Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle

Tl;Dr

One of the parts of Lido V2 is GateSeal :shinto_shrine: (GitHub - lidofinance/gate-seals: A one-time panic button for pausable contracts):

Initially, it’s been set up with an expiration date of 1 May 2024 (Lido V2 GateSeal Committee). The proposal seeks to prolong the functioning of the GateSeal mechanics for the following year.

Context

In essence, GateSeal allows to react to the unexpected in-protocol vulnerability. In the worst case of false-positive (pause contracts if no vulnerability is present), the potential downside is limited (only withdrawals get paused, and only by limited time). In that case, leaving the protocol the option to react faster-than-governance-flow seem to be a good call. In the future, committee-driven safety mechanics could be changed to a permissionless zk-proof system. Still, that future is quite far away: it requires both the maturing of production-level zk-based tech and the ossification of withdrawals part of the Lido on Ethereum.

Proposed decision

It’s proposed to use the new instance of the GateSeal Blueprint, deployed with GateSeal Factory:

The GateSeal Factory and GateSeal Blueprint contracts were audited during the V2 upgrade: GitHub - lidofinance/audits

The new instance of GateSeal will be deployed and announced under the post. The deployment verification by a third-party audit team will be posted before the on-chain voting as well.

The proposed parameters for the new GateSeal are:

Next steps

If the proposal is not opposed here on the forum, the snapshot voting starts on April 11.
If the snapshot voting is approved by the DAO, the on-chain voting starts on April 23.
Stay in touch and keep your keys ready to vote! :old_key:

GateSeal Committee chores

To check the liveness and readiness of the GateSeal, if the proposal is approved by the Lido DAO, it’s additionally proposed to:

  • Rotate at least one of the current six signers
  • Hold a GateSealing drill by DAO Ops team no later than 30 June 2024

Next page for GateSeal: Dual Governance

It must be noted that the GateSeal needs to be tweaked to fit the Dual Governance design.
The proposed designed is outlined here (Dual Governance mechanism design overview - HackMD) but it could change after the internal reviews and audits.

10 Likes

As a GateSeal signer I’m all for the proposal. Having a GateSeal sounds like a way better thing than not having it at this time.

6 Likes

Thank you for kicking off the process of the GateSeal renewal.

Having such a power-limited but important one-time panic button is good to mitigate highly hypothetical still should be considered catastrophic events.

I expect that for this to happen, it would require having not only a zk-proof system, but its complete formal verification on the level of bytecode and no more changes, e.g., for EVM itself, which is hard to guess when happens.

Therefore, to me, prolonging the GateSeal protection would be wise and prudent.

4 Likes

Yeah, having an impact-limited circuit breaker seems pretty reasonable until the protocol is fully ossified. In the future, I see the following process of improving it:

  1. Formulate a complete set of invariants that must be kept by the protocol and replace the committee-driven circuit breaker with an invariant-based circuit breaker, i.e. allow anyone who can prove a given state transition breaks an invariant to trigger the GateSeal.
  2. Formally verify the protocol code on the bytecode level against these invariants, ossify the core protocol code, and remove the circuit breaker mechanism.

Both of these steps would require significant effort and time to be implemented but set the goals to pursue in the long run. Until then, I’d be for keeping the committee-driven GateSeal.

4 Likes

Hey there,
wanted to suggest a change in the LidoDAO GateSeal Committee as a part of the upcoming Snapshot voting

2 Likes

Snapshot vote started

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has started! Please cast your votes before Fri, 19 Apr 2024 15:00:00 GMT :pray:

2 Likes

The new instance of GateSeal Blueprint was deployed: 0x79243345eDbe01A7E42EDfF5900156700d22611c

The parameters of the contract are:

2 Likes

We vote FOR the proposal while we understand that having trust-minimized options for unexpected emergencies is crucial to keep the protocol safe and that Lido is still on the way to achieve making them into protocols as @TheDZhon explains here.

7 Likes

All deployments have been successfully validated by statemind.io, meaning that:

  • All audited commits match the deployed contracts fully.
  • All default configurations are correct.
  • The contracts are ready for use.

See note contents for more details.

5 Likes

Snapshot vote ended

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has passed! :partying_face:
The results are:
For: 56.1M LDO
Against: 90 LDO

3 Likes
  • @skozin departed the GateSeal multisig, and their address 0x2CAE3a4D4c513026Ecc6af94A4BA89Df31c8cEA3 was rotated to @theDZhon (Lido on Ethereum protocol team) with address 0x59f8d74fe49d5ebeac069e3baf07eb4b614bd5a7.

The on-chain vote is started! Lido DAO Voting UI
The main phase will end on Apr 25, 2024 at 14:08 UTC!

Please, participate in the voting to change the GateSeal on the Withdrawal queue and Validator exit bus oracle contracts! :pray:

3 Likes

The vote was enacted successfully and the GateSeal has been changed! Thank you for casting your votes!

4 Likes