cosmos / cosmos-sdk

:chains: A Framework for Building High Value Public Blockchains :sparkles:
https://cosmos.network/
Apache License 2.0
6.27k stars 3.63k forks source link

Expedited Governance Proposal Option #10014

Closed iramiller closed 2 years ago

iramiller commented 3 years ago

Summary

An expedited governance proposal flow would allow for governance proposals to be passed with a much shorter duration when a higher majority level is reached. This feature would allow for coordinated execution prior to submission of a governance proposal in response to security related software upgrades as one example.

Problem Definition

Currently the long voting window is used to provide ample opportunity for users to review governance proposals and vote appropriately to express their opinion on a measure. While this is the expected and desirable behavior, it breaks down in cases where the network needs to respond immediately to threats or vulnerabilities.

The expedited governance proposal option would add a capability for a network to respond rapidly during emergency situations while balancing protection of rights against abuse where a proposal is pushed through quickly without time for proper debate. This can be achieved by providing an additional governance controlled set of parameters that establish a much higher level of approval such as a 67% majority or similar value appropriately chosen by the network.

Today when a severe vulnerability is uncovered the validator community can discuss an upcoming update in private and prepare an update but it is difficult to do this in a way that does not leak advanced warning for someone to prepare an attack against the network while this is occurring. As the value of assets increase further it is conceivable that even one of the individuals associated with an existing validator in these private channels may be tempted to leverage information to mount an attack before a mitigation is in place.

In addition the increased use of the upgrade module and cosmovisor processes to automatically rollout updates has created an environment where the best approach is to use on chain software upgrades in the standard flow and avoid alternative approaches (such as a coordinated halt height).

Proposal


For Admin Use

iramiller commented 3 years ago

Potential Concerns Discussed During Initial Architecture Review Introduction

robert-zaremba commented 3 years ago

CC: @sunnya97 - you might be interested to comment on this.

robert-zaremba commented 3 years ago

Things to specify:

sunnya97 commented 3 years ago

An alternative that I would like is that a voting period can be made shorter but my providing a much larger deposit.

iramiller commented 3 years ago

voting period can be made shorter but my providing a much larger deposit.

An increased fee makes a lot of sense to bond for the increased exigency risk. This fee level along with the other parameters for increased quorum levels, durations of vote, etc would all need to be made available for chains to tailor.

Ultimately the structure of this proposal points towards the idea that you can have a straight forward vote on a proposal as we have today ... or you can post a higher bond and meet a higher standard of quorum with an increased opportunity for veto as a useful tool for an emergency response.

iramiller commented 3 years ago

@sunnya97 / @robert-zaremba ... during the process of working through an ADR for this I realized that the solution to the problem was a bit more generalizable than my first take lead me to believe. Overall I feel that the answer to an emergency process, a standard governance process, and possibly other less critical processes is that each should have the option of tailoring the configuration accordingly. Per the ADR draft that I started my proposed solution now is to capture all of the voting/proposal configuration properties into a named profile such that existing values can become the default and each network can add additional profiles that are appropriate for their specific needs.

This approach I feel also would integrate well with the upcoming migration to a msg dispatch based approach for governance proposals. One obvious hole that I have not resolved is that if the end point of a proposal is variable (proposal closes when threshold is met) then in some cases it would be difficult to properly execute the payload of the proposal... for example a software upgrade proposal needs an upgrade blockheight.

Hopefully my draft ADR can spur some additional engagement as this issue is kind of languishing right now.

clevinson commented 2 years ago

From @iramiller during our architecture review call today - most of this can be taken care of with decision policy (in the upcoming gov/group module alignment work).

The only remaining issue is that all stakers can not vote on groups right now, but the work that is in #9438 gets him what he was looking for.

robert-zaremba commented 2 years ago

I don't see a clear win of Expedited Governance over a hot update with validators / hard fork.