Executive summary
In this proposal, we ask for community support for renouncing the ownership of the osETH & osGNO token contracts from the StakeWise DAO addresses.
For more context on the proposal, please check out our post-mortem of the osToken recovery operation following the Balancer V2 exploit.
Motivation
Current StakeWise DAO ownership of the osETH & osGNO token contracts represents a centralization vector given the existence of an emergency multisig.
osETH contract ownership grants DAO the power to mint and burn osTokens from various addresses on demand (among other things), and while it would be difficult to abuse in a completely decentralized setting, the presence of an emergency multisig creates a dangerous setup for all kinds of attacks, whether through social engineering or outright exploits.
We firmly believe that the emergency multisig must remain in place. However, its role must be to simply prevent malicious DAO transactions from being executed, rather than propose transactions itself.
Hence, all and any DAO ownership of the sensitive components within the StakeWise protocol must be renounced to remove centralization concerns and reduce the number of attack vectors on StakeWise.
Our proposal is to renounce ownership of the osETH token contract and the osGNO token contract by the DAO address (0x144a98cb1CdBb23610501fE6108858D9B7D24934 on Ethereum mainnet and 0x8737f638e9af54e89ed9e1234dbc68b115cd169e on Gnosis Chain), leaving StakeWise DAO (and hence the emergency multisig) only with the ability to add new Vault Factories i.e. new versions of Vaults to the VaultsRegistry contract.
This action will remove the sole centralization vector that we are aware of that is still present within StakeWise. For those in doubt, we invite external parties to independently verify this claim.
Specification
Call renounceOwnership function on the osETH and osGNO contracts from the DAO addresses on Ethereum and Gnosis Chain, respectively.
Considerations
Renouncing contract ownership will leave the DAO without ability to set new controllers for osETH and osGNO, effectively capping osToken development path here.
We believe that the security benefits of doing so outweigh the loss of additional flexibility on Ethereum mainnet; however, on Gnosis Chain the trade-off looks worse.
osGNO is yet to be included into Aave, which means Boost has not yet been enabled on Gnosis Chain, and a controller role has not been granted to the Boost contract. Renouncing osGNO ownership now would make the deployment of Boost in its current implementation impossible on Gnosis Chain, delaying its introduction for several months at least.
In light of this, we suggest renouncing osGNO contract ownership only after Boost has been deployed on Gnosis Chain.
Discussion
We welcome all comments, questions, and opinions on the subject of removing this centralization vector from the protocol for good.
For additional commentary, please see our post mortem on the recovery of funds stolen in the Balancer V2 exploit on X.