[DAO:5f80d4d] Community Feedback on Security Advisory Board

by 0x247e0896706bb09245549e476257a0a1129db418 (LordLike)

PROPOSAL PURPOSE

Due to the importance for the DAO and the significant power held by the SAB, such as the ability to halt DAO operations initiated by the DAO Committee or the Community, and holding multisig keys for the most important DAO smart contracts, this proposal aims to start a public discussion about the Security Advisory Board, including but not limited to:

  • Who are the members of the SAB?

  • How should SAB members be voted in? (requirements, qualifications, etc.)

  • Should SAB members receive compensation, and if so, how? (on a monthly or performance basis)

  • Should there be additional documentation and guidelines on SAB operations?

  • Should there be reports or updates from the SAB to the Community, and if so, when and in what form?

  • Should SAB members be interviewed by the Community or specific DAO Core Units once in a certain period of time? (For example, in Town Halls / in private form)

WHAT IS THE SAB?

The Security Advisory Board acts as a guarantor of Decentraland’s smart contract security, and is tasked with overseeing the work of the DAO Committee and responding to vulnerability and bug reports in any of Decentraland’s contracts.

The SAB includes 5 Solidity experts that have initially been selected by the Decentraland development team. Any time a modification is to be made to the LAND or Estate contracts, the update must be unanimously supported by the SAB’s multi-sig. At least three signatories are required with no dissenting votes in order to make any changes to the LAND or Estate contracts.
The SAB has the ability to pause, resume, or cancel any action taken by the DAO Committee.

Initiating the addition or removal of a member of the SAB can be done by kickstarting a Governance proposal process on governance.decentraland.org.

Please share your ideas and concerns related to this proposal in the DAO Discord or comments (forum post).

VOTING OPTIONS:

YES: I support Community Feedback on SAB

NO: Leave as it is

  • YES
  • NO
  • Invalid question/options

Here is some context about the SAB.

They are listed in the transparency page and described here.

  • Agustín Ferreira (Advisor to Decentraland Foundation)
  • HPrivakos (DAO Committee member)
  • Nacho Mazzara (Engineering Manager at Decentraland Foundation)
  • Ariel Barmat (Engineer at The Graph and previously engineer manager at Foundation)
  • Brett Sun (Aragon One’s CTO)

IMHO, the SAB should pick the new member and validate the decision with the DAO. The requirements might not be the same for all members but generally, you would expect heavy knowledge of smart contracts and EVM. Also, involve critical stakeholders with a lot of context about the project and/or key infrastructure.

At the moment the position is voluntary. All of them want to see the project succeed.
They are not active on a daily basis, but they are always on call when an emergency happens. Operative tasks should rely on the DAO Committee; the SAB is for emergencies.

I don’t think so, but I’m happy to provide clarity about it. Do you have specific questions?

The last time there was a vulnerability report the SAB gathered, fixed it, and published an update in record time. IMHO reporting and updates should be done by the DAO Committee.

The DAO Committee should be in contact with the SAB. I don’t see the need for recurrent interviews.

Here is some context about the SAB.

Yeah, I also saw them on the transparency page, but except for Kyllian I don’t see any of them in the Community Discord or discussions. I don’t say it’s bad or good, I am just curious to someday hear from these folks and their thoughts, because they are so important for the DCL DAO. Just my 5 cents. :cowboy_hat_face:

I don’t think so, but I’m happy to provide clarity about it. Do you have specific questions?

For example, additional documentation and guidelines on SAB operations:

  1. Recommendations on security research/analysis (frequency, methodology, best practices, etc.).

  2. Guidelines on conflicts of interest.

  3. An algorithm for how to handle situations when there is no consensus among members.

  4. Guidelines on when the SAB can halt the Community’s DAO decisions (operations).

  5. A procedure for Community members to receive the SAB’s opinion on certain DAO matters/proposals, for example:

https://forum.decentraland.org/t/dao-51c6200-increase-voting-threshold-for-modifying-land-or-estate-smart-contracts/18408

Thank you very much for your feedback. :handshake:

At the moment the position is voluntary. All of them want to see the project succeed.
They are not active on a daily basis, but they are always on call when an emergency happens.

Also, what do you think: should this position remain voluntary?

Shouldn’t the SAB or its individual members be active on a daily basis due to the importance of security issues?

Thank you @yemel for that information. This sounds like a “don’t fix what’s not broken” sort of thing; however, there probably should be some sort of contract in place on the off chance that something unforeseen should happen. I hope that the SAB will take a look at this and offer some feedback. I’d hate to disrupt what is currently working, especially since they are volunteers, but I’m sure from a security standpoint they would see the importance of such things.

Hi web3nit, I agree with what yemel mentioned. On top of that, my opinion is that since the SAB’s job is to rectify critical vulnerabilities, presence within the Discord isn’t mandatory, although it’d be good.

Hey :wave: Thanks for your feedback. To avoid any confusion, let me clarify that my suggestion is not to make it mandatory for them to spend time on Discord, but rather to maintain a minimal presence and interaction with the Community. This could involve someone from their team visiting for an annual town hall or posting on the forum, for example. Currently, we don’t hear much from them, and I wanted to share my opinion on this matter.

Maybe the position should be remunerated. But I believe it being voluntary avoids some conflicts of interest, IMHO. The fact that these members are willing to serve without a financial motivation speaks well of it.

I don’t think they should be required to be active on a daily basis. On the contrary, the less burden we place on them the better.

As @Existential14 commented, I think this is a case of “if it ain’t broken, don’t fix it”.

Community Feedback on Security Advisory Board

This proposal is now in status: FINISHED.

Voting Results:

  • Yes 100% 1,694,120 VP (68 votes)
  • No 0% 0 VP (0 votes)
  • Invalid question/options 0% 0 VP (0 votes)

This proposal has been PASSED by a DAO Committee Member (0xbef99f5f55cf7cdb3a70998c57061b7e1386a9b0)