0x Protocol Security Council

Abstract

0x Protocol Security Council serves as a failsafe security measure for 0x Protocol Governance by empowering an elected group with two emergency functions — (1) veto a proposal that passes governance processes and (2) rollback a deployed feature to a previous version. In its mature state, these two functions are designed to have a “one-time” use to minimize the damage that a malicious group could do and avoid Denial of Service (DoS) risks.

unbundling_progress_security2802×368 58 KB

Context

The end state for 0x Protocol Governance is a fully on-chain binding governance system — one that truly transitions the power over 0x Protocol over to its stakeholders. A recent governance forum post proposes a technical implementation for an on-chain governance system that will allow all small contracts associated with 0x such as the treasury, the protocol, and governance itself, to be subject to change via on-chain binding proposals.

Given the adversarial environment that blockchain is, transitioning to the phase of governance means that new security measures are required that can serve as a failsafe to prevent a malicious governance proposal from compromising the protocol. As Nikita put in the post introducing the 0x DAO, “the path to the decentralization of 0x is composed of several technical milestones, both accompanying and requiring a parallel evolution of the 0x community.”

To this end, a more accountable community needs to evolve to be able to support this transition — this post proposes the formation of the 0x Protocol Security Council to serve as that failsafe and the following sections will describe its makeup, its functionality, and how it’ll operate.

What is the 0x Protocol Security Council

In short, the 0x Protocol Security Council is a small elected body tasked with overseeing the system of smart contracts that jointly make up 0x Protocol and its treasury for any potential security concerns and acting when necessary to ensure its proper function.

We propose that the future state of the 0x Protocol Security Council is empowered to serve this role by possessing two one-time use emergency functions (1) veto a proposal that passes governance processes and (2) rollback a deployed feature to a previous version. We’ll breakdown why these two functions and why “one-time” are necessary.

The two emergency functions — veto and rollback — are purposefully high impact actions to match the high risk situations that would warrant their use. The goal is to give the 0x Protocol Security Council the proper tools to serve as a failsafe if sh*t hits the fan. We believe that these two actions strikes the appropriate balance between providing meaningful temporary measures to address any security vulnerabilities that may arise and ensuring that 0x Protocol is unstoppable.

The two emergency functions being “one-time” use means that once a security council decides to use one of those emergency functions, its members are immediately relieved of their position, and a new council is elected. This design is meant to minimize the harm that a malicious 0x Protocol Security Council can do to the protocol — explicitly stated, a malicious council can only delay governance by 1 cycle (i.e. on-chain voting period + timelock + deployment). For the election of a new council, parties that previously served on the security council are eligible for re-election which allows good actors to continue to serve in this critical role and an accountable community to prevent malicious actors from being in that position of power again.

Because of the security critical role that the 0x Protocol Security Council serves, we propose that if there is no security council assigned, no new on-chain proposals can be created or executed besides assigning a new security council. However, this would not affect voting on active proposals, meaning that voting can happen regardless of if a security council is assigned or not.

For the initial version of the 0x Protocol Security Council, we believe that optimizing for security right off the bat is most important. As such, the one-time use will be a future feature when the new governance system stabilizes and as a community, we feel that this role can be decentralized without any major security risks.

Expectations

0x Protocol Security Council serve a critical role in the proper functioning of 0x Protocol — they serve as the failsafe to a fully on-chain governance system.

While what’s needed to properly serve on the security council will likely change as the system of smart contracts that make up 0x evolve, they are expected to fulfill the following core responsibilities:

1. Possess a deep fundamental understanding of the system of smart contracts that make up 0x - the treasury, protocol, and governance.
2. Promptly respond to any security concerns that are surfaced publicly or privately via the bug bounty program or otherwise.
3. Provide a post mortem if an emergency function is used.
4. Promote 0x Protocol’s values as defined in the Constitution and Code of Conduct by setting a positive example for the general public.

