MKR transferred directly to the proxy can only be withdrawn back to the "cold" wallet, not locked straight into the voting contract

makerdao / vote-proxy

ds-chief mkr proxy voting with a hot/cold wallet

GNU Affero General Public License v3.0

10 stars 30 forks source link

MKR transferred directly to the proxy can only be withdrawn back to the "cold" wallet, not locked straight into the voting contract #6

Open MicahZoltu opened 5 years ago

MicahZoltu commented 5 years ago

If you transfer MKR directly to the VoteProxy, it will get "stuck" and be unusable for voting until you call proxy.freeAll, at which point it'll be refunded to the cold wallet.

This could be fixed by changing: https://github.com/makerdao/vote-proxy/blob/ebd7b2f484bc18d42563b443fbad05702d0abb38/src/VoteProxy.sol#L30-L33

to:

function lock(uint256 wad) public auth {
    gov.pull(cold, wad);
    chief.lock(gov.balanceOf(this));
}

Such a change will make it so the next time someone calls lock(0), it will include any MKR held by the proxy contract directly.

Note: It should be verified that gov.pull(cold, 0); will not error. If it does, a different solution would be called for.

nmushegian commented 5 years ago

It should be verified that gov.pull(cold, 0); will not error. If it does, a different solution would be called for.

Hmm, I think it does.

Seems like using balanceOf(this) and pushing to the owner on free is the right approach after all

nmushegian commented 5 years ago

Another approach is a function like clear or top-up which does only chief.lock(gov.balanceOf(this));

MicahZoltu commented 5 years ago

For reasons outside of the specific issue of "accidentally inaccessible funds", I would like to see a solution that makes sending MKR directly to VoteProxy a viable strategy.

Imagine you use paper wallets for cold storage. Currently, you cannot use VoteProxy because you cannot call gov.approve(vote_proxy, ...) from the paper wallet without burning it, at which point your funds are no longer secure. If there was a function that allowed you to chief.lock(gov.balanceOf(this)) then you could do something like:

Create new_paper_wallet.
Create vote_proxy pointing at hot_wallet and new_paper_wallet.
Transfer MKR from old_paper_wallet to vote_proxy (burning old_paper_wallet in the process).
Use hot_wallet to trigger locking of the MKR that is in vote_proxy.

You would end up with an un-burned paper wallet (new_paper_wallet) being the indirect owner of the assets.

nmushegian commented 5 years ago

Latest consensus is

lock uses gov.balanceOf(this)

add rake:

    function rake(uint256 wad) public auth {
        chief.lock(wad);       // mkr out, ious in
    }

Will put a PR in the morning.

MicahZoltu commented 5 years ago

What is the reasoning behind rake taking a parameter? Why not have it just lock everything in the contract? What is the scenario where you would not want rake to lock everything?

nmushegian commented 5 years ago

What is the scenario where you would not want rake to lock everything?

Same discussion as explicit lock/free in https://github.com/makerdao/vote-proxy/pull/8

Hopefully that PR supersedes this whole issue