Closed jparklev closed 3 years ago
cc @gbalabasquer
Ok yeah, to be honest this "With a delegate call, malicious proposals could mess with chief's storage slots" terrifies me enough. It can be a very big problem as good actors will not have even the delay for protecting of having their deposited funds stolen. We might explore the idea of having a chief-proxy but that might start making the whole model too complex.
I'm wondering if maybe we can make each vote a couple of address (pause address / spell action address), in that case we could implement schedule
and cast
directly in the chief
without the need of delegatecall
.
It can be a very big problem as good actors will not have even the delay for protecting of having their deposited funds stolen
yea, this is the big problem. i know there was talk about removing the proxy from ds pause since, if a competent actor has gotten something malicious through, everything can get blown up regardless. But it is different when there's no pause first.
I'm not totally convinced that a chief proxy makes things too much more complex, but i certainly see why you wouldn't want the proxy pinball thing if you could avoid it.
And hmm, my initial take on adding a schedule
call to chief directly was that it was a bit rigid (whatever pause-like think you'd want in the future would have to conform), but maybe that's fine actually. I'm going to mull this one over a bit more, but let me also cc everybody else to see if they have any thoughts @makerdao/smart-contracts
I'll work on a PR for proposing the schedule
and cast
options in the chief and we can do further discuss from there.
Closing this issue as it was mainly addressed in the latest versions. It isn't the chief making the final call to update the core contracts but still the whole process is executed via it.
RFC
The idea is that, rather than vote on separate spell contracts that calls functions, you could vote on an id that represents a delegate call (eg
hash(usr, fax, now)
) and have chief itself make the call. Afterwards, chief could invalidate the id so that it can't be used again.This would be a switch from voting on candidate addresses to voting directly on actions, which seems closer to how we've been using chief up until now. (It is clear that the original intention for the DS-Chief to serve as a database of role data was not intuitive with respect to the needs of the MKR holders.)
The current executive process would go from this
to this
Pros
(subjectively, voting on a specific action also feels more intuitive for MKR governance than voting on an address)
Cons
fax
)There are likely a few more pros and cons, so feel free to set me straight if I'm missing something.