Selection Process

Inaugural 0x Protocol Security Council

Serving on the 0x Protocol Security Council is a very serious undertaking that requires deep technical knowledge of the broader blockchain space and of 0x specifically. To this end, in order to ensure the highest standard of security for the protocol, we propose that the Inaugural 0x Protocol Security Council is comprised of members that are carefully selected by 0x Labs.

The hope is that 0x Protocol continues to be a secure protocol and as such, the security council will not need to invoke its limited but serious emergency power. Historically, since 0x V1’s introduction, there has only been one time where an emergency function like what is proposed here has been used: this happened in July 2019 where a vulnerability in 0x V2 could’ve led to the loss of user funds.

To set the foundation for the future decentralization of the Security Council, we propose the following election process.

Application (for future Security Council Member elections)

In order to be eligible to be surfaced in the Governance Portal as a candidate for the 0x Protocol Security Council, candidates should review the current working draft of the 0x Protocol Constitution and 0x Protocol Security Council Code of Conduct and reply to this forum thread using the following template. Please leave the prompts intact and answer on the same line.

To avoid impersonation, delegates should either (1) create a profile using Tally with Twitter and the Ethereum address submitted on this form or (2) post a tweet that links to your delegate submission and edit your submission to include the link to the tweet.

(Team) Name:
Address or ENS:
Discord username:
I have read and agree to the 0x Protocol Security Council Code of Conduct:
My skills and areas of expertise (as related to security):
My process for evaluating security reports and decision making:
Conflicts of Interests:

Applications will happen on a rolling basis and populate a growing directory of registered candidates — this directory is what will be used to pull candidates when an election needs to occur. Known malicious actors and spam applications will be compiled in a publicly viewable database that will be used as a filter in the Governance Portal UI.

Election

We propose a two step process to elect security councils:

1. Off-chain but open-sourced ranked pair voting
2. On-chain simple poll to confirm the winners of the off-chain vote.

We believe that an off-chain component is necessary in the election process as the limited computational capacity available on chain would make it technically too complicated and economically expensive to achieve solely on-chain.

At a high level, the goal of the off-chain vote is to narrow the full list of registered candidates to a smaller subset that can be reasonably voted upon on-chain and the goal of the on-chain vote is to formally assign a security council.

We propose that the off-chain election is done via ranked pair voting mechanism because while it is more complicated to implement, it guarantees that the winning candidates are those that are preferred by more voters than any other. We believe that the two properties described are desirable for a role as complex and important as the Security Council.

The winning members of the off-chain election would then create a multisig and a formal on-chain vote would assign that multisig as the security council in the governor contract.

Conclusion

The transition to a fully on-chain binding mechanism for 0x protocol requires the support of multiple security mechanisms. This forum post introduces the concept of the 0x Protocol Security Council to serve as a security failsafe. In it’s mature state, this elected group has two one-time use emergency functions — veto an active proposal and rollback a deployed feature to a previous version — that’ll allow a benevolent group to safeguard 0x while limiting a malicious group from delaying proper governance by just one cycle.

(Team) Name: Gabriele Rigo, Rigoblock
Address or ENS: 0x080f08076e8EAdC66006C3CbFEd28a34918A1fA6
Discord username: gabrigo | RigoBlock#6195
I have read and agree to the 0x Protocol Security Council Code of Conduct: Yes
My skills and areas of expertise (as related to security): Smart contracts development and testing; member of 0xEVE and signer of 0xEVE grants; 0x bootstrap delegate. I have known 0x since its inception, having built the first protocol<>protocol bridge on a fork of 0x in 2018 (the fork was necessary as 0x did not allow swapping tokens for smart contracts in its early days). I have a deep understanding of the 0x smart contracts, including the protocol, the staking system and the governance contracts. I have been actively providing feedback on the ongoing governance smart contracts as can be seen in this thred. I have been managing substantial amount of assets on-chain and used to be a pretty active liquidity provider on the 0x open orderbook.
My process for evaluating security reports and decision making: modular, well structured, well documented and fully tested code should be the basis of any serious project. I value transparency and low-profile overall. I believe information should be shared as transparently as possible and by taking care of the interests of the community first. In the context of decentralized governance, I believe a broad consensus should be reached off-chain before proceeding with the on-chain vote. In this context, I believe blockchain storage should be preserved and its usage minimized whenever possible. While I consider myself an innovator and value pushing the boundaries of technology, I also believe it is preferable to setting for a slightly less bleeding edge but more tested framework rather than navigating unchartered waters. In this context, I value re-usage of audited code, and the cooperation that only open-source code can produce.
Conflicts of Interests: I am one of the community delegates, which gives me voting power in the ZRX governance. I will abstain for using my voting power to vote for my application. Also, I am a member of 0xEVE, which is not a conflicting position. I am the founder of Rigoblock, a protocol for on-chain asset management which is complementary to 0x, not a competitor or in a conflict of interest position.

