Executed

[TFIP-6] Assign CANCELLER role


ID 704553...1885

Proposed on: Jun 12th, 2023

Actions

Type: Custom
Address: 0x4f4A...3d07
Details: grantRole(..)

Proposal

Abstract

To protect the DAO from potential governance attacks, we propose assigning the CANCELLER role to the multisig 0x8c8FcA3812c4272756120E207D3ED496A73Bc528.

The following security measures have been undertaken:

  • All signers are using hardware wallets
  • Members are geographically dispersed
  • There is a stringent procedure in place for reviewing all proposals, which includes performing reviews and simulations before execution.

Multisig Settings

  • Multisig threshold is 3/6.

Signers

  • 2 persons coming from Archblock ecosystem
  • 2 persons connected to Wallfacer
  • 2 long-time community members

Background

After the recent Tornado Cash governance attack, it seems increasingly important to protect the DAO from a similar scenario. To safeguard TrueFi DAO we propose setting the CANCELLER address in our Governor to 0x8c8FcA3812c4272756120E207D3ED496A73Bc528. The CANCELLER role is already implemented in our Governance as a result of TrueFi using OpenZeppelin’s governance contracts, but it has not previously been set.

What CANCELLER can do:

  • If a proposal is faulty or adversarial, the canceller can execute a transaction that renders the proposal ineffective.

What CANCELLER can’t do:

  • Canceller can NOT make any decisions or execute any transactions on behalf of the DAO. Its only power is to CANCEL proposals.

There is precedent for something like this at major protocols like Curve that have their Emergency DAO (https://dao.curve.fi/emergencymembers) in the case of malicious behavior.

Risks:

It is worth noting that there are certain scenarios where CANCELLER could actually collude with a black hat hacker to extract value from protocols by delaying “rescue proposals”. As a result, CANCELLER should be treated as a temporary measure until there is more value in the protocol and/or a better solution is found.
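
The proposal's only action is a grantRole(..) call, so a voter or signer reviewing it can decode the action's calldata and confirm that the grantee is the multisig named above. The following check is an added example, not code from the proposal or from TrueFi; it assumes the standard `grantRole(bytes32,address)` ABI layout, and the role identifier and sample calldata are constructed placeholders (the real role id should be read from the target contract).

```python
# Added example: review a grantRole(bytes32,address) proposal action before voting.
GRANT_ROLE_SELECTOR = bytes.fromhex("2f2ff15d")  # selector of grantRole(bytes32,address)
# Multisig address taken from the proposal text.
EXPECTED_ACCOUNT = "0x8c8FcA3812c4272756120E207D3ED496A73Bc528"
# Constructed placeholder, NOT the real role id; read the real one from the contract.
PLACEHOLDER_ROLE = bytes.fromhex("c0" * 32)


def decode_grant_role(calldata: bytes) -> tuple[bytes, str]:
    """Return (role, account); raise ValueError if not a well-formed grantRole call."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(calldata)}")
    if calldata[:4] != GRANT_ROLE_SELECTOR:
        raise ValueError(f"selector {calldata[:4].hex()} is not grantRole")
    role, word = calldata[4:36], calldata[36:68]
    # An address occupies the low 20 bytes; the upper 12 must be zero.
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return role, "0x" + word[12:].hex()


def review_action(calldata: bytes, expected_role: bytes, expected_account: str) -> list[str]:
    """Return a list of findings; an empty list means the action matches the text."""
    try:
        role, account = decode_grant_role(calldata)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if role != expected_role:
        findings.append(f"role {role.hex()} differs from expected role")
    # Compare case-insensitively: checksum casing carries no address bits.
    if account.lower() != expected_account.lower():
        findings.append(f"grantee {account} differs from expected account")
    return findings


def build_sample(role: bytes, account: str) -> bytes:
    """Construct sample calldata for the demonstration (not taken from the chain)."""
    return GRANT_ROLE_SELECTOR + role + bytes(12) + bytes.fromhex(account[2:])


if __name__ == "__main__":
    good = build_sample(PLACEHOLDER_ROLE, EXPECTED_ACCOUNT)
    swapped = build_sample(PLACEHOLDER_ROLE, "0x" + "11" * 20)  # constructed wrong grantee
    print(review_action(good, PLACEHOLDER_ROLE, EXPECTED_ACCOUNT))
    print(review_action(swapped, PLACEHOLDER_ROLE, EXPECTED_ACCOUNT))
```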

