DAO Treasury Migration Proposal

image1187×675 153 KB

Proposal for Enhancing Security Measures of HYDRA DAO Treasury with Multisig Administration

Introduction

As part of the effective decentralization of the HYDRA DAO, a key element lies in ensuring no single entity or individual can have power over the DAO.

In order to enable the highest standard of transparency and technology, the founders and operations team have undertaken the initiative to deploy the tooling to enable the next step in this security upgrade.

The Gnosis multisig system, renowned for its robust security features, has been adeptly forked and tailored for the HYDRA Blockchain. This adaptation preserves the full functionality of the original Gnosis platform, offering a user-friendly interface that significantly enhances transactional capabilities on the HYDRA network. The system allows for straightforward receiving and sending of HYDRA and HRC20 tokens, along with executing complex contract operations.

A key feature is its ability to directly interact with smart contracts. For instance, the HYDRA DAO Treasury can perform direct contract operations, such as executing swaps via the DEX, without relying on secondary wallets with both: the sender and the recipient being the smart contract multisig contract. This functionality is critical for implementing resolutions efficiently and securely within the DAO framework as well as ensuring flexibility in the future.

The gnosis fork is already tested, deployed and production ready on https://multisig.hydrachain.org

We now propose a structured approach to administer the HYDRA DAO Treasury, ensuring optimal security and alignment with community values.

Multisig Administration Structure

The administration is segmented into three distinct groups, each with a unique role and selection criteria:

1. Founders Group

• Role: Strategic oversight and decision-making.
• Criteria: Proven responsibility, comprehensive vetting, and strong community standing.

2. Key Operations Group

• Role: Handling key operational workload and having demonstrated strong practical expertise in the Hydra Ecosystem. Elected by the community with strong vetting in the process.
• Criteria:
  • Active involvement in HYDRA’s daily operations.
  • A minimum of 2 years of positive contributions with an outstanding reputation in the community.
  • Mandatory community approval, reflecting their capacity to lead and support the community.

3. Trustless Community Group

• Role: Ensuring the broader community’s interests are represented for a more democratized model while relying upon on-chain “loyalty”.
• Enhanced Criteria:
  • No association with staking pools or founding team members.
  • Extensive 2+ years of on-chain activity reviewed to confirm their commitment to HYDRA’s success. As a methodology : staking activity, balance weight, loyalty expressed by lack of liquidation and stable on-chain pattern.
  • Holders of significant HYDRA stakes, collectively amounting to ~4M HYDRA, demonstrating a strong vested interest which is representative of the open market investors.

Limitation: Since the treasury council needs to be flexible and be capable of signing multiple requests relatively fast, going for a too broad setup may be limiting. Most other protocols usually limit the treasury multisig to less than 10 members, as the security improvement beyond 5 members is rather theoretical.

Proposed Members

• Founders Group:

• Nikola Alexandrov
• Hristo Tenchev

• Key Operations Group:

• Florian Pfeiffer (CCO LockTrip & Hydra Community Admin)
• Myra Aranjo (Proposed Hydra DAO Secretary & Hydra Community Admin)

• Trustless Community Group: Selected based on rigorous on-chain analysis criteria. These 8 wallets collectively represent ~4M HYDRA stake in the network and have demonstrated outstanding loyalty of holding on to their HYDRA through both good and bad times. They have also actively staked and supported the security of the network.

HB35PMmQ9MT2wT1khnm8nLqa8WJVUDMKgG
HKL6s7gVebzVPACrGFXUgtwDRFhWHHd6cg
HK6zDXeigGa5Yke2kYboidtbDwaCnQv8VZ
HDU5yiJseHQDbz6U1zVD2oxoYRNFYDPt6N
HHJFtLFJUDryscuLDiCK2W4XPxAUf3Ma2c
HKFZLJwtVxsHmtQSDhLAZ3eEunz6jpNbAJ
HH6z5NMNo43TKQ5VTmcxmA4a1ZsLrPeWN6
HVT7SqGSkbRgz88Zo27duetdUdJTxJoncG

Being a Treasury Admin would be a responsible task since enrolled members would be counted on to follow, engage, sign and communicate when needed. Not all members are expected to confirm their interest. The ones that do will need to act responsively.

Consensus Mechanism

Depending on the number of trustless wallets that confirm their engagement, a policy for consensus will carefully be selected.

This proposal is based on an estimated 4 community members who may confirm their enrollment, resulting in a tentative 8 admins as a target with a 5/8 policy setting for consensus. 1 mandatory signing member from the community will be a strong addition to the DAO secretary who is also technically elected by the community and independently from the founders’ team.

