Emergency Response Team

The main goal of the NuCypher DAO is to give the community of stakers governance over the NuCypher Network. This tangibly means that the DAO becomes the ultimate authority over the network contracts. This is decentralization at its best, and we at NuCypher are very proud of it.

However, this level of decentralization comes at a price: it implies that, in the absence of other mechanisms, all upgrades to the contracts will have a delay of several days or even weeks because of the default DAO proposal validation process – see this thread where we discuss the fixed duration of the proposal validation period. If a proposal fails to gain majority acceptance at the first time of asking, this can set the upgrade back even further. Delays can be extremely risky when there’s an emergency situation that needs to be addressed via a proposal and contract upgrade.

Emergencies refer to any type of vulnerability that can be exploited by an attacker to disrupt the operation of the network (e.g., drain pending rewards, damage the state of a contract, etc), or that affect stakers (e.g., seize tokens from their stakes) or network users (e.g. holding stakers hostage via their rewards/collateral and forcing them to ignore re-encryption requests). With an ordinary proposal validation process, attackers have a known duration to keep exploiting the vulnerability, or in case that there wasn’t an attack yet, it gives them information on how to exploit it. Clearly, this is an unacceptable approach for dealing with these situations.

Our proposed solution is to formalize a secondary procedure to upgrade the network contracts in case of such emergencies. This procedure is what we call the “Emergency Track”, and will be performed by an “Emergency Response Team” (ERT). This team is formed by a group of community members who commit to facilitate the approval of urgent proposals that resolve emergency situations with network contracts. This approach is very similar to the ones followed by other DAOs, for example, by using multisigs.

It’s very important to note that the ERT will only have authority over the DAO Agent that owns the contracts, i.e., the ERT can perform upgrades to the contracts, but can’t change any DAO configuration or parameter; only the community as a whole can do the latter, through an ordinary proposal. In other words, the ERT could fix a bug affecting, for example, the distribution of fees, but it could not remove the requirement for general contract upgrades to be approved by a majority, nor transfer ownership of the network contracts.

Another aspect worth mentioning is that the Emergency Track is only intended to be used in case of emergencies, obviously, which means that the ordinary track continues to be the standard mechanism to update the network contracts.

Key aspects of the ERT

Formation of the ERT:

  • The ERT is to be composed of 3 members, and 2 out of 3 are required to enact any action.
  • The ERT members are to be appointed by the community of stakers through a regular proposal in the DAO.
  • Once the ERT is formed, its composition is subject to change by the community of stakers through a regular proposal as well.

If an emergency upgrade proposal is presented, the ERT must:

  • Coordinate amongst its members to diligently examine the proposal and approve it if it resolves an emergency situation.
  • Reject the proposal if it’s not deemed an emergency or if the proposal is flawed.

After a successful upgrade performed by the ERT, they must:

  • Provide the source code of the new contract implementation, and show indisputable evidence that the upgraded code matches the bytecode in the blockchain (e.g., by validating the source code in Etherscan).
  • After each upgrade, the ERT must set up a ratifying proposal where stakers can approve or reject the upgrade. In case the ratifying proposal fails, the ERT must roll back the changes to the affected contracts.

Proposed plan for the ERT and NuCypher DAO

The “pre-DAO proposal” I’m making here – which, by the way, it’s not a “formal” proposal as the DAO will only go live once the network is launched – has several implications. First, the DAO will control the contracts from day one, along with a preliminary, temporary ERT composed of community members appointed via an informal process. Once the network has launched, a formal proposal to replace the temporary ERT can be made via the standard DAO proposal track, if desired. The temporary ERT exists solely to ensure the transfer of ownership can safely occur at network launch. If the first ERT composition was subject to the standard DAO validation process, there would be a vulnerable period in which an attack could not be addressed until formal proposal validation(s) are complete – likely to be 10-20 days. Hence, the temporary ERT is a safeguard, and they will only be called into action if a major emergency occurs before the long-term ERT is collectively formed.

This pre-DAO proposal comprises the following steps:

  1. Start a public discussion here where we can gather feedback from our staking community.
  2. Gather a reasonable consensus around the ERT idea, so we can proceed with an ordinary proposal to the DAO for establishing a concrete composition of the ERT. If the feedback from the community brings us into a different direction, we can still change the emergency process later.
  3. Launch the NuCypher network with a DAO and a preliminary ERT that can be replaced via the standard DAO proposal track.

Update on the Emergency Response Team

During the first hours after activation of the NuCypher network, our team deployed and configured the NuCypher DAO (https://client.aragon.org/#/nucypherdao). This is a critical step towards complete decentralization of the network and to fully empowering the community of stakers.

As discussed in above in this thread, it’s necessary to have a fail-safe mechanism to quickly fix critical vulnerabilities in the network contracts. The NuCypher DAO achieves this by having a designated group that is capable of reacting in such situations, called the NuCypher Emergency Response Team (NuERT).

The preliminary composition of the NuERT is the following:

  • MacLane Wilkison (0x33DFfDc00B6E087b74687F342612bFe6492F45a7)
  • David Núñez (0x093670106724d5B1739bD96A1db2c8Ed2B5c759B)
  • John Pacific (0x68B8474e19dee11A6ee2D3CA05704C6B7F2cD273)
  • Michael Egorov (0xFe45baf0F18c207152A807c1b05926583CFE2e4b)

You can verify these addresses in the NuCypher DAO user interface (https://client.aragon.org/#/nucypherdao/0xf086b8e0f75484e854d4de37b655312c3d567904/)

To ensure that the system works and the DAO configuration was in order, we performed a couple of proposals and we verified that they worked correctly. At this point we can assert that the NuCypher network contracts are no longer owned by the deployer account but by the DAO Agent (0xb6bff48574b722f3bff0c29c9e1b631dd19c1a93). You can independently verify this using the contracts’ public API.

It’s worth mentioning that the NuERT will always be subordinate to the community of stakers, who can send a proposal to the DAO to modify its composition or remove it entirely. The NuERT doesn’t have the capability to alter its own composition, nor to modify any DAO configuration.