Thanks Do. Appreciate the attention here. I think in the future it might be worth considering a whitelist approach as this will enable some interesting representative governance concepts. As far as effort goes probably easiest to blacklist contracts for the time being and if the idea of representative governance becomes popular we could maybe come up with implementation specifications. (Probably a risk to allow contracts to vote on community spend in such an implementation)
Fully understand the concerns re:
- Unverified/unaudited smart contract interacting with the protocol
- Pooling of funds by the contract to vote maliciously
Could the following be acceptable alternatives that Spec could pursue:
(1) Towards the end of the proposal period, auto-voting in the exact same proportion of votes so that it leaves the voting outcome unchanged.
(2) Auto-voting yes, if the concern is that abstention is detrimental to a proposal.
In the future, there will be smart contracts that allow people to delegate their votes to asset managers, and they would entrust the asset managers to vote on their behalf. If this is the case, then taking an approach to blanket block smart contracts may be an issue for asset managers with delegated MIR.
I have been backing some asset management protocols, and I think that delegated MIR is certainly going to be something to think about. Blocking them completely would not be a good outcome.
Also, just blocking smart contracts, may lead to unacceptable/risky workarounds, e.g. sending it to non-contract addresses for the purposes of voting.
This takes away from the rewards that actual gov participants would otherwise receive for providing their real input.
The concern is garbage governance input does not provide any real input to governance proposals, and takes away from real governance participants.
The only solution i see here is passthrough voting, or representative voting where spec holders indirectly vote on mirror governance proposals. But as is , this approach presents other risks to mirror that should be mitigated before this behavior is allowed (ie a protocol voting it’s self community spend)
I agree that for the time being these types of auto-votes should be blacklisted by default. I do think that there is potential for whitelisting in scenarios where individuals want to delegate their voting rights to another individual/entity, but this is obviously not one of those scenarios. Votes should be purposely put forth in governance, never auto-selected. The whole point of the change in v2 was to incentivize voting participation in governance, and the feature that Spec is attempting to provide completely circumvents this.
Your passthrough voting idea is a good approach. This means that those who delegate still need to take responsibility on the votes.
Plus also agree with your comment re: safeguards to prevent abuse.
It might be worthwhile waiting to see some of these protocols get some traction before taking action.
Seems to be premature to design countermeasures to attacks that have yet to manifest.
Agree, not implying any immediate action in my governance proposal, more so using governance to signal community sentiment around this issue , and specifically in this case help guide spec or any future yield optimizer who wants to build strategies that incorporate governance.
Also to add , in this specific case Spec has now withdrawn their vote farming proposal.
The gov contract in MIR can simply check whether the address attempting to claim rewards belongs to a smart contract and deny claims if they are.
And so the community begins destroying itself. Disenfranchisement of particular types of voters because the way they vote is disagreeable… this is antithetical to DeFi in the strongest imaginable way.
ON a more practical level… what about multi-custodial treasuries managed by smart contract? What about DAO’s? What about Spar protocol? What about unannounced projects that are working toward representation models (stake your MIR into the module, module selects a single party to vote all of the MIR staked into the module)?
What about every other as yet unimagined use of MIR (including its governance module) in other protocols that will not happen because of the communities rejection of the very first external protocol that tried to engage in MIR governance in the least impactful way possible?
This is an over exaggeration . Voters gaming voting rewards while not providing real goverance input arnt really voters.
In the metaverse smart contract is law, if smart contracts allow a certain behavior , it’s allowed by law. If Mirror is going to allow smart contracts to vote on proposals in a representive manner , the risks need to be strongly considered . In the current implementation of mirror governance , these risks have not been fully considered . And so in the interim until these risk are fully evaluated and proper mitigation and implementation details are hashed out, i think it’s reasonable to
A. Gauge community sentiment on this issue. Potentially indicating future action if risks are realized
This also encourages protocols who plan to engage in this behavior to be cautious and to engage with the community about their plans to incorporate goverance in to their yield strategies.
B. Have these discussions.
Given your concerns here, what do you propose as an alternative solution?
Agreed on the passthrough vote.
QQ: Why would we not require any group that wants to utilize this type of mechanism (handling governance votes in an automated / semi automated fashion) in their design to also create similar workflow to corporate voting. If you own shares in tradfi companies, you typicall get a ping through your brokerage account that there is a proxy vote that is available. Based on the number of proposals in the MIR ecosystem, this seems a reasonable amount of activity for: 1) A company that wants to build a thoughtful project on Terra to spec a solution (holder is pinged to vote when new prop is available) and 2) A holder of auto compounded tokens to vote on.
Admittedly perhaps we just aren’t here yet - thus block and then rework a solution. But of we are it seems like we could require projects to add a proxy push as part of the build specification.
Is this the thought with a passthrough?
