[Temp Check] Enable CANCEL role on the DAO

Today Nick introduced veto.ensdao.eth, based on governance attacks researched by me and @alextnetto.eth . This introduces a delegate who has been delegated 3.8M of voting power, which are tokens that belong to ENSLabs and Individuals associated with it. These tokens have been delegated to a contract that can only vote NO on proposals.

This has been created due to a governance attack we have recently uncovered: for over a year, since march 14 of last year the DAO’s total delegated market cap (the total value of all tokens eligible to vote) has been below the total value of the assets it holds. This means that if any sufficiently large whale was able to buy about $83M USD (which given that there were over 10M ENS on exchanges, could be done over the counter so as not to move the price significantly) in ENS tokens, it could delegate it to itself and then add a new proposal to appropriate $137M in ETH and USDC that the DAO holds. Because tokens that aren’t delegated aren’t eligible to vote, and because the DAO uses a snapshot system, the minute they made the proposal there would nothing that could be done anymore: even if every single delegated voted against it, the proposal would pass and the attacker would profit $54M in assets (even if the ENS price went to 0 immediately). It seems Pi Day is the DAO achilles heel.

Screenshot 2024-04-12 at 4.05.38 PM1536×728 104 KB

This isn’t a theoretical attack: in fact it’s a well documented attack that has been repeatedly been done on DAOs, including Aragon, Rook, Invictus, Rome, Temple, Fe. There are some well funded groups who call themselves the “vultures of crypto” and “Free Value Raiders”, and justify because they believe “It’s the market’s way of telling that company or project, ‘We don’t think you are being a proper steward of those assets.’”

This is not our case, the market cap of ENS tokens is over USD$400M, much higher than the total assets it controls, but because only a small percentage of these tokens were used for governance, then it was susceptible to such attacks. The Veto function changes that, by delegating another 3.8 M previously undelegated tokens and therefore increasing the Delegated Market Cap. In the future, when the Multidelegate contract is ready we will open a conversation on the proper way to delegate the 10M ENS that are on the DAO wallet itself.

The CANCEL function

With the recent change the Delegated Market Cap is now above the total assets. This however is not a 100% guarantee. ENS and ETH are volatile assets (not necessarily correlated), and not all of delegates vote on all elections so the actual votes required have a practical majority is lower than that.

However when a vote passes, it’s not immediately executed but rather it’s time locked for 48h and it can be cancelled during that time. However currently the only entity that can call the cancel function is the DAO itself, but that would also require a DAO vote and a time lock, meaning it’s of no practical usage.

We therefore propose an executable proposal that would grant the role of Canceller to a multisig, controlled by the same people that currently hold the Veto power. This would be a multisig of at least 2 accounts. We take this very seriously and understand that once this multisig has such power it’s hard to reverse it since they can veto any attempt to remove it. In order to have a balance of power the members would sign a pledge to only use the cancel power in an event of an attack or to protect the spirit of the constitution and we are open to discussion on any other measures that can be enacted.

Other preventive measures to protect from the attack

The profitability of such attack is simply calculated by the amount of total assets in the DAO / (amount of delegated tokens * price of ENS tokens). So any attempt to improve the situation would have to change one of the factors:

• Assets: The DAO should consider ways to protect the Endowment from any single transaction that takes over. This isn’t as simple as it appears.
• Delegated tokens: the Metagovernance group has been considering ways to improve the amount of active delegates and will continue to propose new methods of both direct ENS distribution and ENS delegation.
• Token price: while the DAO’s responsibility is to the ENS system and not the token, it would be healthy if there were ways in which the value of ENS was more tied to the amount of values in it’s management and the present and future revenue of the name system.

I thank @alextnetto.eth for the research, @nick.eth for the prompt reply making the veto.ensdao.eth a reality and for all the metagov stewards.

Has there ever been any discussion regarding introducing and testing a new governance token, one in which has a built in expiry and or becomes soul bound to certain key wallets.

Essentially I have never understood how or why “responsibility” or “governance” can be bought and traded, especially within a public good organisation. It’s almost an oxymoron.

This sounds like a very positive option.

