HIP: 21
title: Amend the rules of the “Mission Board”
author: @Mads
status: Phase-3
created: 2021-07-06
amends: HIP-7
Summary
This proposal is to amend the Mission Board, instituted by HIP-7, by clarifying the scope of power and adding rules for dispute resolution. A 5th member and a tie-breaking vote are also added for the case when the board cannot come to unanimous consent.
Abstract
The Mission Board needs to function also in the case when decisions are disputed. Therefore we need some simple rules for what happens when there is no consensus. This proposal clarifies what happens in case of dispute, clarifies the limit to the power of the board, and adds two tie-breaking mechanisms - a 5th board member and a tie-breaking vote.
Motivation
A board member contacted me about concerns about the functioning of the board. HIP-7 made the board sound too much like management, and the powers could be interpreted too broadly. In addition, it assumed that the board would function completely without disputes, which was a bit naive. So this proposal seeks to address these issues by adding mechanisms for dispute resolution. The biggest mechanism is adding a 5th board member for election immediately, making the board an uneven number.
Specification
Amend HIP-7 with the following paragraphs:
Power Scope:
The board is NOT management cannot direct any actions unless it relates to a decision by the DAO (Such as if a proposal is correctly passed according to HIP-5).
The board has, however, broad power to interpret the rules of the DAO, including filling in details not specified in a proposal. (Such as a proposal calling for an election and deciding to hold a quadratic voting election with pre-announced candidates).
Dispute resolution:
A board member can judge whether a proposal or action follows the rules of the DAO. When acting in this way, the board member must clearly state it (instead of just stating an opinion as a normal PoH member).
Any member can ask another board member to weigh in on a judgment.
If the board members disagree on the judgment, they will need a majority vote among the board members to make a final decision.
A tie-breaking vote will be held by the board member whose seat will be up for election at the latest date. (Tie-breaker is added for the case when a seat is unoccupied or a member abstains from voting)
Election rules:
A board member can step down, leaving their seat unoccupied.
Unoccupied seats are immediately up for election.
A seat can maximally be occupied for 5 years before a new election for that board seat is required. (The interim board members are still limited to 1 year as pr. HIP-7)
A 5th member:
An unoccupied 5th seat is opened on the board.
Rationale
This proposal attempts to contradict nothing in HIP-7, neither the spirit nor the letter. This was chosen over a complete revision to keep the governance more consistent.
Those are handled by the governor contract, the board cannot technically handle those.
After those clarifications, it may just be easier to completely dissolve the board as it has been used as a political tool to stall actions from being taken and contains an inactive member.
I am not familiar with the govenor contract - could you elaborate? Anyway, even if we use automated tools, someone still has to manage these tools.
I think it should be possible to point to HIP-7 and tell a board member that they are going beyond their authority.
Perhaps we should simply put all 5 positions on election? My original impression was that the people managing the gnosis auction were an active group that enjoyed strong implicit trust from the creators of the DAO. If this is not the case, then there is little reason to grandfather them in.
Well anyone can manage those tools, see this article.
The gnosis auction was managed from the governor directly not by trusted individuals (which is quite wonderful by the way).
I think you are referring to the original multisig (used early stage but all the assets have been transferred to the governor).
You are right, I meant the multisig. All I wanted to say was that the creators of the DAO put some trust in these people, that was why I trusted them. If they don’t really have strong trust then my original point was moot and we should hold elections.
On the point about the governor - even if anyone can use these management tools we still need a trusted group to choose which tools to use and set them up in a fair way.
I don’t think this term limit is necessary. What issue does it address? I think board members should be able to run for continued terms.
I propose the following powers be added to the responsibility of the Mission Board. One challenge to the DAOs process is how slow it is. If a serious vulnerability is discovered or exploited waiting days (or weeks) for action is unrealistic. An attacker could further slow response by challenging corrective actions in the governor. Time is necessary for a DAOs democratic process but a weakness for emergency response.
It would need to be implemented on the contracts, but granting emergency shutdown power to the mission board makes sense. The intention would be the board can (through majority vote) halt PoH/UBI. The halt would be immediate, and permanent until reversed by the DAO.
Emergency Powers:
The mission board, by majority vote, can suspend the registry. Once suspended only a decision by the DAO can renew operation.
The mission board, by majority vote, can freeze UBI. Freezing will prevent any newly dripped UBI from being transferred (but not stop the drip). Once frozen only a decision by the DAO can renew operation.
I don’t think the DAO would need to recentralize. The system was made to be decentralized and giving some emergency powers would:
Require some dev work.
Add security risks (even assuming that the board is honest, it would be possible to kidnap board members to make them shut down the project, this can be done by classic criminals and criminal states).
Make board members bear legal risks. For example, I’ve been threatened of legal action by someone who made his registration video naked (we couldn’t see his private parts as the camera was shooting above it, but could guess it, the issue was resolved by asking him to unregister and make a new application which would mean the previous one would not be displayed). This is due to the frontend hosting not being decentralized. This was just an annoyance (and I’d expect someone else to run some frontend if we had to censor the current one) as it targetted something that anyone can run. Now imagine what those guys could do if the board could shut down the entire system. Control is a liability and we should avoid it as much as we can.
