LDO+stETH dual governance (continuation)

One more thought: given that we currently see no way around having the Tiebreaker Committee, maybe having the balance snapshotting mechanism is not so critical?

The balance snapshotting mechanism, i.e. the calculation of veto power as min(current stETH balance, stETH balance X days ago) was introduced to protect from an attacker exploiting a potential unbacked minting vulnerability following this scenario:

  1. An attacker finds the vulnerability and mints a huge stETH amount (say, more than the current total supply) without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the DAO from deploying any fix.
  3. After the Veto Signalling maximum duration passes, the Rage Quit starts since the signalling escrow contains more than the second threshold stETH.
  4. As a result of the Rage Quit, the attacker steals the whole protocol TVL in ETH.

Calculating veto power as a minimum from current and past stETH balances would require the attacker to mint the unbacked stETH X days before using it in the veto and thus give the protocol governance the time to react, pause the protocol and deploy a fix:

  1. An attacker finds the vulnerability and mints a huge stETH amount without providing the proportional amount of ETH. Due to the balance snapshotting mechanism, they have to wait at least X days before being able to use it in veto, where X exceeds the time required for the DAO to approve and execute a proposal.
  2. The Gate Seal committee notices the exploit and pauses withdrawals.
  3. The DAO prepares, approves, and executes a proposal fixing the vulnerability and unpausing withdrawals before Gate Seal-induced withdrawals pause elapses.

However, in the presence of the Tiebreaker Committee, the DAO, the Gate Seal committee, and the Tiebreaker committee can cooperate and execute a recovery from this attack even in the absence of balance snapshotting:

  1. An attacker finds a vulnerability and mints a huge stETH amount without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the governance from deploying any fix.
  3. The Gate Seal committee notices the exploit and pauses withdrawals. Since DAO execution is currently blocked, the pause will last until it’s unblocked.
  4. After the Veto Signalling maximum duration passes, the Rage Quit starts. Since withdrawals are paused, this leads to a governance/withdrawals deadlock and thus the Tiebreaker Committee gains the power of executing any DAO-approved decision.
  5. The DAO prepares and approves a proposal fixing the vulnerability and unpausing withdrawals. In contrast to the balance snapshotting scenario, the DAO is not strictly time-constrained in preparing and deploying the fix since withdrawals are not getting automatically unpaused.
  6. The Tiebreaker Committee executes the proposal.

The downsides:

  1. As a result of an attack, protocol users experience a prolonged pause in withdrawals that can easily last months.
  2. Intervention from the Tiebreaker Committee is required.

However, given that the Tiebreaker Committee is needed for other reasons anyway, that a vulnerability allowing unbacked stETH minting is already a doomsday scenario, and that stETH remains backed in the end, maybe this is an acceptable compromise. The upsides of removing the balance snapshotting are significant:

  1. Allows users having stETH deposited in DeFi protocols and CeFi services to participate in veto (by withdrawing to stETH/wstETH first).
  2. Significantly simplifies the DG implementation.
  3. Improves the UX for participants since no access to an archival Ethereum node is required anymore.

WDYT?

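The following is an added illustration of the veto-power rule the post discusses, not code from the post or from Lido's dual governance contracts. It models stETH balances as per-account (timestamp, balance) checkpoints, so "balance X days ago" can be answered from the ledger itself, and then replays the unbacked-mint scenario with and without snapshotting. All numbers (30-day snapshot delay, 10% rage quit threshold, 1,000,000 honest stETH, 2,000,000 unbacked stETH) are constructed for the example; the model also assumes an account's whole balance counts as locked in the signalling escrow, which simplifies the actual design.

```python
from bisect import bisect_right

DAY = 86_400
SNAPSHOT_DELAY = 30 * DAY     # the post's "X days"; 30 is an assumed value
RAGE_QUIT_THRESHOLD = 0.10    # the post's "second threshold"; assumed value, not Lido's parameter


class CheckpointedLedger:
    """Minimal stETH-like ledger that records a (timestamp, balance) checkpoint on
    every balance change, so 'balance at time t' is a binary search rather than
    an archival-node query. Same idea as checkpointed voting tokens."""

    def __init__(self):
        self._ts = {}      # account -> [checkpoint timestamps], ascending
        self._bal = {}     # account -> [balances], parallel to _ts
        self._supply_ts = []
        self._supply = []

    @staticmethod
    def _push(ts_list, val_list, ts, value):
        if ts_list and ts < ts_list[-1]:
            raise ValueError("checkpoints must be appended in time order")
        if ts_list and ts == ts_list[-1]:
            val_list[-1] = value          # same-block update overwrites the checkpoint
        else:
            ts_list.append(ts)
            val_list.append(value)

    @staticmethod
    def _lookup(ts_list, val_list, ts):
        # Last checkpoint at or before `ts`; zero if the account had none yet.
        i = bisect_right(ts_list, ts)
        return val_list[i - 1] if i else 0

    def balance_at(self, account, ts):
        return self._lookup(self._ts.get(account, []), self._bal.get(account, []), ts)

    def total_supply_at(self, ts):
        return self._lookup(self._supply_ts, self._supply, ts)

    def mint(self, account, amount, ts):
        """Mint `amount` to `account` at `ts`. Backing is deliberately NOT checked:
        this is the hypothetical unbacked-minting bug the post reasons about."""
        ts_list = self._ts.setdefault(account, [])
        bal_list = self._bal.setdefault(account, [])
        self._push(ts_list, bal_list, ts, self.balance_at(account, ts) + amount)
        self._push(self._supply_ts, self._supply, ts, self.total_supply_at(ts) + amount)

    def veto_power(self, account, now, snapshotting=True):
        """Veto power as defined in the post: min(balance now, balance X days ago).
        With snapshotting disabled it is simply the current balance."""
        current = self.balance_at(account, now)
        if not snapshotting:
            return current
        return min(current, self.balance_at(account, now - SNAPSHOT_DELAY))


def rage_quit_reachable(ledger, vetoers, now, snapshotting=True):
    """True if the vetoers' combined veto power, as a share of total supply at
    `now`, reaches the second (rage quit) threshold."""
    power = sum(ledger.veto_power(a, now, snapshotting) for a in vetoers)
    return power / ledger.total_supply_at(now) >= RAGE_QUIT_THRESHOLD


def attack_timeline():
    """Replay the post's scenario with constructed numbers: can the attacker alone
    force a rage quit right after the unbacked mint, and X days later?"""
    ledger = CheckpointedLedger()
    ledger.mint("honest_holders", 1_000_000, ts=0)      # legitimately backed stETH
    t_mint = 365 * DAY
    ledger.mint("attacker", 2_000_000, ts=t_mint)       # unbacked: 2x the real supply
    return {
        "immediately_with_snapshot": rage_quit_reachable(ledger, ["attacker"], t_mint, True),
        "immediately_without_snapshot": rage_quit_reachable(ledger, ["attacker"], t_mint, False),
        "after_X_days_with_snapshot": rage_quit_reachable(
            ledger, ["attacker"], t_mint + SNAPSHOT_DELAY, True),
    }


if __name__ == "__main__":
    for step, reachable in attack_timeline().items():
        print(f"{step}: {reachable}")
```

With snapshotting, the freshly minted balance has no checkpoint X days back, so its veto power is zero until the delay elapses; that delay is the reaction window the post describes. Without snapshotting the same balance reaches the rage quit threshold in the same block it was minted, which is why removing the mechanism shifts the defence onto the Gate Seal and Tiebreaker path.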