Request governance delay poll include more options than 0 days or 1 day

I believe the current plan for the upcoming governance delay poll is to ask users if they think governance delay should be enabled or not, and if enabled it will be 24 hours. I personally believe that 24 hours is too short of a delay due to the human coordination required to execute global shutdown being high and potentially not something that can reasonably happen within 24 hours.

I would like to see the upcoming poll for governance delay include 0 days, 1 day, 3 days, and 7 days so people can give their feedback during polling on how long the delay should be.

4 Likes

I’d like to see input from @cyrus because making the delay too long will prevent the timely deployment of other potential mitigations. It might be better to commit to increasing the governance delay gradually on some kind of schedule.

For example, suppose we increase the delay from 0 to 5-10 min, ASAP. Then maybe add 1 hour per week until we get to 1 day. Then reassess.

3 Likes

I definitely agree that arguments for and against longer/shorter delays should be presented here and outlined in the poll text. However, I’m not a fan of using Maker Foundation’s role as governance poll gatekeepers of the polling system as a means of suppressing certain governance options (I’m not trying to imply this is what you are suggesting).

1 Like

For the “why a longer delay is better”, it is because human coordination is hard.

Imagine there was a 24-hour governance delay and an attacker initiated a governance attack. The following things would all need to occur within 24 hours:

  1. Someone notices that an executive vote passed. A bot can do this, but that bot then needs to notify a human, but is the human watching the bot awake? Are they on a plane? Do they have reliable internet service? Does such a bot exist right now?
  2. A human needs to evaluate the situation to make sure it wasn’t just a spurious ping by the bot. Bots can have bugs and you wouldn’t want to globally shut down because of a bug in your bot.
  3. That human needs to alert other humans to the situation. Are these other humans readily available? What if it is Christmas day and everyone is spending time with family? What if it is DevCon and entire teams are on 18-hour flights across the planet?
  4. The collected humans need to analyze to make sure this is actually an attack and not a legitimate governance proposal. The Maker Foundation isn’t the only team allowed to submit governance proposals so (IMO) they cannot reasonably just global shutdown anytime someone besides them pushes a proposal through. Even if they did they would need to ensure that it wasn’t coming from within Maker Foundation (again, need to talk to the right set of people).
  5. Once it was decided that an attack was underway, you now need to coordinate the global shutdown. This process in the best case requires a quorum of multisig holders to sign a transaction. Is a quorum of multisig keyholders available and within reach of their private keys? Again, thinking about a timed attack during Christmas or DevCon, this may not necessarily be the case.

A 24-hour governance delay certainly increases the risk of this attack from “risk-free for attacker” to “significant risk to attacker”, and 24 hours is way better than 0. However, I think 7 days is a much more appropriate governance delay as it gives plenty of time for human coordination.

1 Like