makerdao / pe-checklists

Protocol Engineering Checklists
GNU Affero General Public License v3.0

Outline blocking dependencies on centralised tools (e.g. etherscan) #29

Open SidestreamColdMelon opened 6 months ago

SidestreamColdMelon commented 6 months ago

Goal

Checklists do not enforce processes that are blocked in case a single service is down

Context

Recently, the spell team experienced downtime of etherscan, which caused a multi-hour delay in the spell handover and later confusion among delegates on why the contract was not verified on etherscan. The delay was resolved by unanimous agreement within the spell team to proceed with an alternative verifier service and later still use etherscan to verify the contract and resolve the confusion. Another reason to not depend on a single service is of course security: it's much easier to compromise a single crucial service documented in the process than to attack multiple independent services at the same time.

In order to prepare for such events, we should 1) evaluate existing dependencies, 2) evaluate potential circumventions, 3) proceed with removing dependencies one by one.

Todo

SidestreamColdMelon commented 6 months ago

Existing dependencies found in the checklists / known processes

SidestreamColdMelon commented 6 months ago

Potential circumventions

Most used services are not lock-in (e.g.: git, ipfs, xlsx, messaging); to circumvent their offline/compromised state we can just pre-define their alternatives. Less portable are spreadsheet comments, github PR reviews and discord channels, as they have additional permissions attached to them. The most centralized services that do not have easily interchangeable alternatives are etherscan.io and tenderly.co.

  1. Pre-define alternative services / communication channels. Applicable to:

    • Exec Sheet hosted on https://docs.google.com/spreadsheets/
      • [ ] Define a process in which instructions (e.g. raw xlsx file) can be sent over a group message or hosted on a different server if google docs are down
    • All repositories hosted on http://github.com
      • [ ] Mirror existing repositories into other git providers, use CI to keep them in sync
    • Source code verified on https://etherscan.io
      • [ ] Use multiple different services to verify the source code
    • Rates hosted on https://ipfs.io
      • [ ] Define different trusted ipfs gateways
  2. Where possible, use local tools instead of services. Explicitly mark service-based checks as additional/non-blocking. Applicable to:

    • CI tests on http://github.com
      • [ ] Define this step as additional (as we're already running tests locally) or use 2 other CI providers
    • References to other repos at http://github.com
      • [ ] Write a script to pre-fetch all referenced repositories locally
    • Timestamp converter on https://www.epochconverter.com
      • [ ] Replace with local converter command / script which is part of the repo
  3. Replace non-portable linked resources (PR comments / issues / releases / wikis and other information stored outside git) with git or ipfs. Applicable to:

  4. Use on-chain registry of the team + attestations for the most security-crucial operations. Applicable to:

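A local replacement for the epochconverter.com step in item 2 above, added here as an example; it is not part of this thread or of the pe-checklists repo, and the file name epoch.sh is assumed. It converts in both directions with plain POSIX shell arithmetic, so it works offline and does not depend on GNU vs BSD `date` flags.

```shell
#!/bin/sh
# Local UTC <-> Unix epoch converter: pure POSIX shell arithmetic, so it works
# offline and does not depend on GNU vs BSD `date` flags. Assumed file name:
# epoch.sh (not part of the pe-checklists repo). Only epochs >= 0 are handled.
# Date math follows Howard Hinnant's proleptic Gregorian day-count algorithms.

# epoch_to_utc SECONDS -> "YYYY-MM-DD HH:MM:SS UTC"
epoch_to_utc() {
    secs=$1
    days=$((secs / 86400)); rem=$((secs % 86400))
    z=$((days + 719468))                       # shift day count to 0000-03-01
    era=$((z / 146097))                        # 400-year cycles
    doe=$((z - era * 146097))                  # day of era [0, 146096]
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$((yoe + era * 400))
    doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))   # day of year, March-based
    mp=$(( (5 * doy + 2) / 153 ))              # month index, 0 = March
    d=$((doy - (153 * mp + 2) / 5 + 1))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d-%02d-%02d %02d:%02d:%02d UTC\n' \
        "$y" "$m" "$d" $((rem / 3600)) $((rem % 3600 / 60)) $((rem % 60))
}

# utc_to_epoch "YYYY-MM-DD HH:MM:SS" -> seconds since 1970-01-01T00:00:00Z
utc_to_epoch() {
    ymd=${1%% *}; hms=${1#* }
    y=${ymd%%-*}; r=${ymd#*-}; m=${r%-*}; d=${r#*-}
    hh=${hms%%:*}; r=${hms#*:}; mi=${r%:*}; ss=${r#*:}
    # strip a leading zero so "08" is not read as octal by the shell
    m=${m#0}; d=${d#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mm=$((m - 3)); else mm=$((m + 9)); fi
    doy=$(( (153 * mm + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + hh * 3600 + mi * 60 + ss))
}

# CLI: ./epoch.sh 1700000000   or   ./epoch.sh "2023-11-14 22:13:20"
case "${1:-}" in
    '') ;;                          # run without args: only define functions
    *[!0-9]*) utc_to_epoch "$1" ;;
    *) epoch_to_utc "$1" ;;
esac
```
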
SidestreamColdMelon commented 6 months ago

The first specific issue for etherscan has been created: https://github.com/makerdao/pe-checklists/issues/31

0xp3th1um commented 3 weeks ago

I am making a few comments below in order to move forward with this. I think each topic should be taken into consideration separately in a different issue/thread.