the problem. Again, integrating a protocol only begins at whitelisting its entry points. Without intimate knowledge of how each protocol actually works at the smart contract level, you are asking to get burned.

Thanks Lefteris, just to clarify, Enzyme’s reporting infrastructure is entirely open source and relies on subgraphs which means the data we display on interface is easily queriable, verifiable and auditable. The interface also makes it easily readable in real-time. The cryptio part of our proposal is to handle non-treasury reporting which we were asked to include but does not actually cover the scope of the original RFP.

One of the things that put me off a bit from the proposal is that despite all we saw last year with insitutional crypto offerings collapsing, Avantgarde seems to insist on using them via Maple.

That’s correct. Copy/pasting my response to you in our private discussion for full transparency.

I think our key point is that risk management/capital preservation is more than “off chain” or “on chain” (for example, Luna was on chain)

The important judgement is: who does their research / risk underwriting better? Yes, on chain is more transparent and so easier to underwrite, which is why our big bias is toward onchain. But “On chain: good, off chain: bad” is too simplistic, and therefore actually riskier than the case by case approach we believe in.

great summary

Voting update, with 6 hours to go. lefteris.eth, she256.eth and imtoken.eth have all weighed in.

sankeymatic_20221122_070025_600x600600×600 45 KB

Hi Lefteris -

Thanks for your thoughtful response, I really appreciate the time you put in to this decision.

I just wanted to make sure that you’d seen @nicmm’s posts in this thread on the difference in trust models between Enzyme and Zodiac. Our CTO put it aptly, Enzyme ensures outcomes, Zodiac only inputs.

Nic wrote a couple of posts but this one went up after you posted your rationale, so thought I’d link.

Delegate’s View - Coinbase.eth

After reviewing the finalists’ proposals, we believe that none of the above would be the best immediate route forward. As such, we’re voting:

1. None of the above
2. Llama
3. Avantgarde
4. Karpatkey

Reasoning

As Nick reminds us in the replies above, the DAO’s goal with this RFP is to establish long-term funding for protocol development and to insulate the DAO from economic fluctuations (with ETH exposure being the main source of any fluctuations).

We don’t think any of the proposals adequately solve for this specific mission. In fact, as discussed by other delegates on this forum, active management of funds might not be the most immediate step that the DAO can take to insulate its long-term runway against ETH price movements.

To avoid going too far out on the risk curve, long-term funding of $4M per year likely requires a more sizable endowment than what the DAO is currently starting with. In the meantime, a 5% yield on the current treasury likely only nets the DAO an additional $1-2M annually (at best). This risk / reward doesn’t seem reasonable, and we’d prefer to wait for the treasury management space to mature further.

It’s nice to start working on an endowment process now, but any rushed decision that risks funds with limited upside seems unnecessary.

After Coinbase’s and Rainbow’s vote, NOTA is now in the lead.

sankeymatic_20221122_111826_600x600600×600 43 KB

The point of the management of funds was to also start on the derisking process. The ENDaoment process has been something that the DAO has been working on for many months, all the while seeing its very heavy exposure to ETH hurting its treasury net value as we get deeper and deeper into the bear.

This is why we are finally ready to now act and do something about it.

Voting for “None of the above” takes us back to step one and we have no idea when or how we can even start derisking while at the same time the market conditions put the very existence of the DAO at risk.

This risk / reward doesn’t seem reasonable, and we’d prefer to wait for the treasury management space to mature further.

I have to admit I am pretty amazed to see that coming from Coinbase, an org that also deals with many institutional customers. So is it your professional opinion that doing nothing and just holding the overwhelming majority of the DAO’s treasury in ETH poses less risks than actually taking action to do something about it?

Coinbase aside, I would also like to hear the reasoning of the vote from @rainbow since they also helped swing the vote towards None of the above.

Is this true? Is the existence of the DAO at risk if we wait?

Not with the current ETH price I gess? @nick.eth should chime in. I think it was mentioned in the space yesterday. But who knows where ETH will be in a week? In a month? The DAO should not gamble trying to guess bottoms. Choosing “None of the above” takes us back to the drawing board.

And if anything this entire process should underline how hard and time consuming a process reaching a decision as a DAO is.

If we do end up voting for “None of the above” we should act fast on a derisking strategy. Essentially a vote for a strategy on how and for how much ETH we should derisk (sell for stables).

And separate the treasury management from it as a completely different proposal.

It depends on just how low the ETH price goes and what happens to ENS income. As long as income exceeds expenses (it does handily right now), we can sustain ourselves without drawing down on the treasury. But if that changes - and it’s reasonable to think that ENS registration fees are correlated with crypto market performance - then we’d be faced with insufficient income and a treasury that has shrunk dramatically.

Here’s my mental model on the DAO with/without an endowment:

     W/O Endowment
┌──────┬───────┬───────┐
│      │ E > I │ I > E │
├──────┼───────┼───────┤
│ ETH↓ │  BAD  │  OK   │
├──────┼───────┼───────┤
│ ETH↑ │  OK   │  GOOD │
└──────┴───────┴───────┘


     With Endowment
┌──────┬───────┬───────┐
│      │ E > I │ I > E │
├──────┼───────┼───────┤
│ ETH↓ │  OK   │  OK   │
├──────┼───────┼───────┤
│ ETH↑ │  OK   │  OK   │
└──────┴───────┴───────

The DAO is not in the business of trading or trying to time things. We should absolutely be willing to trade off some upside - that would exceed our needs in any case - for a guarantee that we won’t face an existential crisis if the market goes as badly as it potentially could.

I am working on a draft EP to propose changing ENS’s accounting of unearned income to be USD-denominated instead of ETH-denominated, while Coltron is working on an EP draft for day-to-day treasury operations that would entail keeping a substantial runway available directly to the DAO (outside any endowment) in stablecoins.

Both are relevant regardless of the outcome of this vote, and will help to ensure the DAO has less immediate risk and exposure to currency fluctuations if passed.

Edit: More last minute voting changes have put Karpatkey back into the lead (for now).

sankeymatic_20221122_123545_600x600600×600 44 KB

Delegate’s View - cory.eth

After much consideration, I have finalized my vote as

1. None of the above
2. Llama
3. Avantgarde
4. Karpatkey

After a historic year, the ENS DAO is well funded for the forseeable future. I also think $4.2M in annual expenses is a lot for a software project.

Despite USD expenses, I do not like the idea of over-diversifying into blacklist-enabled tokens. I am terrified of the tail risk. ENS DAO is front and center and likely to be used as an example in legal matters.

If we do not have enough stables for the bear market, then I would suggest we just execute a UniSwap trade not give 80% of our treasury allocation away (edit: admittedly with limitations as set in the proposal and smart contracts).

That said, I am sympathetic to the desire for a treasury management role. But I think these proposals miss the mark on risk-minimization. If someone wants 80% of my own money, I wouldn’t just give it to them. I’d make them earn it and prove they’re doing well first. I would be open to a proposal with much less money on the line. Holding ETH is fine, ideal even.

Llama was the highest friction option, so I selected it first among the candidates. Avantgarde impressed me a bit more. They seemed higher effort as they reached out to me as well.

I found this decision very difficult and was impressed by all the options and dialogue.

To be clear, none of these proposals involve giving 80% of the treasury to anyone. The funds would still be held by the DAO, with the fund managers able to execute certain limited operations on them such as allowlisted trades.

I understand, was trying to use the term “treasury allocation” to be brief.

Main point follows, I would be more happy with a smaller start.