On another note, will there be more frequent or active campaigns to onboard new Delegates and or wide spread education upon DAO matters? It seems to me that the majority of people who really understand the fundamentals of ENS and the constitution rarely use 𝕏 as a method of community learning.

Thanks for the elaborate explaination and the suggestion @AvsA. In addition to signing a pledge, here are some suggestions which will help with balancing power:

a. The multi-sig members could be asked to stake ENS in a separate escrow contract which can be called using a DAO vote to slash & send staked tokens back to the treasury in the event misuse.

b. Introduce term limits & implement a rotation system where multi-sig members are periodically replaced to prevent centralization of power.

c. Draft legal agreements or contracts outlining the obligations and liabilities of multi-sig members. These agreements can specify the scope of their authority, mechanisms for dispute resolution, & consequences for abuse of power

While I do not have enough experience or understanding to speak authoritatively on this matter, I am regularly concerned about centralization. I believe that maintaining decentralization standards, like the recent transfer of the ENS root key to the DAO, is crucial for creating a robust and resilient governance environment.

I deeply respect the research and effort that went into developing the solution outlined in this temp-check regarding the Enable Cancel role on the DAO, albeit transitory and relatively centralized. That is why I believe it is worthwhile to begin considering decentralized solutions in the interim and encouraging open research on them as well.

Hey @AvsA, great job identifying this issue, and the mitigation you’ve put in place makes sense as a stop gap.

One thing I’ll add: because the ENS Governor has a 1-block proposal delay, this attack is even easier to carry out, because the attacker could acquire the tokens, submit the proposal, cast their vote one block later, and immediately sell the tokens. They would face no economic skin in the game from a drop in ENS price that would occur once the malicious proposal became known. I have previously spoken about this risk in particular at MetaGov Working Group meetings (minutes).

As you identified, the longer term solutions are to get more people to delegate and better align the value of the token to the value of the treasury. One way to do both of these at the same time is to offer rewards from the DAO’s revenue/treasury to those who delegate through a staking system. Uniswap is in the process of rolling out something that does exactly this, called UniStaker (docs).

Disclosure: my company, ScopeLift, built the UniStaker contracts and is working with the Uniswap Foundation to see it deployed. Obviously we are biased, so you should take our opinions with a grain of salt. But I do feel like it’s a clean way to address both issues.

You’ll forgive me for the shameless self promotion here, but we’d be happy to discuss adapting the UniStaker system for the ENS DAO. I actually don’t think it would be too hard to do.

Regarding the cancellation approach: cancellation of proposals is not currently possible, because the ENS Governor does not expose a public cancel method, and (as previously mentioned), the proposal delay is only 1 block anyway, meaning there is no practical window in which cancellation could occur. For these reasons, in addition to considering a staking delegation system, the DAO should seriously consider a Governor upgrade sooner rather than later.

Again, you’ll forgive me the shameless plug here, but these kinds of sensitive Governor upgrades are one of ScopeLift’s areas of expertise, and we’d be happy to help in this regard.

(Also, for my two cents, I’m somewhat skeptical of giving unilateral veto power to a multisig, even with legal agreements in place. Given the liability risks involved, I wonder if you might struggle to find credible parties to be on that multisig. But I can see both sides of the argument as to why this could be helpful.)

My concern with solutions like this is that there’s no way to incentivize effective governance participation. Incentivizing delegation will increase delegation rates, but not ensure those votes are actually used. And if you enforce that the rewards are only paid out if your delegate votes, people will develop bot solutions that always vote the same way on all proposals automatically.

Doesn’t cancellation occur on the timelock, between the vote succeeding and being executed? The DAO could elect a veto contract as a valid caller to that function.

Thank you @alextnetto.eth and @AvsA for coming up with this proposal, happy that it passed unanimously. Also thanks to @nick.eth for implementing the shorter-term veto.ensdao.eth solution.

As the snapshot points out, this is just a mid-term solution since it has a risk of perpetuating centralized power and reducing protocol legitimacy. The built-in expiration date of two years means we’ll need a longer-term solution by then.