• Composition: Eight administrators across the three groups. Consensus to require all three groups to “work” on ensuring each transaction is correctly reflecting the trustless will of the HYDRA DAO.
• Requirement: A tentative 62.5% consensus (5 out of 8) for transaction approvals. This threshold ensures decisions have strong support while reducing the likelihood of decision-making stalls.

As security considerations for this consensus policy:

• Too strong policy requirements could potentially make the treasury less agile and prone to stalls if lack of engagement is present from community/trustless admins
• Too weak policy could not effectively utilize the strenghts of the multi-sig security

Role and Responsibility of Treasury Admins

• Technical Role: Admins are responsible for ensuring the technical implementation of the DAO’s will, without possessing any authoritative power. In simple terms, whatever the DAO votes, the admins should execute. And if an admin is not following the will of the DAO, other admins can vote for an ousting. By default the same 5 out of 8 policy is valid for adding or removing new admins.
• Open Applications: Community members aspiring to be admins can apply, subject to the same standards and an additional on-chain vote by the DAO.
• Protective Measures: Any DAO treasury admin who is disengaged, unresponsive and/or simply not complying with the DAO will to be ousted by the DAO consensus and reported to the community, with appropriate consensus policy update to ensure proportionate risk management. Trustless admins who experience a drop in balance stronger than 20% relative to their wallet size at time of admission, will automatically be excluded to protect against situations where an admin exits the system and potentially goes rogue.

Migration Timeline and Phases

Subject to DAO approval, the migration will occur in three phases:

1. Phase 1 - Initial Trial:

• Migrate 200,000 HYDRA from current Treasury Wallet: H6hXSKCWScjx53KAHXWGYAU7uMs7oGJNTb to test the new system’s functionality and ensuring all transactions are routed from the multisig.

2. Phase 2 - Full Migration:

• Upon successful trial validation, transfer the entire remaining treasury amount.

3. Phase 3 - Post-HydraGon Review:

• Review and potentially enhance the system post-HydraGon launch, incorporating new insights and capabilities.

Future considerations: according to an already pre-approved community vote, the DAO treasury is supposed to receive an on-going inflow of funds from the core emissions. The current treasury provides a comfortable cushion for the operation to continue without activating these additional emissions. However, at some point in the near future, it is worth exploring the optimal way for this to be activated. HydraGon could be a good opportunity window for this activation.

Room for improvement

This proposal is drafted with consideration of all known factors involved, but may still be prone for further improvement. It should also stand as an open invitation for a public discussion to any interested community member on such possible improvements.

Conclusion

This comprehensive multi-sig administration proposal for the HYDRA DAO Treasury strategically combines the wisdom and vested interest of founders, the operational expertise of involved key operations members, and the independent vested interest of trustless community representatives which will continuously be re-evaluated based on their balance and on-chain activity.

The proposed structure, coupled with a careful migration plan and a clear consensus mechanism, not only secures the treasury but also ensures it operates in harmony with the DAO’s principles and the community’s aspirations. This balanced approach is pivotal step as part of a long-term plan for democratization and success of the HYDRA protocol.

Considering the substantial marginal improvement over existing treasury safeguarding policy, this is recommended with high priority vote in the upcoming voting session.

Summary of Proposal:

• Migration of the DAO Treasury to a multi-sig contract for increased security
• Three proposed eligibility groups for admin membership
• 12 shortlisted members proposed for the start with a tentative setup of 5/8
• Framework for the eligibility and retainment of membership
• 62.5% consensus requirement for transaction approvals

Wow, this is exciting! The DAO has just leveled up !!! Great work team! Looking forward to the community members stepping up to play their part in all this.

It’s a much needed proposal; having a multi-sig will definitely serve to strengthen the trust among the Community. I have a question, though, and would like to see how others feel about the proposed group of trustless signees. Based on the criteria mentioned in the proposal (on-chain wallet activity over time) It seems to me that it is possible that the owners of the wallets selected for that function can belong to the first three proposed Treasury Members (two founders and Florian), which would obviously not be ideal. Technically speaking, isn’t possible, in theory, that all those wallets belong to one, two, or three individuals? Any comments on this?

Will the Community know the wallet addresses of the proposed first four members (without knowing the actual ownership, just the list of the four wallets) same as we will know the wallets of the trustless signees? It seems only fair.

My comments and questions should not be construed as the lack of trust in the two founders or Florian!

Yes that’s a good point. And if group members are ever changed we’d again need to verify the new member with the same process. But how do you prove someone doesn’t own a wallet? Can you trust that they’ve declared all of their wallets?

