Marching Towards Ungovernance
Cutting the multisig umbilical cord and putting control of core modules in the hands of governance
One of the core values guiding RAI so far has been “ungovernance”, which we define as progressively revoking privileged permissions over the protocol. To maximize protocol reliability and minimize the influence of unpredictable humans, we aim to remove our ability to change any protocol parameters that we can safely freeze, and make tampering with the remaining protocol parameters as difficult as we can.
Cutting the cord
Over the past few months, we’ve frozen most of the protocol parameters permanently. To see the parameters we have frozen and which we are keeping governed, please see the posts Overview of Ungovernance Phase 1 and Overview of Ungovernance Phase 2 on the Reflexer forum.
The protocol contracts that are still mostly governed can be grouped into the following categories:
- Contracts that interact with or receive data from the outside world (oracles, ETH OSM, saviors)
- Contracts that manage internal resources that are used to incentivize outside behavior (SF treasury, debt popper rewards, rewards relayers for oracles)
- RAI controller contract/s
- Contracts that are part of the governance module (e.g DS Pause)
Now that RAI is largely ungoverned, the final stage of Ungovernance Phase 2 is revoking the multisig. Once multisig access is revoked, the sole power to update protocol parameters will be in the hands of the newly formed Reflexer DAO, a Compound Bravo deployment hosted through Tally.
From this point forward, only governance can ungovern governance, all parameter updates will have to be made through governance proposals. By kicking our multisig out, we’ve essentially cut the umbilical cord between the original team and the RAI system, putting RAI completely in the hands of the community.
Revoking the multisig
Revoking the multisig was a 5 step process:
- We deployed the Reflexer DAO with the appropriate governance parameters: 3-day voting period, 1-day timelock execution delay, 3K FLX proposal submission threshold, and 20K FLX quorum required to pass.
- The multisig granted the Reflexer DAO access to the RAI protocol (tx link). The multisig was still the “owner” of the RAI system, but now the deployed governance could also submit and execute RAI protocol updates.
- Governance voted to change the timelock, which made it the owner of the RAI system, but with the multisig still having access such that the multisig could also make changes.
- Then, we tested the ability of governance to change parameters via the following proposals: update the gas oracle parameter and send a payment from the DAO treasury.
- The final step is revoking the multisig access, such that all future RAI protocol updates and treasury proposals MUST go through the RAI governance process.
What this means for RAI
From now on:
- All protocol parameter updates must happen via governance
- Governance must approve DAO payrolls and incentives
- Governance has total and exclusive control (no more multisigs)
- Only governance can ungovern the governance
At this point, there’s very little we (the Reflexer team) can do if something unexpected occurs. Our hands are now tied, any changes will require a vote, and be subject to a 4-day timelock before being executed on.
P.S. this isn’t Snapshot, all governance proposals are binding.
“It’s as if we’re watching our child leave home to go to university. We’ve done all we can to prepare for them for this moment, and it’s a bit nervewracking to watch them walk out that door” — Fabio, Security Lead
Moving forward, all RAI community members must exercise constant vigilance and work together to detect and thwart any potential governance attacks against the protocol, as we continue marching towards ungovernance.