I’m not a delegate, but adding my voice here to exercise some airdropped responsibility since this is a core issue for the long-term survival and success of ENS.

As @AvsA lays out, the treasury is vulnerable to attack when the total delegated market cap is below the total treasury value. Since the total delegated market cap is a product of both the ENS token price and number of tokens delegated, either input can cause the delegated market cap to drop below treasury value making an attack feasible. So as @bendi points out, any long-term solution needs to address both the ENS token price and number of delegated tokens.

To keep delegated numbers high, it seems like we’ll need to financially incentivize delegators in some form, even if we don’t get perfectly effective governance participation as Nick points out. I’m not sure how we can avoid incentivization since delegators will always have a competing financial yield that they can earn, due to composability.

For example, here’s the number of ENS tokens used as collateral in Aave v3. The spike after December coincides with the bull market. The ENS tokens deposited are presumably used as collateral to buy other tokens on leverage, competing with delegation.

Dune3970×1752 230 KB

Taking these points into account, the Unistaker approach seems like a promising one with good tradeoffs. One modification I’d suggest is to implement vote-escrowed tokens or veENS (as implemented by Curve & Yearn). With veENS, delegators can choose to lock up their tokens for a length of time to get proportionally greater voting power and a larger share of the incentives. This aligns long-term governance and does more to guard against treasury attacks.

Having said this, I’m curious to know if there are any alternative ways to incentivize delegators or achieve locked voting.

Tally has been closely monitoring this potential governance vulnerability at ENS along with similar vulnerabilities across the DAO ecosystem. We are excited about UniStaker as a primitive, but note that it’s important to consider token liquidity in any potential governance staking design. UniStaker itself does not solve the problem @dinesh.eth highlights of tokens used in DeFi competing with participation in governance. We also share @nick.eth’s concern that, while UniStaker incentivises delegation, it does not incentivise effective governance participation.

We advocate for implementing a UniStaker-like solution that incorporates staked token liquidity and a mechanism to incentivise effective governance by only paying out rewards to stakers who delegate to an effective (votes onchain AND adds value to the governance process) delegate. We’ve been thinking about this at Tally and would love to contribute to such a solution.

Good idea. It is important to encourage effective governance by distributing voting power to delegates who are ENS-aligned and active participants in the DAO. Otherwise, the DAO risks succumbing to botting and other Sybil-like attacks.

I recommend viewing participants’ historical voting activity and prioritizing delegations to those who have demonstrated meaningful participation. How we define ‘meaningful,’ however, is an open-ended question, and I further encourage active discussion on this.

Friendly correction: The ENS Governor has 1 block delay, but for being able to vote in a proposal you need actually 2 blocks after the proposal is submitted. Since ERC20Votes.getPastVotes() will revert with ERC20Votes: block not yet mined because snapshot < block.timestamp.

Anyway, it’s not a big change in the overall situation. Even in the less capital-efficient scenario, that is, buying the tokens, the attack is still profitable, depending on the market conditions. The most capital-efficient option would be incentivizing delegation + borrow some ENS. Also as specified in the proposal, the cancel function is also not useful.

I share the same concerns as Nick. It might be the case for a cobra effect (when incentives designed to solve a problem end up rewarding people for making it worse), that could end up making the DAO less secure and more susceptible to economic vulnerabilities, which is the main concern here.

Rewarding quality engagement is an interesting and complex problem. Then, a lot of questions come up: What is quality engagement? How can we reward and select those in a fair and credibly neutral way, taking into account the charisma bias or halo effect?

That proposal gives us time to come up with solutions and test them.

The Timelock contract has a cancellation function, and any entity with the Proposer role can cancel an item that is queued in the Timelock. However, the proper way to achieve this is to call the cancel function through the Governor contract, such that the Governor’s internal state will also be updated.

Cancelling the proposal in the Timelock (but not through the Governor) is something of an “undefined behavior.” Different flavors of the Governor will react differently in this situation. I believe, after a quick code dive, that the ENS Governor will do what many do in this situation, namely: if cancelled directly in the Timelock, the proposal status in the Governor will revert to “Succeeded”, allowing it to be queued in the Timelock again (with the clock reset).

