In-depth discussion on the governance crux of the DeFi protocol
Original Author: MIDDLE.X
image description
Leverage from NFT collectionLeverage V3 by Michaeln
Following the Steem incident, at the beginning of this year, Justin Sun, a topic figure in the currency circle, once again fell into allegations of governance attacks. As a giant whale holding more than US$1 billion in encrypted assets and the founder of the Tron public chain, Justin Sun’s address on the chain has been widely tracked by crypto detectives.
According to the GFX Labs report, in January 2022, the on-chain records showed that an address suspected to belong to Justin Sun borrowed a large amount of $MKR from AAVE, and proposed to create a DAI-TUSD trading pair in the community to support the exchange of the two at a fixed 1:1 exchange rate . After this behavior attracted attention, it was resisted by the community. In the end, the address did not use these $MKR to initiate a proposal, but returned it directly. In March, another address suspected to belong to Justin Sun borrowed a large amount of $COMP from Compound, worth about 13 million U.S. dollars, and recharged it into Binance. Soon, a new address received $COMP worth about 9 million U.S. dollars from Binance. The address used these $COMP to initiate a proposal to add TUSD as a collateral asset on Compound, and the proposal was eventually rejected by a vote with extensive community participation.
Although these two operations ended in failure, the incident triggered discussions on DeFi governance in the industry. Some people think that it is unacceptable for giant whales to directly affect governance decision-making by using their "money ability", and DeFi governance should not be reduced to money politics; Moreover, giant whales use their own financial resources to compete for asset access qualifications in DeFi, which will help increase the price of governance tokens. The increase in the price of governance tokens will in turn help motivate more people and more funds to participate. Why not do it?
Those who hold the latter point of view use the success of the liquidity incentive mechanism of the Curve protocol as the main argument. As an AMM trading market that focuses on stablecoins, Curve has created a liquidity incentive method: providing different $CRV rewards for liquidity providers of different trading pairs. percentage of votes received. This mechanism has triggered fierce competition among stablecoin project parties in governance voting, known as the "Curve War" in history. Many stablecoin project parties have tried their best to obtain more voting rights in order to strive for more liquidity.
Since 2020, the Curve protocol has been implementing such a liquidity incentive policy, which has made the Curve protocol a great success. By triggering the Curve War, the price of $CRV will increase, and the increase in the price of $CRV will stimulate more funds to provide liquidity for the Curve protocol. The increase in liquidity will further intensify the Curve War, a perfect flywheel effect!
No one thinks that Curve's governance is hijacked by money politics, but there is a genius project looking for rule loopholes in Curve War: Mochi Protocol
image description
*Using CVX to vote in Convest can indirectly affect the voting of veCRV in the Convet treasury, the process is simplified in the figure. *
At this point, you may be ambivalent about money politics in DeFi governance:first level title
The Real Problem in DeFi Governance
secondary title
First, governance leverage
The participation of giant whales in governance itself is irreproachable. The problem is that the suspected $COMP and $MKR used by Justin Sun’s address to participate in governance come from loans, not his long-term holding assets. If the address adds some kind of high-control asset to the agreement, it is entirely possible for him to "print money" and use the agreement as his cash machine, and he hardly needs to bear the price downside risk of $COMP or $MKR. This does not comply with the principle of incentive compatibility. The address borrows the governance pass through a decentralized lending agreement, and still needs to provide collateral. In fact, if the borrower does not have sufficient collateral assets, the governance pass can also be borrowed from others by issuing bond derivatives .
In Curve War, there is a lot of bribery. Projects participating in Curve War use meager rewards to motivate other people with voting rights to vote according to their will. Of course, the "meager" here is relative to their direct purchase of these voting rights. (Bribing elections also includes entrusting others to entrust votes to oneself through economic incentives. Since Curve’s governance does not have a delegation mechanism, this type of behavior does not appear in Curve War.)
