🛣️

Beanstalk - The Path Forward #6

Date
June 3, 2022
Timestamps

• 0:00 Intro • 0:32 BFP-73 Overview • 2:40 Anonymous signers • 6:05 Summary of discussion • 7:13 How does someone verify that Publius doesn't have all the keys? • 8:42 Who chooses the signers? • 11:56 Rationale of anonymous signers • 15:48 Next steps

Type
The Path Forward

Recordings

Notes

BFP-73 Overview

  • The DAO has approved the plan to relaunch Beanstalk with off-chain governance.
  • BFP-73 lays out the rules for off-chain governance that will be executed by Snapshot vote.
  • In particular, the proposal is to transfer ownership the Beanstalk contract to a new multi-sig wallet.
  • The plan is for a 5 of 9 signature Gnosis Safe wallet.

Anonymous signers

  • The proposal specifies that the signers are all anonymous.
  • The thinking behind that is that the main risk associated with off-chain governance is the potential corruption of a majority of the key holders or keys, and the best way to minimize that risk is for nobody to know who the signers are.
  • That does require some level of trust in Publius to pick the signers.
  • Publius would hold one key, four would be held by Beanstalk Farms contributors, and the rest would be held by reputable community members.

How does someone verify that Publius doesn't have all the keys?

  • That is the current situation. Publius has sole ownership of Beanstalk. They do not want that, and view centralization as one of the biggest risks to Beanstalk. There’s no way to verify it, though.

Who chooses the signers?

  • If they’re anonymous, the goal is to minimize the number of people that know their identity, so the idea is for them to be selected by Publius and then no one else knows.

Rationale of anonymous signers

  • If people are comfortable having pseudonymous people on the wallet, it’s hard to justify how that is better than having anonymous people.
  • Pseudonyms might have some reputation to maintain and they could be real people, but it’s hard to evaluate.
  • If everyone knows who the signers are, somebody can coordinate an attack where they are manipulated or compelled to push malicious code to Beanstalk.

Next steps

  • Likely to be a 24 hour Snapshot prior to the Barn Raise.
  • Unclear what the options for voting should be. Might make sense to allow people to vote in favor of pseudonymous or doxxed signers.