Since anyone can requeue it, we have to assume the creator of the malicious proposal would do so. This means, the security council can’t juts cancel a malicious proposal. They have to cancel it over and over again.

Here’s the relevant code snippets to look at to verify this:

• https://www.contractreader.io/contract/mainnet/0x323A76393544d5ecca80cd6ef2A560C6a395b7E3#governortimelockcontrol-9-29-56
• ENSGovernor — 0x323A76393544d5ecca80cd6ef2A560C6a395b7E3

Hey Ben, thanks for taking some time to analyze the contracts and giving feedback.

I didn’t imagine this requeueing scenario, so I wasn’t sure if it was possible. I added a test case to make it easier to simulate and collaborate, feel free to run the repo and test.

What you mentioned is correct if we solely analyze the Governor.sol contract used in the ENSGovernor.sol

However, there appears to be some confusion regarding the behavior of the state function and the inheritance in the GovernorTimelockControl contract. Here’s a clarification:

1. Inheritance Structure:

• ENSGovernor contract inherits the GovernorTimelockControl contract that inherits the Governor contract, meaning it extends the functionality of Governor and can override its functions.

2. GovernorTimelockControl.state() Function:

• When state(proposalId) is called on GovernorTimelockControl, it first invokes the Governor.state() function, which will return succeeded.

• After obtaining the initial state from Governor.state(), GovernorTimelockControl performs additional checks (see Line 49 of GovernorTimelockControl.sol).

• If the proposal wasn’t queued before, it returns succeeded, otherwise it performs the checks below.

• It checks the proposal status in the Timelock using timelock.isOperationDone, which returns false if the operation is not completed.

• Based on these checks, if the proposal is not in an executed state in the Timelock, the function will return the proposal state as queued.

3. Requeueing Constraints:

• If an attempt is made to requeue a proposal that has been directly cancelled in the Timelock, the queue() call will revert with Governor: proposal not successful due to the proposal state being queued.

Conclusion

The feedback may not have fully accounted for the overridden state function in GovernorTimelockControl. The additional checks ensure the proposal’s status in the Timelock is accurately reflected. Therefore, a proposal cannot be requeued once it has been canceled directly in the Timelock.

I hope this clarifies how the state and queue function in ENSGovernor operates and addresses the concerns raised.

Again, thank you for bringing this up, the more eyes we have on those contracts and proposals on the DAO, the better. I encourage you to take a deeper look at the contracts so we can find more nuances.

I like the idea of locking tokens for increased voting power (and potentially, for staking rewards); it does indeed align people better with the long term success of ENS, since it prevents them from supporting a destructive action and immediately selling their tokens before it can affect them.

However, I question the usefulness of allowing staked tokens to be liquid; that effectively bypasses the lockup, and in the end state you could reasonably expect all tokens to be locked for the longest period, since the locked/staked tokens are just as liquid, and more valuable.

I’m also in the camp that it doesn’t make sense for staked tokens to be liquid.

If we go the vote-escrowed token route, veENS shouldn’t be made transferable. In both the Curve and Yearn implementations, their ve tokens are not transferable.

Hello folks! Great points @nick.eth and @dinesh.eth, I’d like to respond:

The VE (Vote Escrow) model, while successful in the context of Curve Finance, has several drawbacks that make it less suitable for the ENS ecosystem:

1. Opportunity Costs: The VE model forces token holders to choose between the potential rewards of the VE system and the yields offered by external protocols like restaking, (which I fully expect to become a blackhole for governance tokens). This tradeoff introduces an unnecessary opportunity cost and could discourage participation in ENS governance.

2. Concentration of Power: The VE model can lead to the concentration of voting power among a few dominant players, as seen in the “Curve Wars.” This can result in a less decentralized governance structure and potentially enable a small group of actors to exert disproportionate influence over the direction of the DAO.

3. Vote Markets and Complexity: The competitive dynamics of the VE model can give rise to vote markets and complex strategic maneuvers, as participants vie for control over reward distribution. This complexity can create barriers to entry and may not align with the ENS DAO’s goals of fostering an inclusive and community-driven governance model.