Borrowing votes and vote-buying provide leverage to governance actors, making their voting power disproportionate to their responsibilities.
In addition, in many DeFi agreements, the governance participation rate is too low, resulting in a very low proportion of voting rights to decide important matters involving major funds or resources, which is simply a natural leverage. For example, on June 19, Solend made a decision to take over hundreds of millions of dollars of assets of a giant whale with only about a few hundred thousand dollars of voting rights, which is astonishing. This resolution was repealed by a new proposal due to strong community opposition.
secondary title
Second, no one guards the gate
The governance of DeFi is more complicated than other types of DAO governance, because the resources owned by DeFi are not only the funds in the agreement Treasure, but also the funds in TVL (in fact, the ownership of the funds in TVL does not belong to the DeFi agreement itself, which is also The reason why Solend took over the giant whale account caused huge controversy), for DeFi protocols, the most critical resources are often non-financial resources. For example:
Whitelist of collateral assets in lending agreement
Liquidity resources in DEX
The allocation of non-financial resources of the agreement through governance voting cannot be simply understood as a pure governance behavior, but has a certain nature of resource sales.From this perspective, Curve War can be understood as Curve's auction of its own liquidity resources. Since it is not politics, there is no such thing as money politics. (Governance tokens carry the power to allocate valuable resources, which is why the price is still skyrocketing after Compound officially announced that $COMP has no financial value. Those smart money have already realized this!)
The link that really leads to risk is that no one reviews the access of assets. Let’s compare the listing process of a centralized exchange. If a Web3 project wants to list its currency on a centralized exchange, most of the time it needs to pay a listing fee. In addition, the centralized exchange will conduct background checks on the project , if the back check fails, the token will not be listed. Responsible exchanges will probably not adopt the currency listing policy of "you can get in if you have money". However, many DeFi protocols do not have any risk control audit measures for the access of assets. Such an analogy is not entirely appropriate, but it can illustrate certain problems.
Although community members can spontaneously pay attention to governance proposals, they can also mobilize more members to vote against the proposal to add malicious assets, just like Compound and MakerDAO rejected the proposal of suspected Sun Yuchen address. However, this kind of spontaneous supervision of community members lacks responsibility and lacks professional ability. It is not a strong net, and there will always be "fish that slipped through the net" to take advantage of it. For example, the governance attack proposal against Build Finance on February 15 was quietly passed by a small number of votes controlled by the attacker without being noticed by the community. The attack made the assets of the protocol treasury almost zero, and made Build Finance fail completely, making it difficult to turn around.
first level title
How to remove governance leverage?
secondary title
▸ Defensive borrowing: exchange governance rights with locked positions
First, borrowing is relatively easy to defend, and both time-weighted voting and reputation-based voting can reduce the impact of borrowing. In fact, Curve's governance already employs time-weighted voting. Curve's governance power is realized by voting with veCRV instead of CRV, and veCRV needs to be obtained by locking CRV. The longer the lock-up time, the more veCRV you will get. For example, if you lock the position for 4 years, you can get 1 veCRV, and if you lock the position for 1 year, you can only get 0.25 veCRV.
There are two key points here. First, veCRV cannot be transferred. The reason why users in Curve War can lend veCRV to Convex, StakeDAO or Yearn Finance is because Curve has opened a whitelist for a small number of entities; The $CRV of $CRV is gradually approaching the expiration time, and the number of veCRV will decay linearly. To maintain the same voting rights, users need to constantly refresh the lock-up time.
The lock mechanism makes it impossible for anyone to obtain a large number of voting rights through short-term borrowing. If you want to get more voting rights, you must extend the loan period, which will bring huge costs to the borrower.
secondary title
▸Defense against vote bribery: Privacy technology may become a hope
Vote bribery is relatively difficult to defend against.