We’ve been working for quite some times to make permission-less and credibly neutral systems. I think it should be our goal to keep it that this way.
Legal risks is a good point, so is criminal targeting. I hand’t thought of being coerced into shutting down. But would it be a real risk? It would temporarily pause and the DAO could elect a new board (even with anon members) before unfreezing.
I am not sure I would characterize it as centralizing. We have other centralized weaknesses that we accept as well. For example Kleros could be ordered to take the IPFS cluster offline.
It is always a difficult balance. But it should be clear that choosing not to have this means we are ok with watching a vulnerability play out for days or weeks before we are able to respond.
If the DAO can remove the board yes. But that’s still a personal risk to board members.
Sure, but there are multiple clusters and it would probably lead to a Streissand effect of having more people running those clusters.
Ideally there should be no vulnerability. It’s a smart contract who had 2 authors and 8 reviewers + bounties. There is always a smart contract risk, but it’s pretty low. Also the registry could be forked (keeping everyone registered) same as for UBI.
Moreover most attacks would need a long time to play out due to the need of vouches such that an attacker would not be able to overcome the system in one day, giving time for readjustment.
Mads, these clarifications are great and increases transparency on the Board actions. The recently approved HIP-16 gave the Board the capacity to call for emergency voting in case of admin misconduct. Maybe at some point in the next versions of the draft, a normative subordination to other HIP’s should be added? Something in the lines of “Unless modified by other proposals”.
This is a half-truth, as evidenced by how the HIP-8 was implemented. It took more than two weeks since the binding poll was over to finally introduce the changes that were elected, even after repeated inquiries were made in the dev group. There is still no clear instructions on how to interact with the governor by any person. A step-by-step guidance was promised some weeks ago.
Agreed with @Justin that some emergency powers can be added, but to keep it centralized as @clesaege argued, the DAO will always need to have the capacity to override them by vote.
Obviously you need to be a dev for that but if you are a dev that’s very easy (but yeah, you need a significant deposit which prevents people from stalling execution for cheap). And waiting 2 weeks for an enforcement is what you can expect.
Permission-less doesn’t mean that anyone can do it right now, it means that you don’t need to ask anyone for permission and that’s the case with POH. If you had a dev sufficiently interested in speeding up the execution, it may have been done within 1 week instead of 2.
For example anyone can run an Ethereum node and anyone can make a staking client. Here “can” means “have the right to”, not “have the technical capacity to do so”. And it’s way easier to enforce a vote than make a client so “the existence of at least a dev who will enforce the decision” is an easy security assumption.
This is a good mitigation plan, but only if proactive. Reactively you need to collect all the data again. Proactively it can be pinned an ensure continuity. (perhaps this is already happening and Kleros isn’t the only one paying for or hosting the pinned IPFS data, I was just using it as an example).
Ideally yes, but crypto history has taught us this hard lesson repeatedly.
Most attacks yes. But you assume the need for vouches or other protection mechanisms wouldn’t contain the flaw.
Great point, this is would be a good way to implement a fix in a scorched earth type scenario.
So are breach due to security keys being compromised. Here I believe that compromising security keys would be more likely than breaking the smart contract.
We often think at what we want to prevent, but those prevention mechanisms also have their own risks. Like for example in a “freezing” from admin contract, there could be security vulnerabilities in the “freezing” code itself (which could keep the contract frozen forever). Anytime you add something, you add additional security risks.
@clesaege Regarding the Kleros Governor, I think it looks quite nice, but someone has to manage the PoH account/version of Kleros Governor (a high-trust job indeed!). Every time something is automated/decentralized, someone new must be trusted to manage that process. The buck always stops somewhere, and that we need the board for. And if a new Kleros/other tool comes along, we need trusted people to decide if this is right for PoH governance (right now this is just assumed).
@santisiri Regarding term limits, my main concern is that the board is responsible for judging on procedures and they should not be able to have this power over their own election.
I may not have communicated this effectively, but I proposed a 5-year term - with only one position opened every year. If there is a term limit someone would be able to serve 10 years out of 11.
If we hold elections for all positions, then the first board would serve (1/2/3/4/5) years. We could say that the restriction only applies if you have already served 5 or more years.
We could also say the board member cannot judge on the election of his own position, but I like much better that they are forced off for at least a year protect better against abuse of power.
I think we have many other mechanisms in place to control abuses of power (eg. Kleros Governor, the DAO itself voting HIPs, multisigs controlling funds) and imitating how a legacy government works doesn’t feel like a good approach. Figuring out where we’ll be 5 years from now is a bit too soon.
I think you are right, the limitation can always be added later if needed. Perhaps I will then just add that a board member cannot judge on the election of his/her own “seat”.