Temperature Check - Addressing Considerations for Multi-Sig Operations

Kene_StableLab · January 10, 2023, 6:29pm

Authors: @Kene_StableNode, @Bobbay & @fourpoops
Contributors: N/A
Status: RFC
Date Posted: 2023-01-10

References

How Should HOP compensate Multi-Sig Signers

Simple Summary

This is a temp check to begin discussing Hop’s Multi-Sig Operations. This a follow-up proposal to the “Temperature Check - How should HOP compensate Multi-Sig Signers” proposal, which has already been passed off-chain and on-chain by the community.

Abstract

Multi-Sig signers have solidified themselves as a vital part of the Hop Protocol’s operations; although Multi-Sig signers participate in varying degrees, this temp check is geared towards figuring out the details of how multi-sig signers are nominated, elected, term limits and gas rebates.

Motivation

This will clarify the process for joining, participating, and being removed from the Hop DAO multi-sig.

Specification

Nomination and Election
Term Limits
Gas Rebates
Removal

Nomination and Elections: Every six months, there will be a nomination process and subsequent election to replace the five Hop Multi-Sig Signers. A forum post thread shall be started where applicants indicate their interest in the role through a formal application stating:

Who they are.
Outlining their track record of reliability in previous roles.
How they contribute to the Hop Ecosystem.

The nomination process shall run for three days, after which a subsequent snapshot election will be held for five days; after the election, the top 5 applicants will become the new Hop Multi-Sig Signers.

Term Limits: We propose elected multi-sig signers serve on the multi-sig for months and can only be re-elected for one additional term; after a multi-sig signer serves two 6 months’ terms, they will be ineligible to be elected to the multi-sig again.

Gas Rebates: As ETH is spent to execute multi-sig transactions, we propose giving the multi-sig signers a $150 gas rebate fund; this way, a signer who executes a transaction can be refunded at the end of the month through this fund. We propose that this amount be paid out entirely in HOP.

Removal: If a signer fails to sign transactions four times in a row, the signer will be removed from the multi-sig, and a nomination/election process will be instituted to replace the signer.

To be eligible for a rebate, we propose that Multi-Sig Signers duplicate and use this Google Sheet template to track gas costs and present their addresses for the refund in an organized manner.

Annual Total Cost = $150 x 12 (Months) = $1,800

Any amount unutilized from the fund should be rolled over to the next month or year for subsequent rebates.

dybsy · January 10, 2023, 8:51pm

i like the idea of term limits. two six-month terms seems very reasonable. but you should build in some way to deal with an edge case where no new nominations are received in a given election period, because then, in the event all signers are term limited, then would be ineligible to serve, and there would be no multi-sig. very edge, but should be considered.

i think we should do some backtesting on the amount of gas expenditures over a 12- month period (assuming the first election would at the end of this June). $150 per month in gas rebate seems little high given most executions have been out of the Optimism safe.

what does failing to sign a transaction mean? i think we need discussion around this. none of the transactions initiated since inception have gone unsigned; however, they have, consistently, lingered for days before finally getting pushed. we need some sort of response period, and some way to delineate between who is failing to respond and who was just ‘beaten to the punch’ given only 3 of the 5 need to sign.

we also need to structure a transition plan, because rotating signers is an administrative task that requires adding and removing permissions in the safe, and the process should be rigid and documented to avoid, as best possible, any shenanigans.

fig · January 11, 2023, 3:31pm

I worry about this line as it can become a bit predatory:

With the frequency of multi-sig actions, four missed signatures could mean one sick day.

Instead of penalizing for missed signatures, reward those for consistent participation with a bonus.

I still see the merit in a guardrail to avoid signers becoming stale - but four is low.

This push is much like human psychology:

It is much more memorable and productive to tell someone when they are exhibiting good behaviors vs. telling them when they are wrong or have misstepped.

We can do so with incentives.

dybsy · January 11, 2023, 4:11pm

i agree with positive versus negative reinforcement. this same discussion came up about 3 community calls ago, and we discussed whether positive incentivization would promote careless signing; in other words, if we reward participation, then people will race to participate, which could take away from diligence in ensuring legitimacy of a proposed transaction.

Kene_StableLab · January 13, 2023, 1:11pm

Thank you for the feedback. I will work on a solution for a no-nomination edge case.

For gas rebates, we would definitely cut the number down since transactions can be executed in batches. How does $80 a month sound for a gas rebate budget?

I see your point about the failure to sign transactions; I will work on utilizing positive reinforcement to incentivize signers to act quickly.