Will the founders group ever change? What if something happens to an admin and they go MIA? Is the only failsafe we have is to depend on a 5/8 consensus for membership changes?

Hey Azulene, the trustless wallets are not duplicates to the founders group and/or to the Key Ops group.

Ensuring no duplicity occurs was a main consideration as that would cancel the whole point.

We did a careful examination of on-chain data to ensure no association and have explicitly mentioned it as the first criterion (see screenshot below). If there’s such the council should immediately oust such a wallet.

//
Here’s a screenshot from original thread:

image789×264 17.2 KB

…Maybe worth adding also "Key Ops " to the excluded group, just to make sure it is clear for it as well.
//

With that being said, after a more extensive analysis, 1 of the 8 trustless wallets is however associated with an independent advisor who participated back in the LockTrip ICO (a professional advisor with a strong career track record, good reputation, and strong stake in several other projects). The wallet is HDU5yiJseHQDbz6U1zVD2oxoYRNFYDPt6N.

On-chain data shows that the individual has demonstrated strong support over the course of the project and has not been involved in any way in the operations since 2017.

We gave a lot of thought to whether to disqualify that wallet, just as a precaution,
and I am glad you are bringing up this topic because I would appreciate your opinion on this.

Keep in mind like all other trustless wallets, we have absolutely no idea whether this individual will enroll to be part of the Trasury Admin Group or not.

Yes, if the proposal is approved, the 4 treasury admin wallets of the trusted members (founders and key ops) will be publicly defined.

Either way, the multisig requires on-chain consensus which immediately exposes the signing parties. The Treasury multisig is a contract with a static address that can be bookmarked and observed in the explorer.

And we have already pointed out the trustless wallets even before knowing which one of them will enroll, which is why this was not explicitly stated.

It will be visible how each wallet votes and whether any wallet is compromised and starts acting in conflict with the majority.

This will be available as info through the explorer to the community. The great thing of having on-chain activity.

I appreciate this answer, Nikola. What would be the verification process for the wallet ownership? For argument’s sake, let’s say Mike Malarek and I both come forward and declare that we own one of the wallets. How will the ownership be verified?

Q re: association with staking pool. This refers to a true staking pool (CEX or private) and not to a Superstaker, correct?

Is it possible to include an amendment to the voting mechanism? I think that there should be a mechanism to include vote delegation. This will ensure further decentralization. As it is, most of the delegators choose not to vote because 1) they are in “Set it and forget it” mode and 2) they are mostly on mobile and are unable to select a utxo.

It would be very helpful to include those small- and mid- size wallet Delegators in the dao vote by allowing them to delegate their vote. To ensure this feature functions as intended, it’d have to be included in the mobile wallet app and enabled to select post-delegation.

Thank you!

On-chain ownership verification will be easy to organize.

For example, trustless wallets can be asked to deposit a 0.1 HYDRA to a wallet designated for the multisig operations.

Then as a second hop, they can re-deposit the same 0.1 HYDRA inside the gnosis wallet from that second wallet.

Both transactions will act as one, providing unequivocal proof that it was the original trustless wallet that deposited the 0.1 into the gnosis, and in the process the signing wallet will be included as a mid-stop.

To illustrate:
Wallet1 is eligible

Wallet1 → sends 0.1 HYDRA → Wallet2
Wallet2 → deposits the same 0.1HYDRA to the multisig contract

The chain of transactions [Wallet1 → Wallet2 → Multisig Contract] acts as one verification enrollment.

DAO whitelists Wallet2 after ensuring it is the child of Wallet1.

After verifying this, Wallet2 will be added as admin to the multi-sig contract, and ongoing monitoring will be conducted on the original wallet, to ensure they don’t dump their holdings in Wallet1. If balance of Wallet1 drops 20%, DAO secretary will immediately initiate ousting vote among the treasury admins to kick Wallet2 out.

Both the 1st and 2nd wallets will be treated as one in the context of the system, and the entire process will be 100% based on on-chain data with the community observing it in real-time.

In regard to the delegation question:
If the question is in context of the Gnosis multisig: This is unfortunately not possible with Gnosis, because it works with private keys. Gnosis is specialized for multi-sig operations and not governance voting/delegations. It is the number one preferred protocol for treasury safeguarding due to its proven security and UI.

Also don’t forget that the DAO Treasury is just a tool. It has no authority on its own. Whatever the community decides via governance must be executed by the DAO Admins. It is a 1)Propose & Decide → 2)Execute flow, with no special authority on the executing side. Just obligation to follow orders by the deciding side that precedes it. And if the treasury admins don’t it will be evident and they will be kicked out immediately. The outcome, much stronger security in the handling of the non-custodial DAO funds and in the enforcing of the governance decisions.

