Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle

Tl;Dr

One of the parts of Lido V2 is GateSeal (GitHub - lidofinance/gate-seals: A one-time panic button for pausable contracts):

Initially, it’s been set up with an expiration date of 1 May 2024 (Lido V2 GateSeal Committee). The proposal seeks to prolong the functioning of the GateSeal mechanics for the following year.

Context

In essence, GateSeal allows to react to the unexpected in-protocol vulnerability. In the worst case of false-positive (pause contracts if no vulnerability is present), the potential downside is limited (only withdrawals get paused, and only by limited time). In that case, leaving the protocol the option to react faster-than-governance-flow seem to be a good call. In the future, committee-driven safety mechanics could be changed to a permissionless zk-proof system. Still, that future is quite far away: it requires both the maturing of production-level zk-based tech and the ossification of withdrawals part of the Lido on Ethereum.

Proposed decision

It’s proposed to use the new instance of the GateSeal Blueprint, deployed with GateSeal Factory:

• GateSeal Blueprint: 0xEe06EA501f7d9DC6F4200385A8D910182D155d3e
• GateSeal Factory: 0x6c82877cac5a7a739f16ca0a89c0a328b8764a24

The GateSeal Factory and GateSeal Blueprint contracts were audited during the V2 upgrade: GitHub - lidofinance/audits

The new instance of GateSeal will be deployed and announced under the post. The deployment verification by a third-party audit team will be posted before the on-chain voting as well.

The proposed parameters for the new GateSeal are:

• Have the same list of sealables
  • Withdrawal Queue (proxy): 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1
  • Validator Exit Bus Oracle (proxy): 0x0De4Ea0184c2ad0BacA7183356Aea5B8d5Bf5c6e
• Use the same 3/6 multisig 0x8772E3a2D86B9347A2688f9bc1808A6d8917760C in the new GateSeal: Emergency Brakes | Lido Docs
• Set the same activity duration of 1 year
• Set the same pause duration of 6 days (518400 seconds)

Next steps

If the proposal is not opposed here on the forum, the snapshot voting starts on April 11.
If the snapshot voting is approved by the DAO, the on-chain voting starts on April 23.
Stay in touch and keep your keys ready to vote!

GateSeal Committee chores

To check the liveness and readiness of the GateSeal, if the proposal is approved by the Lido DAO, it’s additionally proposed to:

• Rotate at least one of the current six signers
• Hold a GateSealing drill by DAO Ops team no later than 30 June 2024

Next page for GateSeal: Dual Governance

It must be noted that the GateSeal needs to be tweaked to fit the Dual Governance design.
The proposed designed is outlined here (Dual Governance mechanism design overview - HackMD) but it could change after the internal reviews and audits.

As a GateSeal signer I’m all for the proposal. Having a GateSeal sounds like a way better thing than not having it at this time.

Thank you for kicking off the process of the GateSeal renewal.

Having such a power-limited but important one-time panic button is good to mitigate highly hypothetical still should be considered catastrophic events.

I expect that for this to happen, it would require having not only a zk-proof system, but its complete formal verification on the level of bytecode and no more changes, e.g., for EVM itself, which is hard to guess when happens.

Therefore, to me, prolonging the GateSeal protection would be wise and prudent.

Yeah, having an impact-limited circuit breaker seems pretty reasonable until the protocol is fully ossified. In the future, I see the following process of improving it:

1. Formulate a complete set of invariants that must be kept by the protocol and replace the committee-driven circuit breaker with an invariant-based circuit breaker, i.e. allow anyone who can prove a given state transition breaks an invariant to trigger the GateSeal.
2. Formally verify the protocol code on the bytecode level against these invariants, ossify the core protocol code, and remove the circuit breaker mechanism.

Both of these steps would require significant effort and time to be implemented but set the goals to pursue in the long run. Until then, I’d be for keeping the committee-driven GateSeal.

Hey there,
wanted to suggest a change in the LidoDAO GateSeal Committee as a part of the upcoming Snapshot voting

Snapshot vote started

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has started! Please cast your votes before Fri, 19 Apr 2024 15:00:00 GMT

The new instance of GateSeal Blueprint was deployed: 0x79243345eDbe01A7E42EDfF5900156700d22611c

The parameters of the contract are:

• sealing_committee == 0x8772E3a2D86B9347A2688f9bc1808A6d8917760C (it’s Lido V2 GateSeal Committee)
• seal_duration_seconds == 518400 (it’s 6 days * 24 hours * 60 minutes * 60 seconds)
• `sealables’ == 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1 (Withdrawal Queue) and 0x0De4Ea0184c2ad0BacA7183356Aea5B8d5Bf5c6e (Validators Exit Bus Oracle)
• expiry_timestamp == 1743465600 (it’s Tue Apr 01 2025 00:00:00 GMT+0000)
• is_expired == false

We vote FOR the proposal while we understand that having trust-minimized options for unexpected emergencies is crucial to keep the protocol safe and that Lido is still on the way to achieve making them into protocols as @TheDZhon explains here.

All deployments have been successfully validated by statemind.io, meaning that:

• All audited commits match the deployed contracts fully.
• All default configurations are correct.
• The contracts are ready for use.

See note contents for more details.

Snapshot vote ended

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has passed!
The results are:
For: 56.1M LDO
Against: 90 LDO

• @skozin departed the GateSeal multisig, and their address 0x2CAE3a4D4c513026Ecc6af94A4BA89Df31c8cEA3 was rotated to @theDZhon (Lido on Ethereum protocol team) with address 0x59f8d74fe49d5ebeac069e3baf07eb4b614bd5a7.

The on-chain vote is started! Lido DAO Voting UI
The main phase will end on Apr 25, 2024 at 14:08 UTC!

Please, participate in the voting to change the GateSeal on the Withdrawal queue and Validator exit bus oracle contracts!

The vote was enacted successfully and the GateSeal has been changed! Thank you for casting your votes!

GateSeal drill report
As proposed, the GateSeal drill took place on June 5th.
The drill’s goal was to check the Committee’s liveness and readiness, i.e., to ensure that the Committee members understand their responsibilities in case of emergency and have their keys at hand.
During the drill, the GateSeal Committee members were alerted of a presumed vulnerability in the Lido smart contracts. They had to act accordingly: communicate to get all the signers online, decide on the required actions, and apply the GateSeal by creating, checking, and sending a SAFE transaction from the Committee multisig.
The drill was successful, and all the signers were within reach and responsive. All the planned activities, from start to finish, took slightly under 25 minutes, meeting expectations regarding the GateSeal Committee response time. In the case of an actual emergency, the response time can be even better because of some specific technical imperfections of the testnet setup (e.g., lack of proper call data decoding in the SAFE UI).
After the drill, the GateSeal on the Holesky testnet was lifted, and the testnet setup resumed its regular functionality.
Huge thanks to all the participants and Committee members! We can sleep a little better from now on (but not everyone at once, please).

it’s a good idea

• All audited commits match the deployed contracts fully.