Although election bribery exists in real politics, it is not a climate change. Because the characteristics of secret ballots are: after the voter throws the ballot into the ballot box, the third party cannot know which option the voter voted for, and even the voter himself is difficult to produce reliable evidence to prove to the briber that he voted for a certain option. option, which makes the bribery transaction lack a credible basis.
And on the chain,The information of the bribery behavior is highly visible and easy to verify for the briber, but the identity information of the subject involved in the bribery behavior can be hidden, making it difficult to be held accountable. This is almost perfect soil for building a vote-buying market.In Curve War, vote-buying has become a routine method for participating in the war, and even special bribery service platforms have emerged. By using these platforms, token rewards can be exchanged for user votes.
veCRV bribery platform:
https://bribe.crv.finance/
vlCVX bribery platform:
https://votium.app/
Bride Protocol even more blatantly declared that it will be a general-purpose bribery platform. It also uses the banner of "helping DAOs increase governance participation rate" and "helping governance token holders extract governance value", intending to make the term "buying election" popular in the world. It has become a neutral term in the context of DeFi governance. It is true that election bribery can increase the governance participation rate, but what the DeFi protocol wants to see must not be such a falsely high participation rate.
image description
Hostessfrom NFT collection The Robberyby Cherry_Pie_NFT
So can we build a governance system where voting information is invisible? For example, using privacy technology, the voting information of a single user is no longer visible on the chain, and the outside world can only see the verifiable final voting results. Not only that, the voting users cannot show credible proof to the bribers to prove their votes Which option was given, or to whom the ticket was delegated. This is an idea provided by this article, and I hope that industry partners will discuss and explore together.
secondary title
▸Improve governance participation rate: Governance political parties and governance incentives
Even some benchmark protocols in the DeFi industry may not have a high governance participation rate. For example, the governance participation rate of Compound is only about 5%. This provides an incentive for some to extract benefits from the agreement through voting power. Low turnout has also prompted some protocols to achieve greater leverage through multiple layers of indirect governance, see Fei-Index-Aave's fairy operation for details.
From the perspective of practicing democracy, people always try to get more people to vote, but from the perspective of protocol governance security, the goal should be to get more votes into governance. If we change our goals, we can discover a new idea of governance—agreement parties.
Although some protocols have developed liquid democracies, allowing people to delegate governance tokens to others to indirectly participate in governance. However, this mechanism has been trapped by some factors and has been unable to significantly increase the governance participation rate.
Unless you are deeply involved in the community and know who are active contributors and their propensity to vote on governance, you still don't know who to delegate your votes to;
Delegated voters are not always active, and no one is asking them to stay active. They may actively participate in voting a few times and never vote again. Delegators don't seem to always pay attention to whether they should change the delegation, which makes some The ticket fell silent for a long time;
Most protocols do not provide rewards for participating in governance, which makes token holders more willing to put governance tokens in DeFi to earn interest.
This can be improved by bringing in a coalition with a specific voting preference, which we might call a "Party of Agreement". Protocol parties promise voters responsible voting participation in order to obtain votes, and protocol parties employ experts to carefully study each decision to do so.
Of course, in order for the agreement parties to have the motivation to participate in governance responsibly, and for the token holders to have the motivation to entrust votes to the agreement parties, the agreement needs to give sufficient incentives to the governance participants. The existence of governance incentives is equivalent to taxing those who do not participate in governance, which helps to wake up dormant votes. Governance incentives are divided into two parts, one part is the reward issued for locking the governance token, which is a bit like the Staking reward in the PoS public chain, and the other part is the reward for voting behavior, such as how many times you vote to get rewards, this part Rewards can be given to governing the party in the form of subsidies. The source of rewards can be inflationary issuance or protocol profits.
One thing to note here,The agreement political party should not issue its own governance certificate, otherwise it will create opportunities for doll-style leveraged governance similar to Fei-Index-Aave. Even if the agreement party issues a governance certificate, it should not directly determine its representative through its own governance vote. Instead, a professional committee should be appointed to make voting decisions.
first level title
How to set up the gatekeeping mechanism?