Thanks for detailed explanation. I fully understand the on-chain verification. But how can Community verify who are those wallets’ owners, Telegram entities, at least? Malarek and I just made a skit of demonstrating that anyone can claim those are their wallets. Because technically speaking, all those wallets can still belong to one person.

What exactly will the admins be approving? “Send X coin from the treasury to Y wallet”. Or something more complex?

So I would like to propose Azulene, who has been an active community member who actually built Stray on hydra from the beginning and has the trust of holders of almost half a million hydra, as a Community DAO Admin. This makes far better sense then picking the biggest wallets.

Essentially, they’ll be signing transactions approved by the DAO. For example, when it’s time to send 30,000 Hydra to a marketing agency, instead of one person (I assume currently one person signs it), the group of admins will have to approve each transaction.

How much time do the big 8 have to make their interest known?

Thank you for your trust, Michael! Not sure how we could include STRAy Pet wallet on the list. But I agree that this is a good mechanism. To select among active, long-term Community members, regardless of the amount of HYDRA they hold. I would also like to see you and several other people on that list. Each person can be verified using mechanism Nikola had delineated, an on-chain transaction. Using a group dm for instructions, for example.

I think that the following people—who have been active—could serve that role (just my idea, not a comprehensive list):
M. Malarek
Adi
AndreFerrera
Paweł
HydraSupeeMan
LegitParabolic
DavidStone
Jop
JWV
and so many others who are worthy and trustworthy

Hey Azulene! I think the point of the “Trustless Community Group” category is that it is indeed not possible to verify (unless they out themselves) - hence why it needs to be trustless.

This is a common challenge with decentralized systems. Since you can’t rely on trust, the solution is based on alignement. By aligning the incentives of involved parties, you minimize the risk of unintented outcomes.

Hence all of the 8 proposed wallets own very significant amounts of HYDRA, with the additional criteria that they have a long staking history along with low amount of liquidations.

These were some of the characteristics based on which the wallets were chosen.

I understand this. Not sure how to ask it any clearer, but how do we know that these wallets do not belong to one or two parties? As a Community, we do not. Which is why I am not sure that this is the best mechanism or criteria for selection. Going forward, say 3 years from now, this will not be a topic of discussion because everyone will assume that it is what it is. I think we need to get it right the first time. I am unsure that I like the criteria for selection. It should not be about who had the most Hydra or who has been staking it longest. But I understand that I am probably in minority here. Just wanted to voice my opinion.

You can verify that there are no duplicates, because each of the listed wallets enrolled in the HYDRA airdrop (which can be confirmed via their individual transaction histories). Since the airdrop involved a KYC procedure, it is not possible for two wallets to belong to the same person.

For the post-HydraGon period I am pretty sure that the system could be iterated further. Just to give an example, the fact that the DAO will become protocol-integrated may allow for interesting new possibilities to further iterate on the treasury multi-sig concept. The vesting mechanism is also something that could be taken advantage.

Just brainstorming

Sounds good. But in a nutshell, can the owner of the wallet with a custom-looking label come forward and do we want him to sign our transactions?

I mean, who among us calls himself the
HHJFtLFJU-DryscuLDiCK-2W4XPxAUf3Ma2c? It looks like a custom-made label so it cannot be a random community wallet

Generally it is not possible to create custom wallets - neither by community members nor by team members. However, what one can do is to keep generating wallet after wallet until one of them has a funny name

Dear @FloSupp @nikolaalx and team,

I think Azulene and MMalarek are right in their observations.

And also their/our concerns are not being addressed about how we know who owns those wallets? Anyone can claim so.

Also while the proposal overall is great and taking HYDRA in a super positive direction - I find it hard to take completely serious if trusted community members such as Azulene and the list of other trusted community members mentioned such as M. Malarek, Adi, AndreFerrera, Paweł, HydraSupeeMan, LegitParabolic, DavidStone, Jop, JWV (and perhaps even many others) are not included in one capacity or another into such a multisig proposal.

They should obviously still be rated based on some criteria which we agree on together as a community (it is a great idea to also include a “long holding” criteria as one of them).

Idle wallets holding large bags of HYDRA in silence does in no way or capacity represent trusted entities in comparison to community members who daily makes an obvious difference🙏

Can you please consider changing/rethinking this before moving forward with a vote?

Best regards

Martin / Be_kind_and_humble (who just felt like making a new user name)