[DAO:d884fa6] Should we extend the DAO Committee to more than 3 members?

by 0xffac7fd045303112fdb28e9dace8e1334ad324c0 (eordano)

Summary:

Adding a member to the Committee strictly increases the security of the DAO. Particularly, since we have 5 good candidates for the role, add 3 new members to the DAO Committee.

Explanation:

The DAO Committee is a group of 3 semi-trusted individuals who have been selected by the community to hold keys in a multi-signature wallet and other mechanisms to enact decisions on the DAO. This group is responsible for enacting any passed votes with a binding action, like funding a Grant, banning a name, adding or removing a POI, implementing a Governance proposal or adding a Catalyst node. Currently, since Eric resigned, the group is made up of only 2 individuals.

Particularly, with the current required-consensus setup, the collusion of these two members is enough to drain the DAO’s treasury in case the Security Advisory Board (SAB) fails to react in less than 24 hours (according to this blogpost, there was a 4 hour lead time last time it was needed).

Today, any member of the Committee can cancel a transaction initiated by another member on the On-Chain Aragon DAO. That means that full collusion of the whole group is required to empty the wallet, if everyone is aware of the votes being submitted, in a security scheme also named “anytrust”, meaning that “one honest participant is enough to prevent collusion”. In other words, adding a member strictly increases security. I trust Yemel and HPrivakos a lot, but this trust is unnecessary. If the SAB fails to act in time, and one of them is on a Vipassana retreat, anyone with access to the private key of the other member (maybe a cyber threat actor) can swipe the ~17M USD from the DAO.

The only caveat I see to adding more members is that any one member can block all the other members from the Committee from enacting transactions, but that is less critical – the DAO can decide to remove this member so operations can continue.

Additionally, the SAB is in charge of enacting these changes on the Committee, which I think is an error. I see the SAB as one half “special forces”, and one half “wise judges” – in any case, they should not be bothered with any day-to-day activities. In my lousy analogy of SAB as “judges/military”, having them adding or removing a Committee member is the equivalent of putting some special forces military team in charge of organizing a normal democratic election, and putting judges in charge of execution of presidential transition ceremonies. It is my opinion that the SAB should only concern itself with providing emergency solutions to bugs and problems with smart contracts.

We currently have 5 candidates for the position of DAO Committee Member: AwedJob, Tobik, Martriay, Szjanko and Champ. I think we could pick 3 from this list, not only 1.

Looking forwards to the future, our DAO should:

  • improve the agility and ergonomics of the governance processes
  • reduce burden on DAO Committee members
  • not involve the SAB in day-to-day activities
  • reduce the trust required in particular individuals

  • Yes: add 3 new DAO Committee members
  • No: add only 1 new DAO Committee Member
  • Invalid question/options

Vote on this proposal on the Decentraland DAO

View this proposal on Snapshot

1 Like

I am voting Yes, to add 3 new DAO Committee members as this initiative will further decentralize this process.

Also, for only an additional $7,200 a month ($2,400 per member per month) this is a very small cost to ensure security of DAO funds.

2 Likes

57600$ a year :thinking: in 7 years - 403200$ (to the end of dao vesting contract)

Voting yes. By adding new members to the committee we will increase the security factor, reduce dependency on other teams, and have a more solid structure that will be able to better divide their day-to-day tasks.

Exploiting inattention and optimism is a major problem for decentralized organizations. I’d recommend you watch this talk if you still have doubts about what to vote: https://archive.devcon.org/archive/watch/6/exploiting-inattention-and-optimism-in-daos/?tab=YouTube (Spoiler alert: This is SCARY)

My only concern is with the original binding proposal and this proposed change. I think we should finish this cycle (Adding 1 member) and then add two more members once this change goes through the governance process.

3 Likes

+1

This is just a pre-poll; if I’m not mistaken, we still have at least three more weeks before it becomes a binding proposal.

1 Like

I vote Yes. This allows for a “well-rounded” committee with members bringing in different perspectives, professional experiences and applicable skills.

1 Like

I am voting yes. Decentralization is key!

Will there be a new open call for additional candidates to fill the 2 remaining positions after the first is chosen from this group?

The Committee had permissions to do that itself (or anything else) on the DAO/Aragon (with a 24-hour delay), but the SAB removed that permission for security reasons. :stuck_out_tongue:
That’s also the reason the Committee cannot currently claim the vesting contract. Only the SAB can call the release function.

Apart from Martriay, none of the candidates have enough technical knowledge in my opinion.
If we add three members to the Committee, we might end up with a majority of Committee members with insufficient technical knowledge.
It also increases the difference in time zones, as candidates have vastly different time zones (12h difference between certain candidates), making coordination more complicated.

3 Likes

No, an on-chain Aragon community vote can do so too.

Insufficient technical knowledge for which tasks?

As @gino quoted, my nightmare scenario is https://archive.devcon.org/archive/watch/6/exploiting-inattention-and-optimism-in-daos/?tab=YouTube

  • Your private key gets compromised
  • Attacker waits until December 31st 18:00 GMT, a day and time with high chances that many “privileged guardian”[1] keyholders would be sleeping and/or offline for hours
  • Submit a fake snapshot vote to the DAO, to upgrade the LAND smart contract to steal LANDs, change Marketplace ownership to the attacker, or any other re-configuration of the Aragon Kernel that could lock the SAB and Community out
  • This vote/executive action goes unnoticed or is cataloged as “business as usual” for ~18 hours by everyone who has email/SMS/IM alerts programmed.
  • Those who do realize it in time fail to reach out to anyone with privileged guardian permissions, or they are unavailable to use their private keys within 6 hours.
  • LAND or Marketplace contract gets lost forever

It’s all very unlikely, as you and I have seen in the past (took less than 4 hours to reach out not just to one, but all the privileged guardians and community members [such as myself, as I don’t hold any privileged access to the DAO] who made themselves available to help even though they were not needed, on a weekend day) but I think we can all sleep better knowing that the margin of error for privileged guardians to react in case of a DAO Committee key compromise is higher than 24 hours.

Additionally, I would love for successfully defending against this kind of attack to not require the help of the SAB.

The DAO Committee is simply too insecure if the number of key holders is this low (I’d increment it further to ~7 or ~10, but let’s start with 5, or even 3 :stuck_out_tongue: ). The higher the number of “required active watchers” to protect against this kind of attack, the better off we are (as long as they don’t impede normal governance, as is currently the case with the vesting releases).

[1]: “Privileged Guardian” is how I would call any member of the SAB or the DAO Committee, those who can interrupt the 24 hour watch period. It’s my understanding that any member of the SAB can trigger a pause on DAO Committee actions.

3 Likes

Should we extend the DAO Committee to more than 3 members?

This proposal is now in status: FINISHED.

Voting Results:

  • Yes: add 3 new dao committee members 93% 1,839,849 VP (168 votes)
  • No: add only 1 new dao committee member 6% 127,373 VP (12 votes)
  • Invalid question/options 1% 35,024 VP (3 votes)

Should we extend the DAO Committee to more than 3 members?

This proposal has been PASSED by a DAO Committee Member (0xbef99f5f55cf7cdb3a70998c57061b7e1386a9b0)