Could you elaborate more on your vision for a transition plan?

Kene_StableLab · January 13, 2023, 1:12pm

I agree, and I will work to reinforce positive behaviour.

dybsy · January 13, 2023, 3:52pm

I don’t really have a vision for a transition plan; I was just pointing out that we should have a structured method to accomplish it. It could be as simple as (a) upon the election of multisig members, the incumbent multisig operators will expand the safe’s permissions to include any newly voted operators, and (b) the newly voted operators, once added to the safe, will alter the safe’s permissions to exclude operators who will no longer be operating the safe.

Just throwing it out there. It doesn’t matter what the language is, as long as it exists and there’s a time limit to get things done. We can’t have unauthorized people lingering in the Safe for long.

fourpoops · January 20, 2023, 9:32pm

I don’t think there should be term limits as long as nominations and votes are held every 6 months. In short order, we would be running through far too many people if we imposed term limits.

I don’t think there needs to be any clause for removal. Stats should be kept about each signer’s number of signatures in the 6 month period and displayed during elections. You can’t just remove someone if other signers get to signing transactions very quickly.

For gas rebates, does there need to be a budget? Why not just send a rebate for the exact amount of gas spent for each signer during 6 month payments?

Who will be running the nominations process? I think we need to define the responsibilities of the lead-signer and running the nomination/voting process seems like it needs to be a requirement.

fourpoops · January 20, 2023, 10:53pm

Here’s my take/edits on a proposal for multisig operations taking into account my questions/thoughts from above

Title: Community Multisig Operations for the Hop DAO

This proposal outlines the process for nomination, election, and compensation of multisig signers for the Hop DAO Community Multisig. The proposal aims to define the multisig’s goals and clarify the process for joining and participating in the Hop DAO multisig.

Nomination and Election

Every six months, there will be a nomination process and subsequent election to replace the five Hop DAO Community Multisig signers. Stats should be kept about incumbent signer’s number and speed of signatures in the 6 month period and displayed during elections. A forum post should be started where applicants indicate their interest in the role through a formal application stating:

Who they are
Outlining their track record of reliability in previous roles
How they contribute to the Hop Ecosystem

The nomination process should run for seven days with question and answer, after which a subsequent snapshot election will be held; after the election, the top 5 applicants will become the new Hop Multi-Sig Signers.

Responsibilities

The Community Multisig exists for the Hop DAO to transact faster and with more flexibility than can the full governance timelock. However, the multisig’s purpose should be to reduce its role in the DAO as much as possible.

The lead signer will be responsible for the overall management of the multisig and will be in charge of running the nomination and voting process. Other tasks taken on by the lead signer include initiating any/all transactions from the multisig, reminding other signers about pending transactions, verifying merkle roots, and other duties that may arise in the course of transacting via the multisig.

Compensation:

Salary: As per HIP-12, the lead signer of the multisig is paid $3,000 twice a year, which is an annual salary of $6,000 and each of the other multisig signers are paid $1,500 twice a year. Annual Total Cost for the DAO = $6,000 + ($3,000 x 4) = $18,000

Gas Rebates: As ETH is spent to execute multisig transactions, we propose that each signer is reimbursed for the exact amount of gas spent during the 6 month term. To be eligible for a rebate, we propose that signers use a Google Sheet template to track gas costs. A dune dashboard or other data query can replace this.

Kene_StableLab · January 23, 2023, 12:02pm

Thank you for the feedback regarding the 6-month duration, term limits and grounds for removal, I see your point, and I agree.

Regarding gas rebates, I believe a budget would give us a good sense of how much is spent on transactions over time; I don’t think there’s a downside to the budget aspect.

I agree with the point of the Lead Signer conducting the nomination process; I appreciate you editing the proposal, I will review and include some parts in the next stage of this proposal, and I will give you credit as well.

fourpoops · January 23, 2023, 1:38pm

The downside to the budget is that it’s an extra step to manage that isn’t necessary. The signers will have to be counting their gas expenditures anyway, I don’t think we’ll have any worse of a sense of how much is being spent on transactions

dybsy · January 25, 2023, 6:35pm

my only comment is that adding more responsibility to the lead multi-sig position deserves a commensurate increase in their compensation. i already think the 2:1 allocation is too low.

Kene_StableLab · January 31, 2023, 2:23pm

I see your point @dybsy

I think we should leave the compensation as it is and review the compensation at the end of the first cycle of the compensation program. This way we can test out the current approach and have a strong basis for changing the compensation numbers.