IIP-46: Security - Operations & Investment Account

IIP: 46
Title: Security - Operations & Investment Account
Status: Proposed
Authors: Matthew Graham (@Matthew_Graham), Dylan Tran (@dylan), Accelerated Capital (@AcceleratedCapital), PrairieFi (@prairiefi), Elliot (@ElliottWatts), DarkForestCapital (@DarkForestCapital), verto0912 (@verto0912), Mr Madila (@MrMadila), George (@george)
Created: 2021-05-21

Summary

We propose creating two separate multisig wallet addresses: one for each of the Operations and Investment accounts. We discuss the responsibilities of each multisig from an account security perspective.

Abstract

As outlined in the Treasury Diversification Proposal, the Treasury Working Group intends to split the current treasury into two accounts: an Operations Account and an Investment Account. In order to accomplish this, it is necessary to create two separate Gnosis multisig wallet addresses.

Initially, each account will have its own multisig wallet that will require 3 of 4 owners to approve a transaction. The four Index Coop representatives are: primary focal point for each account, TWG lead and 2 members of the Treasury Committee. The initial requirement for a minimum of 3 addresses approving a transaction from an eligible 4 addresses can be amended in the future as required.

Motivation

Currently, all transactions from the Treasury Committee Wallet are controlled via a 3 person multisig with a 1 of 3 approval requirement and the main Treasury Wallet is controlled by a 3 person multisig with a 2 of 3 approval requirement. Although the Treasury Committee has proven viable, due to the rapid growth Index Coop has experienced and the frequency of transactions increasing, we now need to cascade responsibility amongst the broader community.

With regard to overseeing Index Coop’s finances, some responsibilities are being transitioned from the Treasury Committee to the Treasury Working Group (TWG). The first step in this transition is for the TWG to set up the security structure around the Operations and Investment accounts. The Operations and Investment Accounts are to be funded from the Treasury Wallet as we transition to a more DAO-led approach.

Multisig wallet addresses enable DAOs to delegate transaction approval authority to selected contributors, known as owners. The DAO places its trust in owners to transfer funds efficiently and securely, knowing multiple owners need to approve each transaction; see infographic below.

One core feature of a multi-signature wallet is to be operated by multiple accounts known as owners. OwnerManager.sol allows you to add, remove, and replace owners. Furthermore, a threshold number of owners required to confirm a transaction for it to be executed can be specified and modified. This is a great feature as it allows the DAO to modify the control features as the DAO evolves over time. There is also the ability to set daily transfer limits on ERC20 tokens and approve whitelisted addresses that do not require confirmations. Initially we are opting for the basic version and will revisit the functionality of the wallet in time when the need to do so emerges. Multi-sig signers are expected to use hardware devices linked to their web3 wallet when performing these transactions, thus maximising the security against a potential attack.

There have been 6 audits on Gnosis Safe, with the most recent being 4th May 2020. All findings have been implemented, and currently there is a $7.5M bug bounty fund that offers $100K per bug. Gnosis Safe is trusted by many big-name DeFi protocols like Aave, Yearn and Balancer.

The initial names listed on the multisig accounts are as shown below:

| Roles | Operations Account | Investment Account |
| --- | --- | --- |
| Treasury Committee | @DarkForestCapital, @dylan | @DarkForestCapital, @dylan |
| Treasury Work Group Lead | @Matthew_Graham (:fire:Fire :fire:) | @Matthew_Graham (:fire:Fire :fire:) |
| Account Manager | @prairiefi | @AcceleratedCapital |

Voting

FOR:

Create Operations & Investment Account wallet addresses according to the IIP-46 proposal.

AGAINST:

DO NOT create Operations & Investment Account wallet addresses according to the IIP-46 proposal.

Copyright

Copyright and related rights waived via CC0.

10 Likes

@Matthew_Graham I think you are missing a poll in the voting section.

I am all FOR splitting the Treasury Wallet into an Operations Account and an Investment Account.

One concern I have, with the existing Treasury Wallet set-up, and the suggested Investment Account set-up, is that there is not enough redundancy with a 2-of-3 multisig.

The Ethereum Foundation uses a 4-of-7 multisig wallet to secure its funds (~$1B in value). It’s not difficult to imagine the Index Coop Investment account being over 1B in value in the future. Why should the Coop have less redundancy than the Ethereum Foundation?

5 Likes

I think it is good practice to allow time for some discussion before opening the poll. Then all the voters can have a chance to review the initial discussion before voting.

[it can also allow modifications to the proposal in light of the discussion before the voting opens]

3 Likes

The Treasury Wallet is a legacy structure in place from last year. As we grow, we have the ability to build out more security. We did increase the level of security on the Operations & Investment Account relative to the Treasury Wallet.

In time as these accounts receive more capital - I do think we will need to modify the structure from 3 of 4 to something more robust. The 4 of 7 is a good idea. It is good to keep in mind, these accounts are only going to be partially funded initially.

2 Likes
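For the signer thresholds discussed in this thread (1-of-3, 2-of-3, 3-of-4 and 4-of-7), the following added example, which is not part of any post or of Gnosis Safe's code, compares how many keys an attacker must compromise against how many keys can be lost before funds are locked. The per-key probabilities and the independence of signers are assumptions chosen for illustration.

```python
from math import comb

# Signing policies named in this thread: label -> (threshold M, owners N).
POLICIES = {
    "Treasury Committee Wallet (1-of-3)": (1, 3),
    "Treasury Wallet (2-of-3)": (2, 3),
    "Operations/Investment Accounts (3-of-4)": (3, 4),
    "4-of-7 suggested in the thread": (4, 7),
}

def at_least(k, n, p):
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def assess(m, n, p_compromise, p_loss):
    """Trade-off of an m-of-n multisig.

    Theft needs at least m owner keys under attacker control.
    Lockout happens once more than n - m keys are unavailable.
    """
    if not 1 <= m <= n:
        raise ValueError("threshold must satisfy 1 <= m <= n")
    return {
        "keys_to_steal": m,
        "losses_tolerated": n - m,
        "p_theft": at_least(m, n, p_compromise),
        "p_lockout": at_least(n - m + 1, n, p_loss),
    }

def compare(p_compromise=0.01, p_loss=0.05):
    """Assess every policy; the default probabilities are constructed values."""
    return {name: assess(m, n, p_compromise, p_loss)
            for name, (m, n) in POLICIES.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:42s} steal>={r['keys_to_steal']} "
              f"lose<={r['losses_tolerated']} "
              f"theft={r['p_theft']:.2e} lockout={r['p_lockout']:.2e}")
```

Under these assumptions 3-of-4 is far harder to steal from than 1-of-3 or 2-of-3 but tolerates only one lost key, while 4-of-7 improves on 3-of-4 on both axes.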

diving rrrrright on into question/notes :swimming_man:

Question one is the biggie and then the rest dig into the role of the TWG.

Questions

Supposing this proposal as-is gets voted in, what is the impact for the Coop? Is it simply, “two, empty multi-sig addresses will exist”?

  • If this is simply the case 1) my below-questions may be moot for this proposal 2) it seems like we can expect a subsequent proposal that covers funding amounts & responsibilities & the sunsetting of the Treasury Wallet

Given that many of the payments below (via TWG - Operations Account) aren’t actually happening today (smart treasury, distribution of rewards as stablecoins, KPI rewards, etc.)

  • Is approving this IIP approving those unexecuted programs?
  • What specifically is the Operations account responsible for funding?
  • Is the TWG Operations account a decision making body that decides what gets funded? Or is it a guidance body that shares the impact of potential spending? (or some other option I’m missing)

Which responsibilities are being transitioned from the Treasury Committee to the TWG?

I’m a bit hazy on the motivation

  • What is the motivation behind this? In the explanation above I see mentions of the Treasury Committee, the Treasury Wallet, overseeing Coop finances, a deep dive on Gnosis multi sigs and more

Confirming understanding

Under this proposal, the TWG Operations account will control the following payments

  • Methodologist Rewards
  • Smart Treasury
  • Liquidity Mining Framework
  • Full Time Employee Package
  • Distribution of Community Rewards in Stable Coins, wETH & INDEX
  • Contributor Token Ownership Plan
  • KPI Rewards Program
  • Governance Mining
  • Working Groups

Source: TWG - Operations Account

Hi @anon10525910,

Great questions.

In a nutshell, let’s create 2 accounts with no funds now, let’s talk just security and everything else will be dealt with via separate forum posts. :slight_smile:

The focus of this post is to communicate setting up the account structure and emphasising how the accounts will function from a security perspective. We limited the scope of the post to focus conversation around the security aspect. There will be many more posts around the Operations and Investment accounts as we work through those details of transitioning Index Coop into a sustainable DAO model.

Our initial push to set up these accounts is to facilitate creating the Balancer Private Pool (was Smart Treasury). We wish to do this as soon as the strategic raise is completed. There will be a separate IIP requesting funding from the Treasury Committee to the Operations Account to set up the Balancer Pool. I would expect this IIP post tentatively next week.

Each major decision affecting the accounts, like the Balancer Pool, will go via a separate IIP. The IIP process will be the way each account is funded and any delegation of responsibility from Treasury Committee to TWG captured (we really do need to change that Treasury Committee name :rofl:). We see this as a transition over time as we collectively scale our community.

6 Likes

:pray: appreciate all the clarification!

1 Like

Further to today’s planning call, I would like to highlight the above multi-sig can be amended to reflect how the account will change over time.

Initially the funds in the Operations Account are less than what is in the Treasury and the security is significantly enhanced. We elected for a 3 of 4 based on the fact this is more restrictive than the 1 of 3 currently in place on the Treasury account. If Set Labs wants more presence on the multi-sig we can add more people. If we need Balancer-specific skills, then I can reach out to a Balancer dev and add them temporarily to the multi-sig to launch the pool.

There are many ways to do this, we just need to be transparent and have open dialogue with the community.

Sharing some clarity here, appreciate the patience and conversation :pray:

There is no pushback on this specific proposal, as the outcome is creating 2 accounts with no funds.

Where it gets a bit stickier is around moving $20MM+ to Balancer Private Pool.

I will add specific comments there now ^

1 Like

Hi @anon10525910,

This is great news!

As both accounts are to be created without funds, what the TWG intends to do is present IIPs each time we wish to transfer capital into one of these accounts.

The initial Balancer Private Pool proposal may have been ambitious :slight_smile: .

We have since discussed starting with smaller sums of capital. In time, the TWG will demonstrate ability to manage capital and these accounts will grow to have significant AUM within them. I am looking forward to seeing the community vote on the proposal. Thank you everyone for all the help and feedback.

2 Likes

Pulling the comment here TWG - Request for Funding (1st July to 1st October) - #6 by Matthew_Graham so the convo is in one place…

@Matthew_Graham What day would you like it to run?

2 Likes

The vote has been called to start on Monday 7/12: Discord

I expect to queue it up tomorrow 7/9

1 Like

This has been communicated in the past, but I’m posting here for posterity.

Proposed Operations Wallet Next Steps

Depending on how much INDEX this account eventually ends up requesting (say, in excess of 2M USD), I’m suggesting the following path forward to ensure Treasury funds are managed safely:

Operations Wallet budget up to 2,000,000 USD in INDEX + stablecoins

The proposed multisig signer set up above includes many Coop leaders and will likely be one of the most secure wallets in the Coop. This alone warrants up to 2M USD in control to the wallet.

Nevertheless, wallet operators should spend this time setting up processes & documentation to ensure funds up to 2M USD are handled safely, multisig transactions are executed safely, and there is a process put in place to respond to any unexpected events (e.g. a 3rd party protocol hack).

Operations Wallet budget up to 8,000,000 USD in INDEX + stablecoins

Before the Operations wallet has been funded in excess of 2M USD, and up to 8M USD the Operations wallet team should:

  1. Demonstrate that they are effective custodians of treasury funds with at least a 3 month record of executing multisig transactions, sensibly deploying funds, and/or responding to unexpected events.
  2. Share with Index Coop community members their multisig transaction/fund management process.
    • This will allow security-minded Coop contributors and smart contract developers to audit their process for potential weaknesses or exploits.

Operations Wallet budget in excess of 8,000,000 USD in INDEX + stablecoins

Before the Operations wallet has been funded in excess of 8M USD the Operations wallet team should:

  1. Demonstrate that they are effective custodians of treasury funds with at least a 6 month record of executing multisig transactions, sensibly deploying funds, and/or responding to unexpected events.
  2. Share with Index Coop community members their multisig transaction/fund management process.
    • Ideally this process should have evolved/been kept up-to-date with wallet security best practices since the previous budget cap approval.
  3. Add a senior smart contract developer to the team to complete risk analyses & audit code when deploying extremely large amounts of capital to any third party protocols.

Explanation
This gradual funding of the Operations wallet will inspire confidence in the community that Index Coop’s funds are being handled safely. There will undoubtedly be many opportunities to continually refine & improve the wallet management process as operators deepen their experience operating multisig wallets and are forced to react to unexpected events. Any exploits or attack vectors will also have the opportunity to be uncovered at earlier stages of funding. Ideally a considerably smaller amount of Treasury funds will be at risk if/when any exploits are found.

Exploits and vulnerabilities are the everyday reality of DeFi protocols. Even extremely competent DeFi leaders can get caught.

The above are mere suggestions, the merit of any IIP requesting funding to the operations wallet is, as always, decided by INDEX token holders.

5 Likes

The Snapshot vote is queued: Snapshot

Start : Monday, July 12th at 11:00 am PT // 6:00 pm UTC
End : Thursday, July 15th @ 11:00 am PT // 6:00 pm UTC
Quorum : 96,149.70 INDEX [1,922,994 * 0.05]

2 Likes