After Mochi’s governance attack, Curve banned Mochi Protocol’s qualifications to compete for liquidity through governance. However, compared with the “asset clearance” after the event, we need a pre-assessment access link to resist fraud, which is better To ensure the safety of funds of DeFi participants.
As mentioned earlier, in the current asset access mechanism of most DeFi, as long as you have enough money, you can get enough voting rights, and then put any assets you want to add into a DeFi: or as The collateral of the lending agreement is either used as a reserve asset for stablecoins, or is allowed to join a specific trading pair, which brings the risk of governance attack exposure. By eliminating governance leverage, we can increase the cost for attackers to obtain voting rights, but in addition, DeFi protocols should also have a set of gatekeeping mechanisms as the ultimate security barrier against malicious asset additions.
It is inappropriate for many token holders to review the access of assets, otherwise it will return to the original problem. The voting rights may be captured by attackers in a short period of time to carry out governance attacks, and it is impossible for all voters to do asset review. Responsible background checks. The possible way isVoters formulate a review standard and appoint a risk control team to back-check the assets and decide whether to release them.
It should be noted that once the standards are formulated, the review committee has no power to release assets that do not meet the standards, or prevent assets that meet the standards from being added, otherwise the agreement can remove or change committee members through governance voting. Of course, the audit criteria are only a few paragraphs of text after all, and in practice there must be the discretion of the audit committee. However, the review criteria should be as clear as possible (for example, a scale can be used to evaluate the degree of decentralization of an asset), so as to reduce the possibility of fraud or bribery by the review committee. It's like the separation of law and justice in realpolitik.
In fact, there is a structure similar to the "Senate" in Compound and SushiSwap. The "Senate" has the right to veto all governance proposals, even those that have been passed by a high number of votes. In practice, the "Senate" also assumes the role of asset access review and is responsible for rejecting the proposal that malicious assets are added. However, this mechanism is also controversial: supporters believe that the power of the Senate and the power of governance voting can check and balance each other, and achieve a structure similar to a bicameral system in democratic politics. Opponents believe that the Senate, which can veto all proposals, is entirely possible. Become the dictator of the agreement.
We think there are two core points here:
The scope of power of the Senate, apart from the right to veto proposals, does it have other powers? In some governance structures, the Senate also has the authority to suspend agreements and initiate emergency proposals. In some DeFi protocols in the early stages of development, the Senate has all superpowers. Permission to update the protocol code at any time. Different scopes of authority determine the nature of the Senate—dictator or gatekeeper. However, for DeFi, which is relatively early in its development, since the code is not yet mature and the economic system has not yet been verified, it is also helpless to let a dictator be the gatekeeper;
The election and removal of members of the Senate is determined by the governance vote. This determines whether the Senate is an independent entity of power, or just an agency of power delegated by governance votes.
first level title
summary
With the development of DeFi, some protocols have become the infrastructure of Web3, which have the attributes of public goods and protect the safety of participants' funds, which is the bottom line of DeFi development. Risk factors mainly exist in two aspects. One is that governance power may be magnified by financial leverage, resulting in governance with unequal rights and responsibilities. The other is the lack of a reliable asset access review process (gatekeeper mechanism), which is difficult even for fraudsters. Anyone who has money can add any asset to the DeFi protocol.
References:
References:
[1] Tron’s Justin Sun Accused of ‘Governance Attack’ on DeFi Lender Compound
[2] Avoid Governance Attacks, Governance Experience of Blue Chip DeFi
[3] CRV's income rights and governance rights
[4] A Comprehensive Research on DAO’s Security by Fairyproof
[5] The whole story of Solend governance turmoil
[6] The Other Side of DAOs: On-Chain Vote Buying and the Rise of Dark DAOs
[7] Build Finance DAO Suffers Governance Takeover Attack
