Hello! We are blockful, a DAO governance security company.
One of the criteria we use to evaluate the security of a DAO is the analysis of its Security Council.
From a governance perspective, the Security Council is used to block malicious proposals. However, L2s and protocols also use it to prevent attacks on their infrastructure. Compound, for example, has a Guardian with the power to pause its markets and/or block the execution of an approved proposal, all with the goal of protecting the protocol.
As we participate in the Security Councils of ENS and Superfluid and actively study the adoption of this mechanism in the market, we would like to contribute to the answers to the Open Questions.
What emergency thresholds should explicitly trigger Guardian authority?
Usually, the Guardian’s authority is not limited to specific types of incidents, but rather to specific contract functions within a protocol. Compound’s Guardian, for example, is limited to Supply, Transfer, and Withdraw functions for users, and Absorb and Buy functions for the protocol, in addition to having the power to block the execution of proposals.
In our analysis, Lazy Summer should adopt a similar approach, given that it has a comparable business model and that this Guardian model has already been validated in production.
Should Guardian actions automatically expire after a fixed time window?
Yes. An expiring mandate is the best way to avoid leaving a Guardian with permanent power over Lazy Summer’s contracts. The mandate is usually renewed every two years (as in ENS) or annually (as in Compound or Arbitrum).
However, there is a problem: if governance (or the protocol itself) is captured by a malicious attacker, the Guardian may lose its powers and be prevented from acting once it expires.
An example: in Compound, protocol governance was captured by a well-known DAO attacker called Humpy. He holds enough power to block proposals in Compound. After the expiration of the Compound Guardian, Humpy, together with dozens of wallets controlled by him, blocked the proposal to renew the Guardian members’ compensation. We do not know why he did not block the renewal of the Guardian’s powers as well, but he could potentially have done so if he wanted.
Therefore, setting an annual or two-year expiration for the Guardian is good practice. The power should not be permanent. However, there is a risk that, if governance or the protocol is captured, the Guardian may no longer be able to prevent attacks. For this reason, it is important not to rely solely on the Guardian and to treat governance and protocol security as an ongoing concern.
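To make the two points above concrete (a Guardian limited to specific emergency functions, and a mandate that lapses unless governance renews it), here is an added illustrative contract. It is not Lazy Summer’s, Compound’s or blockful’s code; the contract and function names, the `governance` address standing in for the DAO timelock, and the one-year maximum mandate are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative Guardian with a narrow scope and a time-bounded mandate.
/// Added example, not production code from any of the protocols mentioned.
/// Assumptions: `governance` is the DAO timelock/executor; the only emergency
/// levers exposed to the Guardian are pause switches (no fund movement).
contract ExpiringGuardian {
    address public governance;     // DAO timelock that grants/renews the mandate
    address public guardian;       // multisig holding the emergency powers
    uint64  public mandateExpiry;  // unix timestamp after which Guardian powers lapse
    uint64  public constant MAX_MANDATE = 365 days; // annual renewal, per the post

    // Narrow scope: the Guardian may only pause/unpause supply and withdraw.
    bool public supplyPaused;
    bool public withdrawPaused;

    event MandateRenewed(address indexed guardian, uint64 expiry);
    event MarketPaused(bool supply, bool withdraw, address indexed by);

    error NotGovernance();
    error NotGuardian();
    error MandateExpired(uint64 expiredAt);
    error InvalidDuration();

    constructor(address _governance, address _guardian, uint64 duration) {
        governance = _governance;
        _setMandate(_guardian, duration);
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    /// Guardian actions are valid only while the mandate is live. After expiry
    /// the multisig still exists but can no longer act, which is exactly the
    /// capture risk described above: renewal depends on governance functioning.
    modifier onlyActiveGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        if (block.timestamp >= mandateExpiry) revert MandateExpired(mandateExpiry);
        _;
    }

    /// Governance must actively renew (or replace) the Guardian; silence lets
    /// the powers lapse rather than persist indefinitely.
    function renewMandate(address newGuardian, uint64 duration) external onlyGovernance {
        _setMandate(newGuardian, duration);
    }

    function _setMandate(address newGuardian, uint64 duration) internal {
        if (duration == 0 || duration > MAX_MANDATE) revert InvalidDuration();
        guardian = newGuardian;
        mandateExpiry = uint64(block.timestamp) + duration;
        emit MandateRenewed(newGuardian, mandateExpiry);
    }

    /// The single emergency lever available to the Guardian.
    function setPaused(bool supply, bool withdraw) external onlyActiveGuardian {
        supplyPaused = supply;
        withdrawPaused = withdraw;
        emit MarketPaused(supply, withdraw, msg.sender);
    }

    /// Governance can always unpause, so the Guardian cannot hold the protocol hostage.
    function governanceUnpause() external onlyGovernance {
        supplyPaused = false;
        withdrawPaused = false;
        emit MarketPaused(false, false, msg.sender);
    }

    /// Convenience view for monitoring: alert before this flips to false.
    function isGuardianActive() external view returns (bool) {
        return block.timestamp < mandateExpiry;
    }
}
```

The design choice worth noting is that expiry is enforced on every Guardian call rather than by a separate revocation step, so a forgotten renewal fails closed; a monitoring job watching `isGuardianActive()` and `mandateExpiry` gives the DAO time to queue the renewal proposal before the window closes.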
What is the optimal multisig size (5, 6, 7+) and a rule set (3/5, 4/6)?
A good standard to follow for multisigs is the one proposed by L2BEAT. It requires meeting a set of criteria such as:
1. at least 8 members,
2. a 75% signing threshold,
3. publicly announced members, and
4. a subjective assessment of member selection.
Point (4) is especially about how diverse the Security Council composition should be and the current regulatory situation of the participating members in the multisig.
Therefore, a 6/8 or 5/7 multisig is sufficient for Lazy Summer’s Guardian, with 6/8 being the generally adequate choice.
There are much larger multisigs, such as those used by Arbitrum and Optimism to secure their L2 Security Councils. However, given Lazy Summer’s TVL and the need for operational agility, having more than 10 signers would become impractical.
How should Guardian replacement or removal be handled?
Arbitrum’s Security Council provides a good framework that can be adopted or used as a reference for building Lazy Summer’s Guardian, mainly due to three aspects:
- a contract for member management,
- a contract for member removal,
- a contract for managing the Guardian/Security Council’s powers over the protocol.
Given Arbitrum’s TVL, it made sense to build such a structured Security Council. The idea here is for Lazy Summer to use this model as inspiration to build its own Guardian.
Should Guardians receive explicit compensation for this role?
Yes, compensation is necessary to incentivize Guardian participants to commit to Lazy Summer’s security and to attract members with sufficient technical expertise to manage a multisig in extreme situations, evaluate risks, and decide when Guardian intervention is necessary.
Not compensating Guardians may attract people interested in capturing Lazy Summer or create stronger incentives for Security Council members to be “captured” by malicious actors, encouraging them not to block an approved proposal or not to pause a vulnerable market in the protocol.