- At present, Celo Governance Proposals need to be approved by a 3-of-9 multi-sig in order to move the referendum stage (see documentation here).
- This step is intended to prevent whales (large CELO owners) from making a malicious or self-benefiting proposal and pushing it through by reaching quorum and a majority of votes (which assumes that other CELO holders either don’t take enough notice to vote against it).
- This allows the signers of the multi-sig to exert veto power over proposals (specifically, if 7 or more want to block, they can). This problem is exacerbated because the 9 signers are not currently public.
- Making public the 9 signers potentially puts them personally at risk (e.g. to doxing, bribery, etc.).
Comparison with Uniswap
- Uniswap protocol does not have any multi-sig step to prevent malicious proposals. Governance process here.
- Uniswap lays out a number of potential “attacks” and allows them to be dealt with by economic incentives, protocol participants withdrawing funds, and the threat of a hard fork. Worth reading here.
Use of a DAO instead of the multi-sig
It was proposed that some form of DAO could control the multi-sig step. To me this seems like an unproven approach that would add further complication and centralisation to the game theory of making proposals.
- I suggest that a list of risks and scenarios be built out just as Uniswap has done under “Adversarial Scenarios”
- I suggest that a timelock be added after a referendum is approved before the code can be deployed. This at least gives an opportunity for the community to react/withdraw before a malicious approval comes in. It also gives time for a hard fork.
- I suggest that a timeline be set for phasing out the multi-sig.
I am interested in hearing from the community on risks present within Celo (but not Uniswap) that would warrant this multi-sig step.