[Temp Check] Governance Security: Compensating blockful for preventing a potential attack on the ENS DAO

Sorry for the delay in replying, I got busy preparing and traveling to Thailand for events and Devcon!

The vote has passed with 100% support (excluding me and blockful that abstained). The blockful team appreciates the support and recognition from the DAO for the efforts and outcomes around safeguarding the ENS DAO.


I don’t understand how the governance security review would fall under DAO tooling. It’s like saying that a Smart Contract audit is under the category of dev tooling.

If the blockful team had not been around the ENS ecosystem on such a daily basis, we would not have seen this vulnerability. As Nick mentioned in this thread, being a service provider should not disable their ability to claim a bug bounty.

Also, to completely address any concerns or misunderstanding around the service provider scope in the nomination (Dec 2023), when we mention security review ("At Blockful, we also do security reviews (audits)."), this is about smart contract security review, which is quite useful in the context of verifying call data for executable proposals. The governance security audit is something that was created out of this research that started around March, and it’s probably the first of its kind. Even its term/concept was conceived during these last months.

I really appreciate having these open dialogues to address the community’s concerns. And again, thanks for the support and recognition.


Yup, and that is why I believe it’s worth considering adding ‘Security Review’ as a dedicated line item in future Meta-Gov budgets.

This approach would allow for direct funding from a Working Group multi-sig, streamlining the process and avoiding the need for DAO-wide votes for each review task, especially as the ecosystem grows.

This would help manage security expenses more efficiently as the need arises.

100%, but while there may be reasons to believe the work does not fit the original scope, those reasons do not completely rule out the possibility that it still could.

I’m not trying to neg Blockful, as their work has been invaluable in securing the ENS DAO. I’m simply pointing out that, both procedurally and optically, the overlap between Blockful as a service provider and as a security reviewer could be confusing and may warrant additional structure to define these roles more distinctly.

Thank you for all your hard work. It’s so important for the DAO to have champions like Blockful contributing to securing its future and creating a more robust and resilient ecosystem overall!


Again, great, but the close association or official contributor applies, yeah?
