Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle

Proposals
1

Tl;Dr

One of the parts of Lido V2 is GateSeal :shinto_shrine: (GitHub - lidofinance/gate-seals: A one-time panic button for pausable contracts):

Initially, it’s been set up with an expiration date of 1 May 2024 (Lido V2 GateSeal Committee). The proposal seeks to prolong the functioning of the GateSeal mechanics for the following year.

Context

In essence, GateSeal allows to react to the unexpected in-protocol vulnerability. In the worst case of false-positive (pause contracts if no vulnerability is present), the potential downside is limited (only withdrawals get paused, and only by limited time). In that case, leaving the protocol the option to react faster-than-governance-flow seem to be a good call. In the future, committee-driven safety mechanics could be changed to a permissionless zk-proof system. Still, that future is quite far away: it requires both the maturing of production-level zk-based tech and the ossification of withdrawals part of the Lido on Ethereum.

Proposed decision

It’s proposed to use the new instance of the GateSeal Blueprint, deployed with GateSeal Factory:

The GateSeal Factory and GateSeal Blueprint contracts were audited during the V2 upgrade: GitHub - lidofinance/audits

The new instance of GateSeal will be deployed and announced under the post. The deployment verification by a third-party audit team will be posted before the on-chain voting as well.

The proposed parameters for the new GateSeal are:

Next steps

If the proposal is not opposed here on the forum, the snapshot voting starts on April 11.
If the snapshot voting is approved by the DAO, the on-chain voting starts on April 23.
Stay in touch and keep your keys ready to vote! :old_key:

GateSeal Committee chores

To check the liveness and readiness of the GateSeal, if the proposal is approved by the Lido DAO, it’s additionally proposed to:

  • Rotate at least one of the current six signers
  • Hold a GateSealing drill by DAO Ops team no later than 30 June 2024

Next page for GateSeal: Dual Governance

It must be noted that the GateSeal needs to be tweaked to fit the Dual Governance design.
The proposed designed is outlined here (Dual Governance mechanism design overview - HackMD) but it could change after the internal reviews and audits.

10 Likes
2

As a GateSeal signer I’m all for the proposal. Having a GateSeal sounds like a way better thing than not having it at this time.

6 Likes
3

Thank you for kicking off the process of the GateSeal renewal.

Having such a power-limited but important one-time panic button is good to mitigate highly hypothetical still should be considered catastrophic events.

I expect that for this to happen, it would require having not only a zk-proof system, but its complete formal verification on the level of bytecode and no more changes, e.g., for EVM itself, which is hard to guess when happens.

Therefore, to me, prolonging the GateSeal protection would be wise and prudent.

4 Likes
4

Yeah, having an impact-limited circuit breaker seems pretty reasonable until the protocol is fully ossified. In the future, I see the following process of improving it:

  1. Formulate a complete set of invariants that must be kept by the protocol and replace the committee-driven circuit breaker with an invariant-based circuit breaker, i.e. allow anyone who can prove a given state transition breaks an invariant to trigger the GateSeal.
  2. Formally verify the protocol code on the bytecode level against these invariants, ossify the core protocol code, and remove the circuit breaker mechanism.

Both of these steps would require significant effort and time to be implemented but set the goals to pursue in the long run. Until then, I’d be for keeping the committee-driven GateSeal.

4 Likes
5

Hey there,
wanted to suggest a change in the LidoDAO GateSeal Committee as a part of the upcoming Snapshot voting

2 Likes
6

Snapshot vote started

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has started! Please cast your votes before Fri, 19 Apr 2024 15:00:00 GMT :pray:

3 Likes
7

The new instance of GateSeal Blueprint was deployed: 0x79243345eDbe01A7E42EDfF5900156700d22611c

The parameters of the contract are:

2 Likes
8

We vote FOR the proposal while we understand that having trust-minimized options for unexpected emergencies is crucial to keep the protocol safe and that Lido is still on the way to achieve making them into protocols as @TheDZhon explains here.

8 Likes
9

All deployments have been successfully validated by statemind.io, meaning that:

  • All audited commits match the deployed contracts fully.
  • All default configurations are correct.
  • The contracts are ready for use.

See note contents for more details.

