YAM Update: Guardian Proposal

Yam Finance
Sep 22, 2020

A proposal has been submitted by YAM Deployer to switch to a new Governor Alpha contract, which makes the following modifications:

  • Set YAM Deployer address to Guardian
  • Limit the Guardian’s actions to calling the cancel() and abdicate() functions

This will allow the YAM Deployer contract (controlled by Brock, lead developer) to cancel proposals deemed malicious by the community. Cancellation can be done at any time during the ~48-hour voting and 12-hour time lock processes, and will be subject to an emergency off-chain vote on Snapshot.

You can view the submitted proposal here.
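
The restricted Guardian role described above can be modeled as a small state machine. This is an added illustration, not code from the YAM or Compound contracts: the class and state names are hypothetical, vote tallies are skipped (every proposal is assumed to pass), and only the 48-hour and 12-hour windows are taken from this post.

```python
from enum import Enum

HOUR = 3600
VOTING_PERIOD = 48 * HOUR    # "~48-hour voting" in the post
TIMELOCK_DELAY = 12 * HOUR   # "12-hour time lock" in the post

class State(Enum):
    VOTING = 1
    TIMELOCKED = 2
    EXECUTABLE = 3
    EXECUTED = 4
    CANCELED = 5

class GuardedGovernor:
    """Toy model: vote tallies are skipped and every proposal is assumed to pass."""

    def __init__(self, guardian):
        self.guardian = guardian      # the only privileged address
        self.proposals = {}           # proposal id -> {"start", "final"}

    def propose(self, pid, now):
        self.proposals[pid] = {"start": now, "final": None}

    def state(self, pid, now):
        p = self.proposals[pid]
        if p["final"] is not None:
            return p["final"]
        age = now - p["start"]
        if age < VOTING_PERIOD:
            return State.VOTING
        if age < VOTING_PERIOD + TIMELOCK_DELAY:
            return State.TIMELOCKED
        return State.EXECUTABLE

    def cancel(self, caller, pid, now):
        # Guardian-only; in this model, allowed at any point before execution.
        if self.guardian is None or caller != self.guardian:
            raise PermissionError("only the guardian may cancel")
        if self.state(pid, now) is State.EXECUTED:
            raise ValueError("already executed")
        self.proposals[pid]["final"] = State.CANCELED

    def abdicate(self, caller):
        # Gives up the cancel power; this model has no way to re-assign it.
        if self.guardian is None or caller != self.guardian:
            raise PermissionError("only the guardian may abdicate")
        self.guardian = None

    def execute(self, pid, now):
        if self.state(pid, now) is not State.EXECUTABLE:
            raise ValueError("not executable")
        self.proposals[pid]["final"] = State.EXECUTED
```

The model has no method that lets the Guardian create, queue or execute a proposal, which is the point of limiting the role to cancel() and abdicate().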

Rationale

Early on Tuesday morning, September 22nd, one of the YAM creators discovered a potential economic exploit of the protocol that could enable a malicious actor to take control of the protocol, including the treasury. In the current design, the strong incentives to provide liquidity to Uniswap are at odds with the ability to ensure robust participation in governance, because YAM in the Uniswap pool is not currently eligible to vote. In short, a situation was possible in which the economic cost to submit/pass proposals might be less than the amount the attacker stood to gain from taking control of the protocol.

To guard against this, the submitted proposal grants the YAM Deployer the ability to cancel any governance proposal. The intent is for the YAM Deployer to retain this ability for a short period of time, until a fix can be implemented, audited, deployed, approved by the community, and activated. During this time, the YAM Deployer is committed to exercising the cancellation function only if the community approves via off-chain voting on Snapshot.

Potential Solutions

  1. In tandem with YAM, enable staked LP balances to participate in governance
  2. Increase potential participation in governance by setting all accounts to delegate to themselves by default. This enables them to vote in proposals from the outset.
  3. Deploy a new token contract that sets Guardian (with either cancel-only or broader privileges) to a community multisig, to be used to address potential future attacks on the protocol.

These and other potential solutions should be discussed in the governance forum and voted on off-chain via Snapshot. The preferred solution(s) should be coded and audited before being submitted as an on-chain proposal.

Takeaways

Bootstrapping fully on-chain governance via fair launch is hard. We have adapted a governance module from a protocol (Compound) with a different token distribution and incentive structure. Any protocol attempting to establish robust governance should take steps to involve voters as early as possible in the launch process, and in a way that does not conflict with their incentives.
