Make strategy changes in vaults more secure by implementing a timelock, and only giving the governance multisig authority

Just creating this forum thread to get the discussion started since I think this issue is very significant given the current 740 million TVL of the protocol.

Summary:

According to some people on Discord, there is right now a serious centralization risk from the “strategist” address of vaults, as this address has the potential to steal all the funds from the vaults. A simple short-term solution to this risk is to implement a timelock, and only allow the governance to change the strategy of vaults.

Abstract:

Changing the strategist address of all active vaults that are available to the public on the main website, and implementing a timelock of a reasonable time, such as 24 or 48 hours, would significantly boost the security of the system, help attract more users, and protect the people that right now have keys that could steal 100s of millions of dollars and thus could become targets of criminals.

Motivation:

Right now the strategist address of a vault can instantly change the strategy to simply send all the funds in the vault to a new address. Users would have no time to react, and there are no additional safeguards beyond having access to the strategist private key - creating considerable risk for the people who control it.

Specification:

Change all strategist addresses to be the governance multisig, and use a timelock contract of 24 or 48 hours - similar to what is used in many other DeFi projects - for making changes to the strategy of a vault.

A timelock contract should also be used to control the access to any other control points of vaults, so that vault users are given some sort of minimum guaranteed time that they can escape from the vaults if an attack occurs.

Any other external accounts, similar to the strategist account, that have some sort of centralized or authorized access to vaults, strategies, or other aspects of the system that could materially harm users should also be moved to only be under the control of the governance multisig.

For:

  • Significantly more security of the vaults
  • Greater user confidence and protocol growth
  • Less chance of systemic economic and reputational damage to the DeFi ecosystem

Against:

  • Strategy and governance actions that impact vaults would not be able to be implemented as fast

6 Likes

I support this and would even prefer a 72 hour time lock. 3 days seems like a sweet spot between too short and too long…

2 Likes

Motivation is misleading! This is what the process really looks like:

  • strategist writes new strategy
  • multisig checks and approves the strategy (adds to the list approvedStrategies)
  • multisig or strategist sets current active strategy to one from approvedStrategies

The strategist can never set a strategy that is unapproved, but can set the strategy to one approved previously.

ref: https://etherscan.io/address/0x9e65ad11b299ca0abefc2799ddb6314ef2d91080#code

Note: Good example of miscommunication, here. Will add this explanation to (technical) docs.

11 Likes
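The approval flow described in the post above, combined with the timelock proposed at the top of the thread, as an added Python model that is not part of the thread and not the deployed contract's code. The class and method names, the 48-hour value, and the choice to apply the delay to approvals are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DELAY = 48 * 3600  # assumed timelock in seconds (the thread suggests 24 or 48 hours)


class NotAuthorized(Exception):
    pass


class NotApproved(Exception):
    pass


@dataclass
class VaultController:
    """Toy model of the roles described in the thread (hypothetical names)."""
    governance: str
    strategist: str
    active: Optional[str] = None
    # strategy -> timestamp from which the approval counts as matured
    approved_from: dict = field(default_factory=dict)

    def approve_strategy(self, sender, strategy, now):
        # Only the governance multisig may add to the approved list,
        # and the approval only matures after the timelock delay.
        if sender != self.governance:
            raise NotAuthorized("only governance can approve")
        self.approved_from[strategy] = now + DELAY

    def is_approved(self, strategy, now):
        eta = self.approved_from.get(strategy)
        return eta is not None and now >= eta

    def set_strategy(self, sender, strategy, now):
        # Strategist or governance may switch, but only to a matured approval.
        if sender not in (self.governance, self.strategist):
            raise NotAuthorized("only strategist or governance can switch")
        if not self.is_approved(strategy, now):
            raise NotApproved("strategy is not (yet) approved")
        self.active = strategy
        return self.active


def try_set(ctl, sender, strategy, now):
    """Return 'ok' or the name of the rejection, for easy inspection."""
    try:
        ctl.set_strategy(sender, strategy, now)
        return "ok"
    except (NotAuthorized, NotApproved) as exc:
        return type(exc).__name__
```

In this model the window users get to react starts when governance approves a strategy; once an approval has matured, the strategist can switch to it without further delay.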

Ah, this is very reassuring. So can you confirm that there are no other potential “backdoors” or single points of failure of this type, that circumvent the multisig?

2 Likes

I can confirm that the described scenario is not the case. If people think there might be other possible “backdoors” / SPOFs, happy to clarify how the code actually works.

4 Likes

As a side note, time locks can also backfire. MakerDAO put in a time lock to prevent whales from stealing funds. A few days later the market tanked and they couldn’t issue a fix with keeper auctions and a bunch of CDPs got screwed.

2 Likes

thx 4 clarifying that

2 Likes

Thanks for the clarification and thank you to @Rune for posting this and getting discussion on the topic. Very nice.

2 Likes