Name: Patrick
Address or ENS: 0x628A1E8143133aC5f26b920797649b21585F72F6
Discord username: Patrick B
I have read and agree to the 0x Protocol Security Council Code of Conduct: Yes, I agree to follow the 0x Protocol Security Council Code of Conduct.
My skills and areas of expertise (as related to security): I hold a Multimedia degree, which is the study of new media theory and media within its various forms from conception until today’s present time within its current evolved form in relation to its sociological (macro) impact. Precoursary skill sets used for psychological operations development (psyop). I have consulting experience within framework development, GUI development, and extensive team building and training of individuals to meet desired operational skill sets geared towards psychological performance development. My experience has led me to develop a strong analytical discerning perspective which aids in compiling a host of working variable relationships in correlation with the three dimensional creative process which is critical in advancing a concept towards its working form in relation to a users’ interfacing experience. I have been interested in the cryptography space since 2017 and passionately interested within the 0x Protocol project since 2018. I have been an active brainstorming community member and my most recent activity focus of interest has been involved with drafting the 0x Constitution which can be found here on the following thread.
My process for evaluating security reports and decision making: I enjoy employing a comparative and contrasting methodology of discernment with emphasis on brainstorming group think to better harness the hive mind potential. Comparative and contrasting exercises stem from extensive enjoyment of research to develop the needed vantage point perspective to assist in better understanding all the working variables at hand which are compiled towards the decisions making process with hive mind collaborative group-think emphasis. I believe in open transparency, collective brainstorming, extensive auditing, team building, and rich debate.
Conflicts of Interests: I do not hold any conflicts of interest.

I am trying to understand here the process, so for now, at beginning 0x Labs members will be the council and others can apply also to be part of the Council?

As this is a highly technical required role, should be this done by open voting or by others dedicated council members?

Is there a timeline for council members apply or this will be a continous applying process.

BTW, I am interested on being part of the council, but, speaking by myself, I understand more the usage of the smart contracts, and some contracts that I use. But other parts of the 0x architeture I still need to investigate. How, a potential candidate nows that it fits to be part of the council?

hey @JoaoCampos89 thanks for the questions.

Yes, for the first security council, 0x Labs will be selecting the members of it to ensure that it consists of people with the level of contextual and technical knowledge around 0x Protocol to properly safeguard it.

We would like for this role to eventually be decentralized as well - as such, people are free to apply to be part of the Council (thanks Gabrigio and Patrick for their interest and applying already ). There is no timeline and we envision it to be a continuous process that’ll result in a list of candidates to consider in the event that a new security council needs to be elected.

Agree that this is a highly technical role but for the spirit of decentralization and to limit the harm that a malicious security council can do, we think that open voting is a suitable mechanism.

I’m not sure I totally understand your last question - could you rephrase?

The last question is more how a potential council member members knows that attend the requirements demanded by 0x council, or that is ditacted by the voting mechanism?

If I’m understanding the question properly of how do we make sure that members of the security council sufficiently knows the whole architecture of 0x Protocol to be able to serve the role, I think that’s where the open application and voting process should step in as a good filter.