5 Likes
10

Snapshot vote ended

The Renew GateSeal for the Withdrawal Queue and Validator Exit Bus Oracle Snapshot has passed! :partying_face:
The results are:
For: 56.1M LDO
Against: 90 LDO

3 Likes
11
  • @skozin departed the GateSeal multisig, and their address 0x2CAE3a4D4c513026Ecc6af94A4BA89Df31c8cEA3 was rotated to @theDZhon (Lido on Ethereum protocol team) with address 0x59f8d74fe49d5ebeac069e3baf07eb4b614bd5a7.
12

The on-chain vote is started! Lido DAO Voting UI
The main phase will end on Apr 25, 2024 at 14:08 UTC!

Please, participate in the voting to change the GateSeal on the Withdrawal queue and Validator exit bus oracle contracts! :pray:

3 Likes
13

The vote was enacted successfully and the GateSeal has been changed! Thank you for casting your votes!

4 Likes
14

GateSeal drill report
As proposed, the GateSeal drill took place on June 5th.
The drill’s goal was to check the Committee’s liveness and readiness, i.e., to ensure that the Committee members understand their responsibilities in case of emergency and have their keys at hand.
During the drill, the GateSeal Committee members were alerted of a presumed vulnerability in the Lido smart contracts. They had to act accordingly: communicate to get all the signers online, decide on the required actions, and apply the GateSeal by creating, checking, and sending a SAFE transaction from the Committee multisig.
The drill was successful, and all the signers were within reach and responsive. All the planned activities, from start to finish, took slightly under 25 minutes, meeting expectations regarding the GateSeal Committee response time. In the case of an actual emergency, the response time can be even better because of some specific technical imperfections of the testnet setup (e.g., lack of proper call data decoding in the SAFE UI).
After the drill, the GateSeal on the Holesky testnet was lifted, and the testnet setup resumed its regular functionality.
Huge thanks to all the participants and Committee members! We can sleep a little better from now on (but not everyone at once, please).

6 Likes
15

it’s a good idea

  • All audited commits match the deployed contracts fully.
16

GateSeal Renewal for 2025-2026

Hey everyone! I’m happy to share that Lido DAO has recently approved the Snapshot vote, which proposes to extend the on-chain voting duration from 3 days to 5 days in order to increase participation and improve security:

Tané and Lido DAO Ops contributors are proposing to extend on-chain voting duration for better participation and security:

Main phase: 48h → 72h;
Objection phase: 24h → 48h.

The GateSeal duration extension was also included in this snapshot vote: to maintain the security and efficiency of the GateSeal mechanics, the seal duration was proposed to be twice the governance reaction time plus one day. As a result, the new GateSeal duration was proposed to be 11 days.

There are currently two separate GateSeal contracts involved in the Lido protocol, serving as one-time panic buttons for critical contracts in case of an emergency:

It is proposed to renew both GateSeals in the upcoming on-chain vote, along with an extension of the voting duration. The deployments of new instances for the GateSeal and CSM GateSeal contracts will use the same GateSeal Blueprint and GateSeal Factory referenced in the initial post, using the same set of parameters, except for the seal duration:

GateSeal

CSM GateSeal

Deployment and Verification

The new instances of the GateSeal and CSM GateSeal contracts will be deployed and announced under the post. The deployment verification by a third-party audit team will be posted before the on-chain voting as well.

GateSeal Multisigs

There is a Lido DAO Ops Multisigs Policy (revised) proposal that aims to optimize multisig governance for scalability, enhance security measures, and ensure a clear framework that aligns with the fast-moving nature of Web3 governance. Be sure to check it out!

Next steps

  • New GateSeal and CSM GateSeal contracts will be deployed
  • Deployment verification will be performed for both GateSeal contracts
  • On-chain vote will follow
4 Likes
17

We sincerely appreciate the careful consideration put into this proposal and the parameter updates. It’s clear this is an important next step, and we are eager to see its successful implementation.

2 Likes
18

Hey-hey :waving_hand:

New GateSeal contracts have been deployed:

Both will expire on Sun Mar 01 2026 00:00:00 GMT+0000 and have a seal duration of 11 days.
Deployment verification reports are coming soon!

1 Like
19

The deployment verification for both GateSeal contracts was conducted by Statemind and the report is available on Github:

2 Likes
20

:rocket: Voting has started! :rocket:

Vote #184 is now live, and your participation matters! :sparkles:

The vote will remain open for your “For” or “Against” input until the end of the main phase: Mar 20, 14:15 UTC.

Please check this guide for instructions on how to verify the vote items.

Let’s keep Lido governance transparent and decentralized!

2 Likes