To clarify my point on blacklisting… I don’t think this means all contracts should be blocked, just those that auto-select the voting option for the participant. Automatically choosing Abstain for everyone, as in this example, should not be the way to go. However, if each participant chose their vote (be it ‘Abstain’ or another) and then Spec passed this vote through to governance, that would be fine. I don’t know if a ‘blacklist all contracts’ approach is the best one to take without some middle ground specification. After discussing on Discord, one acceptable method would be a time-lock mechanism where contracts could propose their method in advance, and if not opposed, would pass by default. This would effectively be a holding period where any bad actions could be halted before they take place. This would help to protect the governance without blocking new protocols from innovation. If the Mirror governance community decided to take no action, then that would count as support in this scenario.
So IF an attack does take place we then have to ??? clean up the damage afterwards.
Is there any ability of the protocol to compensate in this theoretical situation?
The attack vector here is known, this type of governance attack doesn’t happen overnight and requires a considerable build up of community funds, specifically governance tokens.
There’s is no immediate threat . Spec finance respects the community’s concerns here and have withdrawn their plans to implement voting strategies .
And assuming the proposal passes on “YES” this will make it clear to future protocols that this type of goverance interaction is generally frowned upon and against community sentiment. And if the risk ever became real measures could be implemented to mitigate or eliminate the risk.
It’s something to monitor and bring awareness to.
Thanks for the clarification to my concern, and Spec has done the right move, I also have interests in Spec as many others in the Terra system. And appreciate you for bringing attention to this potential weakness.
Maybe let’s just think about how an “abstain” vote provides any value to governance ?
We could either get rid of that voting option, or disable governance rewards for such kind of votes.
With goverance being incentived , people are going to vote, if the topic or issue that is being voted on is unclear to the voter , without abstain the voter is forced to choose Yes or No which may not actually be what they want cause they dont understand the proposal . Atleast in theory.
I’m new here so please go easy on me!! I agree that in the current state with governance being incentivized you have to have an “abstain” vote. Typically- one would abstain from voting by just not voting, but when there is a reward for voting, that isn’t a rational behavior. It’s a coin toss and that takes away from the whole purpose of community governance. I think inside of the mirror, members take governance seriously, and even with the incentive, I can’t imagine that there are many members that just pound the abstain button every single time, just to earn yield. Be better off farming. But take it outside of the “community walls” you lose that vested interested and it becomes a game of chasing aprs. I don’t know if it is feasible, or something the community would want, but in traditional capital markets, it is not uncommon for publicly traded securities to be split into voting and non voting shares. Granted, the result would be 2 classes of MIR, mechanically, those “staked inside of the Mirror ecosystem” would have/earn voting shares, while those that stake through external protocols would receive non voting MIR. One would expect it to trade at a slight discount, but I think it would be minimal, as farming provides far more yield than staking in governance, and one would still be able to farm with non voting MIR. Hopefully, as DeFi grows, proxy advisory voting protocols are developed, The Glass Lewis and ISS of DeFi. That could replace the abstain vote. You have to vote yes/no or give your vote to an advisory firm to vote for you.
Welcome! Thanks for joining the discussion.
So on the idea of having different types of Mir tokens, i dont think we would want to differentiate . Although you could have a non staking or non governance derivative Mir token that holds real Mir as an underlying asset. But we’re really going down the rabbit hole with that one. hah.
Been chatting in discord with some folks and we came up with some interesting alternative ideas.
So there are two risks /issues we are trying to solve here
Centralization of governance power is dangerous especially in the case of a yield farm where there is incentive for a protocol to want to grant it’s self community funds
We want to encourage real governance participation and a protocol having a fixed vote for every proposal is not real governance participation
So the solution here to remove these risks and not inhibit external contract interactions , we came up with the following
Within the governance contract disallow external contracts from voting on community spend, mirror governance parameters, contract upgrades.
Establish a best practice for proxy voting on Mirror , this best practice will be rather broad conveying the main point that voting must be done with intention.
Give governance the ability to restrict voting rewards from a given contract so that the best practices/code of conduct is enforceable by governance. I would also argue that external contracts should not be able to participate in these polls.
Of course this is up for discussion , look forward to any input here.
There seems to be two separate concerns here:
ABSTAIN votes count toward quorum. As long as this is true, and as long as ABSTAIN votes are rewarded, death by failure to meet quorum is practically impossible. Rewarding YES and NO votes has been a raging success.
Protocols might steal votes. They might:
a. Always vote ABSTAIN, ensuring quorum is met, likely with the sole intent of reaping rewards. This can be solved by continuing to reward ABSTAIN votes, but excluding them from quorum.
b. Vote YES or NO at random. The opportunity to vote ABSTAIN would seem to obviate the need to do this—random evil would be the only motive.
c. Vote users’ MIR tokens according to the protocol’s wishes (good or evil), indifferent to their users’ hypothetical wishes.
This last threat (2c), however unlikely, could have severe consequences. Blacklisting all smart contracts from voting is, I suspect, a patch. A centralised financial entity may present as an ordinary wallet with a large bag of MIR, when in fact it is a custodian for many depositors.
Would it not be better to create an SDK for pass-through voting that deFi protocols could implement at little cost? This might induce new protocols to comply with community norms, and encourage users to stay in the deFi ecosystem.