Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle

zuzu_eeka · April 4, 2024, 9:01am

Tl;Dr

One of the parts of Lido V2 is GateSeal (GitHub - lidofinance/gate-seals: A one-time panic button for pausable contracts):

Initially, it’s been set up with an expiration date of 1 May 2024 (Lido V2 GateSeal Committee). The proposal seeks to prolong the functioning of the GateSeal mechanics for the following year.

Context

In essence, GateSeal allows to react to the unexpected in-protocol vulnerability. In the worst case of false-positive (pause contracts if no vulnerability is present), the potential downside is limited (only withdrawals get paused, and only by limited time). In that case, leaving the protocol the option to react faster-than-governance-flow seem to be a good call. In the future, committee-driven safety mechanics could be changed to a permissionless zk-proof system. Still, that future is quite far away: it requires both the maturing of production-level zk-based tech and the ossification of withdrawals part of the Lido on Ethereum.

Proposed decision

It’s proposed to use the new instance of the GateSeal Blueprint, deployed with GateSeal Factory:

GateSeal Blueprint: 0xEe06EA501f7d9DC6F4200385A8D910182D155d3e
GateSeal Factory: 0x6c82877cac5a7a739f16ca0a89c0a328b8764a24

The GateSeal Factory and GateSeal Blueprint contracts were audited during the V2 upgrade: GitHub - lidofinance/audits

The new instance of GateSeal will be deployed and announced under the post. The deployment verification by a third-party audit team will be posted before the on-chain voting as well.

The proposed parameters for the new GateSeal are:

Have the same list of sealables
- Withdrawal Queue (proxy): 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1
- Validator Exit Bus Oracle (proxy): 0x0De4Ea0184c2ad0BacA7183356Aea5B8d5Bf5c6e
Use the same 3/6 multisig 0x8772E3a2D86B9347A2688f9bc1808A6d8917760C in the new GateSeal: Emergency Brakes | Lido Docs
Set the same activity duration of 1 year
Set the same pause duration of 6 days (518400 seconds)

Next steps

If the proposal is not opposed here on the forum, the snapshot voting starts on April 11.
If the snapshot voting is approved by the DAO, the on-chain voting starts on April 23.
Stay in touch and keep your keys ready to vote!

GateSeal Committee chores

To check the liveness and readiness of the GateSeal, if the proposal is approved by the Lido DAO, it’s additionally proposed to:

Rotate at least one of the current six signers
Hold a GateSealing drill by DAO Ops team no later than 30 June 2024

Next page for GateSeal: Dual Governance

It must be noted that the GateSeal needs to be tweaked to fit the Dual Governance design.
The proposed designed is outlined here (Dual Governance mechanism design overview - HackMD) but it could change after the internal reviews and audits.

kadmil · April 4, 2024, 9:02am

As a GateSeal signer I’m all for the proposal. Having a GateSeal sounds like a way better thing than not having it at this time.

TheDZhon · April 4, 2024, 1:18pm

Thank you for kicking off the process of the GateSeal renewal.

Having such a power-limited but important one-time panic button is good to mitigate highly hypothetical still should be considered catastrophic events.

I expect that for this to happen, it would require having not only a zk-proof system, but its complete formal verification on the level of bytecode and no more changes, e.g., for EVM itself, which is hard to guess when happens.

Therefore, to me, prolonging the GateSeal protection would be wise and prudent.

skozin · April 4, 2024, 1:18pm

Yeah, having an impact-limited circuit breaker seems pretty reasonable until the protocol is fully ossified. In the future, I see the following process of improving it:

Formulate a complete set of invariants that must be kept by the protocol and replace the committee-driven circuit breaker with an invariant-based circuit breaker, i.e. allow anyone who can prove a given state transition breaks an invariant to trigger the GateSeal.
Formally verify the protocol code on the bytecode level against these invariants, ossify the core protocol code, and remove the circuit breaker mechanism.

Both of these steps would require significant effort and time to be implemented but set the goals to pursue in the long run. Until then, I’d be for keeping the committee-driven GateSeal.

TheDZhon · April 11, 2024, 3:57pm

Hey there,
wanted to suggest a change in the LidoDAO GateSeal Committee as a part of the upcoming Snapshot voting

governance-data-bot · April 11, 2024, 4:16pm

Snapshot vote started

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has started! Please cast your votes before Fri, 19 Apr 2024 15:00:00 GMT

zuzu_eeka · April 12, 2024, 1:29pm

The new instance of GateSeal Blueprint was deployed: 0x79243345eDbe01A7E42EDfF5900156700d22611c

The parameters of the contract are:

sealing_committee == 0x8772E3a2D86B9347A2688f9bc1808A6d8917760C (it’s Lido V2 GateSeal Committee)
seal_duration_seconds == 518400 (it’s 6 days * 24 hours * 60 minutes * 60 seconds)
`sealables’ == 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1 (Withdrawal Queue) and 0x0De4Ea0184c2ad0BacA7183356Aea5B8d5Bf5c6e (Validators Exit Bus Oracle)
expiry_timestamp == 1743465600 (it’s Tue Apr 01 2025 00:00:00 GMT+0000)
is_expired == false

Tane · April 15, 2024, 7:01pm

We vote FOR the proposal while we understand that having trust-minimized options for unexpected emergencies is crucial to keep the protocol safe and that Lido is still on the way to achieve making them into protocols as @TheDZhon explains here.

zuzu_eeka · April 17, 2024, 7:10pm

All deployments have been successfully validated by statemind.io, meaning that:

All audited commits match the deployed contracts fully.
All default configurations are correct.
The contracts are ready for use.

See note contents for more details.

governance-data-bot · April 19, 2024, 3:06pm

Snapshot vote ended

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has passed!
The results are:
For: 56.1M LDO
Against: 90 LDO

zuzu_eeka · April 23, 2024, 12:19pm

@skozin departed the GateSeal multisig, and their address 0x2CAE3a4D4c513026Ecc6af94A4BA89Df31c8cEA3 was rotated to @theDZhon (Lido on Ethereum protocol team) with address 0x59f8d74fe49d5ebeac069e3baf07eb4b614bd5a7.

zuzu_eeka · April 23, 2024, 2:19pm

The on-chain vote is started! Lido DAO Voting UI
The main phase will end on Apr 25, 2024 at 14:08 UTC!

Please, participate in the voting to change the GateSeal on the Withdrawal queue and Validator exit bus oracle contracts!

zuzu_eeka · April 26, 2024, 3:04pm

The vote was enacted successfully and the GateSeal has been changed! Thank you for casting your votes!

Topic		Replies	Views
Withdrawals for Lido on Ethereum Proposals	13	10691	March 29, 2023
Lido Validator Exits Policy (Draft for Discussion) Proposals	8	5248	May 12, 2023
Withdrawals: Automating Lido Validator Exits Proposals	10	7014	January 11, 2023
Lido Permissionless Withdrawals	1	4434	February 2, 2023
A mechanism for a good validator set maintenance by Nethermind Research [Phase II] [Completed]	2	1943	September 5, 2023