4. Lack of Flexibility: The VE model locks tokens for a fixed period, which can limit token holders’ flexibility to react to changing market conditions or participate in other opportunities. This rigidity may not be optimal for the dynamic and rapidly evolving DeFi landscape, especially when considering token holders must now evaluate the opportunity cost of re-staking services like Eigenlayer against long-term VE lockups. In the worst case scenario this may lead average token holders to pursue regular short term yield via restaking, while malicious actors pursue leveraged voting power via VE lockups. Effectively segregating your token holders by speculative intent: (make money by restaking or rugging)

Additionally, a liquid staked version of veENS is inevitable: the opportunity cost of the VE model is simply too high for token holders. Without an ENS-aligned liquid staked token (LST), the most likely outcome is the creation of 3rd party extractive liquid staked veENS tokens, leading to vote markets that sell voting power for additional yield. This is an extremely negative outcome for ENS, and also the most likely.

In contrast, the liquid staking model offers a more suitable and effective solution for the ENS DAO:

1. Alignment of Incentives: Liquid staking creates a direct link between the performance of the DAO and the rewards earned by participants. This alignment encourages a more engaged and committed governance community, as token holders have a vested interest in selecting delegates who will drive positive outcomes for the ecosystem because their yield depends on it. Token holders will hold their delegates accountable for non-extractive, aligned yield. Because ENS earns revenue, effective long-term management is economically more valuable than short-term extraction.

2. Decentralization and Inclusivity: By providing a liquid representation of staked tokens, the liquid staking model promotes broader participation and decentralization. This makes it more difficult for any single entity to accumulate excessive voting power and exert undue influence over the DAO. A malicious entity is now in competition with aligned token holders, as the former is incentivized to pursue capture, while the latter are incentivized to pursue an ever larger share of ever growing protocol yield.

3. Flexibility and Adaptability: Liquid staking allows token holders to benefit from both governance rewards and external yield opportunities, providing greater flexibility compared to the VE model. Moreover, the ENS DAO can adjust incentives, parameters, and rewards based on the evolving needs of the ecosystem, ensuring that the governance model remains responsive and resilient.

4. Targeted Incentivization: The ENS DAO can leverage liquid staking as a tool to incentivize desired behaviors and contributions from its community. By allocating rewards to active participants, high-quality proposals, and ecosystem development, the DAO can align the community’s efforts with its strategic objectives and foster a more collaborative governance environment.

In summary, while the VE model has its merits in specific contexts, it falls short in addressing the unique needs and goals of the ENS DAO. Liquid staking, on the other hand, offers a tailored solution that aligns incentives, promotes decentralization, and provides the flexibility needed to adapt to the ever-changing DeFi landscape. By avoiding the pitfalls of the VE model and empowering the ENS DAO to shape its own governance dynamics, liquid staking presents a more promising path forward for the ENS ecosystem.

As a note, while Unistaker as mentioned by @bendi is a great starting point for underlying staking, we believe there are better versions that could be built. As alluded to above, there will be LST versions of VE tokens, so also possible to build the liquid staked version of ENS on top of a veStyle system, so it’s also not a binary choice. We could do both if the Unistaker model really doesn’t appeal. (Although I think it’s better than veStyle for ENS)

I don’t follow your reasoning here. If malicious actors have to lock up their tokens for a long period, this is working as intended, as it requires them to hold the tokens even after the effects of their actions have become apparent.

You’re right that we can’t easily prevent people creating liquid wrappers for nonliquid staked tokens.

What I don’t understand here is how liquid staked tokens are meaningfully different from unstaked tokens. You could just as easily distribute tokens to all ENS tokenholders, and in the extreme case where all tokens are staked - which is the economic equilibrium - it would seem to have the same effect. It’s also, of course, a no-op in the sense that everyone ends up with the same proportion of voting power at the end of the exercise as they had at the beginning.

If you want to implement a system where rewards are based on delegating to an active delegate, that can also be done equivalently with or without staking. Liquid staking really just seems to add a wrapper to a token, with no clear added value I can see.

