Add an execute function directly to chief

[jparklev]

RFC

The idea is that, rather than vote on separate spell contracts that calls functions, you could vote on an id that represents a delegate call (eg hash(usr, fax, now)) and have chief itself make the call. Afterwards, chief could invalidate the id so that it can't be used again.

This would be a switch from voting on candidate addresses to voting directly on actions, which seems closer to how we've been using chief up until now. (It is clear that the original intention for the DS-Chief to serve as a database of role data was not intuitive with respect to the needs of the MKR holders.)

The current executive process would go from this

to this

Pros

• Allows us to enforce that each proposal is a single shot action (ie does a single thing once)
  • Encodes a conceptual model that's kind of been implicit until now: once what you've voted for passes, it's like you're voting for no change
• Changes chief from an authorizer to an actor (pro or con depending on pov)
• Reduces the need for repetitive spell code

(subjectively, voting on a specific action also feels more intuitive for MKR governance than voting on an address)

Cons

• With a delegate call, malicious proposals could mess with chief's storage slots
• Could clash with current contracts that rely on chief being an authority object
• Lose the ability to encode custom logic in spells (like expiration time, though that specific case is already handled by this chief)
• Lose the ability to store proposal metadata in spells (though there are clever ways you might still be able to store this in fax)
• Makes FV harder (cmiiw)

There are likely a few more pros and cons, so feel free to set me straight if I'm missing something.

[jparklev]

cc @gbalabasquer

[gbalabasquer]

Ok yeah, to be honest this "With a delegate call, malicious proposals could mess with chief's storage slots" terrifies me enough. It can be a very big problem as good actors will not have even the delay for protecting of having their deposited funds stolen. We might explore the idea of having a chief-proxy but that might start making the whole model too complex. I'm wondering if maybe we can make each vote a couple of address (pause address / spell action address), in that case we could implement schedule and cast directly in the chief without the need of delegatecall.

[jparklev]

It can be a very big problem as good actors will not have even the delay for protecting of having their deposited funds stolen

yea, this is the big problem. i know there was talk about removing the proxy from ds pause since, if a competent actor has gotten something malicious through, everything can get blown up regardless. But it is different when there's no pause first.

I'm not totally convinced that a chief proxy makes things too much more complex, but i certainly see why you wouldn't want the proxy pinball thing if you could avoid it.

And hmm, my initial take on adding a schedule call to chief directly was that it was a bit rigid (whatever pause-like think you'd want in the future would have to conform), but maybe that's fine actually. I'm going to mull this one over a bit more, but let me also cc everybody else to see if they have any thoughts @makerdao/smart-contracts

[gbalabasquer]

I'll work on a PR for proposing the schedule and cast options in the chief and we can do further discuss from there.

[gbalabasquer]

Closing this issue as it was mainly addressed in the latest versions. It isn't the chief making the final call to update the core contracts but still the whole process is executed via it.