IIP-64: Methodologist Smart Contract Permissioning

Title: IIP-64 - Methodologist Smart Contract Permissioning
Status: Proposed
Author: @darkforestcapital
Created: July 30, 2021

Simple Summary

Following conversations with both methodologists and the community, we have aligned on the types of permissioning we want to give external methodologists over Index Coop products at the Smart Contract level.

This IIP will provide external methodologists security that the negotiated fee, fee split amount, and fee recipient address cannot be changed without their on-chain approval.

Abstract

Upgrade previous Manager Contracts to provide security that the negotiated fee, fee split amount, and fee recipient address cannot be changed without their on-chain approval. Additionally, have this as an option for all future methodologists.

Motivation

Every Index Coop product has what is called a “Manager Contract” [purposefully omitting details for clarity]. The Manager Contract generally defines key aspects of the product such as the methodologist address, fee, fee splits, and product specification/implementation [i.e. rebalancing logic, intrinsic productivity, metagov, etc].

Currently, for DPI, there is a 2/2 multisig control for changes that can be made on the manager contract. This means that any edit Set/Index Coop wants to make to how the DPI product works, requires the methodologist’s signature.

With the assumption that methodologists want less operational exposure, and to enable rapid technical improvements to our products, the FLI suite of products has removed that multisig requirement, and given Index Coop full control over product specifications. This means that the Coop can unilaterally control all the aspects mentioned above without needing a multisig transaction with another party.

DFP recently learned about this as Set wanted to upgrade DPI’s manager contract to the same one FLI uses. In our view, as a methodologist, they were naturally concerned about the changing permissions as it lets Index Coop arbitrarily change core aspects of the product, like fees, which makes it much harder for them to build a sustainable business.

While Set certainly understands their perspective on wanting increased permissioning, Set feels uncomfortable making the decision on what permissions a methodologist should or should not have without first consulting the community. We recognize that the initial set of permissions set on the DPI were not made with community input and want to make sure the community is involved as a key stakeholder in setting the standard going forward.

This conversation was opened up to the community and @BigSky7 and @verto0912 were chosen as Index Coop representatives to reach a resolution here. Both DeFi Pulse and Titans of Data have expressed their desire to have permissioning ensuring security around fee amounts and fee splits such that it can not be unilaterally changed by either the Methodologist or the Index Coop. Upon internal discussion, we decided we were happy to meet our external Methodologists here.

Specification

Change the existing Manager Contracts to remove the ability for Index Coop to change the fee, fee split, and fee recipient amounts without approval from the methodologist.

Update it such that both the Index Coop and any external methodologist need to approve any changes related to those previous 3 parameters.

FOR

  • Update the Manager Contracts such that the Index Coop and the External Methodologist both need to approve possible changes to fee, fee split, and fee recipient”

AGAINST

  • Do not update the Manager Contracts – the Index Coop remains in total control of the* fee, fee split, and fee recipient amounts without approval from the methodologist.
10 Likes

Wrapping my head around the actual vote/outcome in the case of passage…

is the FOR vote

“Update the Manager Contracts such that the Index Coop and the External Methodologist both need to approve possible changes to fee, fee split, and fee recipient”

and then the AGAINST vote

“Do not update the Manager Contracts – the Index Coop remains in total control of the* fee, fee split, and fee recipient amounts without approval from the methodologist.”

4 Likes

Yup, we can update the language here to make it clear when moving to proposed

3 Likes

Strongly in favor and will be happily voting FOR this change.

Strongly in favor - will vote FOR!

Thanks for the work on this! FOR

1 Like

Hey @Pepperoni_Joe would you mind moving this to proposed and assigning a number?

1 Like

I have updated this as IIP-64 and changed status to proposed.

Creating a discord channel next :+1:

1 Like

:triangular_flag_on_post: IIP-64 accidentally went live for voting with the incorrect title.

After obtaining approval from the author, and due to the confusion this would cause, I have deleted the Snapshot vote.

At time of deletion, only 1 INDEX has been cast.

Stay tuned for next steps – should be made clear tomorrow when folks are awake and online :sunny:

3 Likes

this vote went live earlier today

https://snapshot.org/#/index-coop.eth/proposal/QmVSHoBfYAeqyJ42UoEEQfSCDNBBSBD4MgAvExLwQxyaFQ

[just the messenger :mailbox_with_mail: ]

1 Like

Confirming this IIP has successfully passed :ballot_box_with_check:

3 Likes

Hey guys, following up on this conversation here.

Our initial spec for implementing this is here: Manager Permissions Summary - Google Docs

What is important to note is that there are security considerations the product team has to consider. For example, the ability to remove a module in an emergency situation where there is a bug in the contract. We encourage the Coop to treat this as a non-negotiable requirement. We’ve designed a number of additional actions that limit the Operator’s power in such situations.

The spec above and the ITIP linked at the bottom go through our thinking in detail.

Tagging relevant methodologies for visibility: @snasps @Thomas_Hepner @Jo_K
Tagging relevant PWG members to continue the conversation: @overanalyser @catjam @Cavalier_Eth

5 Likes

Hey @puniaviision - thanks for following up!

After our conversation today, Kiba and I both reviewed the ITIP.

We have no major concerns, but do have a few quick questions:

  1. Are there plans to do a security audit on the manager system?

  2. For resolveEmergency can we specify which emergency/module or is it intended to be a global reset?

Otherwise, looks good!