0x Protocol Security Council serves as a failsafe security measure for 0x Protocol Governance by empowering an elected group with two emergency functions — (1) veto a proposal that passes governance processes and (2) rollback a deployed feature to a previous version. In its mature state, these two functions are designed to have a “one-time” use to minimize the damage that a malicious group could do and avoid Denial of Service (DoS) risks.
The end state for 0x Protocol Governance is a fully on-chain binding governance system — one that truly transitions the power over 0x Protocol over to its stakeholders. A recent governance forum post proposes a technical implementation for an on-chain governance system that will allow all small contracts associated with 0x such as the treasury, the protocol, and governance itself, to be subject to change via on-chain binding proposals.
Given the adversarial environment that blockchain is, transitioning to the phase of governance means that new security measures are required that can serve as a failsafe to prevent a malicious governance proposal from compromising the protocol. As Nikita put in the post introducing the 0x DAO, “the path to the decentralization of 0x is composed of several technical milestones, both accompanying and requiring a parallel evolution of the 0x community.”
To this end, a more accountable community needs to evolve to be able to support this transition — this post proposes the formation of the 0x Protocol Security Council to serve as that failsafe and the following sections will describe its makeup, its functionality, and how it’ll operate.
What is the 0x Protocol Security Council
In short, the 0x Protocol Security Council is a small elected body tasked with overseeing the system of smart contracts that jointly make up 0x Protocol and its treasury for any potential security concerns and acting when necessary to ensure its proper function.
We propose that the future state of the 0x Protocol Security Council is empowered to serve this role by possessing two one-time use emergency functions (1) veto a proposal that passes governance processes and (2) rollback a deployed feature to a previous version. We’ll breakdown why these two functions and why “one-time” are necessary.
The two emergency functions — veto and rollback — are purposefully high impact actions to match the high risk situations that would warrant their use. The goal is to give the 0x Protocol Security Council the proper tools to serve as a failsafe if sh*t hits the fan. We believe that these two actions strikes the appropriate balance between providing meaningful temporary measures to address any security vulnerabilities that may arise and ensuring that 0x Protocol is unstoppable.
The two emergency functions being “one-time” use means that once a security council decides to use one of those emergency functions, its members are immediately relieved of their position, and a new council is elected. This design is meant to minimize the harm that a malicious 0x Protocol Security Council can do to the protocol — explicitly stated, a malicious council can only delay governance by 1 cycle (i.e. on-chain voting period + timelock + deployment). For the election of a new council, parties that previously served on the security council are eligible for re-election which allows good actors to continue to serve in this critical role and an accountable community to prevent malicious actors from being in that position of power again.
Because of the security critical role that the 0x Protocol Security Council serves, we propose that if there is no security council assigned, no new on-chain proposals can be created or executed besides assigning a new security council. However, this would not affect voting on active proposals, meaning that voting can happen regardless of if a security council is assigned or not.
For the initial version of the 0x Protocol Security Council, we believe that optimizing for security right off the bat is most important. As such, the one-time use will be a future feature when the new governance system stabilizes and as a community, we feel that this role can be decentralized without any major security risks.
0x Protocol Security Council serve a critical role in the proper functioning of 0x Protocol — they serve as the failsafe to a fully on-chain governance system.
While what’s needed to properly serve on the security council will likely change as the system of smart contracts that make up 0x evolve, they are expected to fulfill the following core responsibilities:
- Possess a deep fundamental understanding of the system of smart contracts that make up 0x - the treasury, protocol, and governance.
- Promptly respond to any security concerns that are surfaced publicly or privately via the bug bounty program or otherwise.
- Provide a post mortem if an emergency function is used.
- Promote 0x Protocol’s values as defined in the Constitution and Code of Conduct by setting a positive example for the general public.
Inaugural 0x Protocol Security Council
Serving on the 0x Protocol Security Council is a very serious undertaking that requires deep technical knowledge of the broader blockchain space and of 0x specifically. To this end, in order to ensure the highest standard of security for the protocol, we propose that the Inaugural 0x Protocol Security Council is comprised of members that are carefully selected by 0x Labs.
The hope is that 0x Protocol continues to be a secure protocol and as such, the security council will not need to invoke its limited but serious emergency power. Historically, since 0x V1’s introduction, there has only been one time where an emergency function like what is proposed here has been used: this happened in July 2019 where a vulnerability in 0x V2 could’ve led to the loss of user funds.
To set the foundation for the future decentralization of the Security Council, we propose the following election process.
Application (for future Security Council Member elections)
In order to be eligible to be surfaced in the Governance Portal as a candidate for the 0x Protocol Security Council, candidates should review the current working draft of the 0x Protocol Constitution and 0x Protocol Security Council Code of Conduct and reply to this forum thread using the following template. Please leave the prompts intact and answer on the same line.
To avoid impersonation, delegates should either (1) create a profile using Tally with Twitter and the Ethereum address submitted on this form or (2) post a tweet that links to your delegate submission and edit your submission to include the link to the tweet.
Address or ENS:
I have read and agree to the 0x Protocol Security Council Code of Conduct (NEED LINK):
My skills and areas of expertise (as related to security):
My process for evaluating security reports and decision making:
Conflicts of Interests:
Applications will happen on a rolling basis and populate a growing directory of registered candidates — this directory is what will be used to pull candidates when an election needs to occur. Known malicious actors and spam applications will be compiled in a publicly viewable database that will be used as a filter in the Governance Portal UI.
We propose a two step process to elect security councils:
- Off-chain but open-sourced ranked pair voting
- On-chain simple poll to confirm the winners of the off-chain vote.
We believe that an off-chain component is necessary in the election process as the limited computational capacity available on chain would make it technically too complicated and economically expensive to achieve solely on-chain.
At a high level, the goal of the off-chain vote is to narrow the full list of registered candidates to a smaller subset that can be reasonably voted upon on-chain and the goal of the on-chain vote is to formally assign a security council.
We propose that the off-chain election is done via ranked pair voting mechanism because while it is more complicated to implement, it guarantees that the winning candidates are those that are preferred by more voters than any other. We believe that the two properties described are desirable for a role as complex and important as the Security Council.
The winning members of the off-chain election would then create a multisig and a formal on-chain vote would assign that multisig as the security council in the governor contract.
The transition to a fully on-chain binding mechanism for 0x protocol requires the support of multiple security mechanisms. This forum post introduces the concept of the 0x Protocol Security Council to serve as a security failsafe. In it’s mature state, this elected group has two one-time use emergency functions — veto an active proposal and rollback a deployed feature to a previous version — that’ll allow a benevolent group to safeguard 0x while limiting a malicious group from delaying proper governance by just one cycle.