Note that the ENS constitution forbids distributing protocol revenue to ENS token holders.

I think thats probably more true in a DAO where the treasury is denominated in the native DAO currency and an attack would drive the token to zero.

In ENS’s case, the DAO is denominated in ETH which retains it’s value irrespective of the performance of ENS. So malicious actors are instead incentivized to acquire the treasury ETH, the loss of value on their ENS would simply be part of the attack-cost. Ironically, if the attack was successfull, AND the malicious entity valued the ENS tokens, an attack would drive the speculative premium of ENS down, and the entity would now posses the Treasuries ETH with which to buy the ENS back at a discount.

What I don’t understand here is how liquid staked tokens are meaningfully different from unstaked tokens.

Unstaked tokens carry direct governance rights. Meaning that when users attempt to find some sort of yield on their token, (such a depositing on a centralized exchange, or locking) they necessarily remove voting power from access from the DAO. Thus the voting power gets pooled in DeFi Protocol or Centralized exchanges. I think this is going to become a huge issue when the restaking protocols come online for ERC20s, and now ENS users have to choose.

Here is an example I drew up for Uniswap:

Uniswap danger1920×1160 135 KB

Basically token holders are faced with the choice:

“Hold the token, vote, and get nothing”
or
“Deposit into Eigenlayer and earn yield”

You can imagine that maybe the majority of tokens holders will make the “earn yield” selection. Indeed the larger the ENS token holder, the larger the opportunity cost for them, meaning the DAO is forcing them between making money and participating in a DAO for free (or worse, participating in the DAO with extraction as the goal).

The idea of doing a Liquid Staked version is to remove the opportunity cost where speculative token holders have to deprive the DAO of security in exchange for earning money on their tokens. Since the liquid staked version pools the underlying ENS token in the contract, we can repurpose the voting power of speculative holders in a positive way for the DAO (the DAO can figure out what “active” means in this case, but we have a few ideas)

Speculative Holders3327×2402 472 KB

Liquid staking effectively splits the economic value of the token from the governance value of the token. Eliminating the opportunity cost that token holders face. The LST token only has governance power via proxy, the native DAO Token IS the governance power.

BTW: some nice ENS charts
https://dune.com/Marcov/dao-token-holders

You’re right that we can’t easily prevent people creating liquid wrappers for nonliquid staked tokens.

A big part of the idea we have is that we should build liquid wrappers as a public good, so that they aren’t captured via misaligned wrappers.

Note that the ENS constitution forbids distributing protocol revenue to ENS token holders.

Correct, would it be productive to instead think of this of paying active token holders for the act of governance? Something interesting here is that you can split the revenue generated by staking: part goes to the token holder while part goes to the delegate. If you want 100% you have to both hold the token (the liquid staked token) AND delegate, (and then ideally actively participate- I’ll punt the convo for what counts as active participation for now). Now you’re receiving rewards for doing work, and no token holders receive revenue for not doing work.

The LST layer is above the staking layer, so we can redistribute value to LST token holders by providing software that helps “active work” be accomplished, effectively LST token holders that hold for speculative reasons give their rewards to delegates who do work.

Hey @alextnetto.eth thanks for taking my post seriously and looking into it! I was aware of the inheritance model, what I missed was that this version of GovernorTimelockControl keeps its own internal mapping of timelock ids, rather than relying on the Timelock’s storage itself, which is cleared when the proposal is cancelled in the timelock.

Practically what this means is that a proposal cancelled in the Timelock will be stuck in the “Queued” state forever. While obviously not ideal, this is certainly better than being re-queuable, and probably acceptable if the intention of the veto is only for emergency situations. I do think it points to the fact that this “solution” is very much a hack, both from the technical and social side, and ideally we will find a more sustainable way forward. But I’m relieved this works for now.

We should move the staking discussion elsewhere.

If we reward delegation then the choice would be: “I hold my token, delegate it and earn rewards” vs “I deposit it in Defi and get rewards”. I agree with Nick that I fail to see why the concept of “staking” adds any value. We don’t need to stake in order to reward people.

2 posts were merged into an existing topic: Liquid staking for $ENS