Transcript

okay i'm inviting button phobias up how are you publius doing quite well mod how are you i'm i'm very good i'm doing glad um i think most of most of this discussion is going to be about the new bfp which is uh the multi-sig proposal and that is moving the keys from publius into you know what is what is proposed um published do you want to maybe give a summary of what is that proposal and then we can open it for questions sure so everyone should go read the proposal uh as this this won't be a relatively non-substantive summary but the point is obviously the dao has already approved the plan to relaunch beanstalk with off-chain governance and so what this bfp is doing is laying out the rules for the off-chain governance that will be executed by snapshot vote and in particular this bfp is transferring uh ownership of the uh beanstalk contract to a new multi-stick wallet thinking out loud here it probably should be a bip not a not a bfp um as it's a change to the protocol not a beanstalk farms proposal uh that's just a thought but the concept is that the the rules are being defined for how the community run multi-sig which will be responsible for executing the will of the dao as evidenced through the off-chain governance uh in a as permissionless and trustless fashion as possible so the the plan is for this to be a five of nine uh signature wallet gnosis safe uh originally it'll start as five of eight as the proposal states uh because one of the designers uh needs a little more time to get their setup uh ready so the that's the only that's one detail that's relevant but it seems like based on the discussion in the channel around the uh proposal that the main uh the main question on everyone's mind or or the main topic of discussion uh is whether or not the key holders the signers should be anonymous or pseudonymous or totally doxed and the proposal lays out the in the proposal it specified that the uh signers are all anonymous and the thinking behind that is that the main in our perception the main risk associated with off-chain governance is the potential corruption of a majority of the key holders and or keys and in short the the best thing that can be done to minimize the risk of corruption of the signers is for nobody to know who the signers are and so that does require some some level of trust in publius if that makes sense in this in the sense of well who's going to select the signers so the proposal currently lays out that we publish would select the signers and otherwise nobody would know who the signers are and the proposal lays out that at most there would be four beanstalk farms community members on the wallet uh excuse me beanstalk farm's contributors on the wallet uh publius would hold at most one key uh between the three of us and the rest of the keys would be held by reputable community members and the concept is that the i mean at the end of the day we don't have any problem we'd have to check with all the key holders that they're still comfortable doing it and are comfortable with their pseudonym being made public if you will but we don't have a problem per se with sharing it other than it it does seem to be sub-optimal from a security perspective so this is a topic of discussion that probably should be uh thoroughly discussed but at the end of the day it's these are these are sub-optimal options that we're choosing from and whether or not the key holders are uh known to the community or not uh is it's unclear how substantive of an improvement that will be from a trust perspective now it is worth noting that the the goal here is to have total trustlessness and permissionless and just the fact that we're having this conversation kind of sucks uh but it does need to be had and we do need to collectively decide on a a procedure for selecting diners and you know the i mean the the other question here is let's say that the key holders are known now should there be a selection process for the key holders now does the community get to vote on key holders uh does publish still get to choose the key holders but the community just knows these are all open questions uh on our mind obviously given the barn raises coming up quickly uh the goal would be to have this uh discussion sooner rather than later but obviously uh it's important that that that the necessary time is taken to have this discussion okay um if i was to summarize that and a little bit of what was going through in that channel as well i guess the questions are first of all how do we know uh you know it's not it's not all publius and you know they just said that it's given to others and then the second one would be uh which you just mentioned is you know who selects is it publius that selects or you know do we want to figure out a different way of the selection and then the lastly is that even if we choose people who are like pseudo-anonymous uh and the community knows them what happens if you know something in the future happens again when people come in and be like you know those who were in control were actually like so anonymous how does that look from an optics point of view and maybe we can tackle them one by one and starting with the last one is you know does beanstalk if if the community knows who these people are and these people choose to be uh pseudonymous or you know uh uh not not lay out their identity but but the community knows them and they've been part of the community for a while uh does being so care about the optics or do we more you know we're more objective and we care about you know what uh what does that does that mean to the community itself yeah these are these are really good questions and with regards to the first one on how do we know how does how can people verify that we don't have all the keys uh the concept is that's what currently is the situation publish has sole ownership of beanstalk uh and the this is if we we change this uh to a five of nine multi-sig uh that we still have all the keys to uh that would be in practice no substantive change and then it would just be like you know a facade to create some sort of perceived decentralization where it's not there uh yeah i mean i guess that's an action we could take but it's very hard to justify why that would be a reasonable action to take uh given that centralization is in our perception basically the main risk to being stock at the moment so we don't want to have these keys we don't want to be the owner of beanstalk so it is heavily in our interest to make that the case um so while i recognize there's in theory nothing you can do to verify it uh which is a problem uh the it's very hard to understand the logic behind that although understand the lack of ability to verify makes it uh makes it tough so the the other issue is who who chooses um and in short if they're anonymous then the goal is to minimize who the the number of people that know who they are and therefore the the concept would be to have them selected by publish and then no one else knows and there is a some concern as to if we could be compromised to disclose who the signers were uh you know that that would basically just put us in the same place that we would be and if all the sinus republic except i guess there's a an edge case where we could be compelled to disclose who the signers were and also be compelled to continuously uh refrain from mentioning that we had been compelled to disclose that information to someone and therefore they would have an information advantage over everyone else in trying to corrupt uh beanstalk and that's another risk that needs to be evaluated the the other question that you you highlighted mod is with regards to pseudonyms i think this is where push comes to shove at the end of the day because if the the wallet is going to use if people are comfortable using pseudonymous people on the wallet uh it's very hard from a logical perspective to justify why that is better than having anonymous people now in theory the pseudonyms do have some reputation to maintain and they they could be real people but it's you know hard to evaluate the if people are comfortable with pseudonyms the the relative difference in in people being comfortable with uh anonyms now yeah these are tough questions ultimately we don't i mean it's a very sticky situation frankly and not sure we we have uh the best answers uh to any of these questions as they're just you know crappy crappy situations so uh but the concept is if if we're gonna use pseudonyms which i think is is is makes a lot of sense given the the construct of the beanstalk community where almost everyone is pseudonymous uh it's then the question is well if everyone's pseudonymous well what's the problem of being anonymous now i get there's some there's some additional benefit in being able to verify that the pseudonyms confirm that they have the keys uh and i guess you could try to verify through uh external data that publius is not the pseudonym uh so that's that's true but other than that not sure what the it's i mean it's a very tough uh thing to to analyze the actual costs and benefits of okay can we maybe discuss a little bit about the the rationale behind uh being you know uh anonymous we that that has been laid out in the proposal about you know the potential of corrupting uh the can you can you explain that a little bit you know and what what what's the potential what's the worst case scenario that can happen the worst case scenario is if everyone knows who the signers are uh you know someone coordinates an attack where people with guns or wrenches show up at all the signer's doors and compel them to push militia malicious code to beanstalk great so here we're talking about those people you know once you know them that's like a weakness basically because you know these are the targets and it's it's highlighting who the targets are understood okay um what about other ideas uh that you know uh can be done to do this can it be such as you know like so we're talking about like nine can it be like four you know uh four and four and there's a group of people that only know the four but they don't know the other four and you know vice versa things like that do you think you know are these options explored the way i see it is that it's either whatever whatever choice you choose is going to be somewhere in the spectrum between you know being known or reduxed and anonymous so it's just you know you might make it a little bit less less risky but it's still you know risky towards the the worst case scenario that we just said which is the targets you know you're giving a little bit more information so you're moving more towards that risk or that you know exposure yeah i think the biggest potential issue with this plan as it's laid out is that if nobody knows who the signers are meaning none of the signers know who any of the other sinus are if let's say publius was killed uh or or removed from the situation entirely such that we were unable to take any action or communicate in any way now you have people that have the keys but you could potentially also have people that claim to have the keys and there's some i mean it's pretty easy for people to verify whether they only own the keys or not uh but the concept is there's some potential uh issues there that could exist but i don't think they're particularly likely but it's you know these are all the edge cases that need to get uh talked about or talked out talk through and so maybe there's something to be said for one of the every signer knows who one of the other signers are uh and maybe that sign like people shouldn't have one other it's it's tough it's like should people know who knows them uh and then in that case is it a partner system or is it a chain we're now now it's two-way it's like unclear unclear what the best what the best policy would be okay i think we kind of summarized the proposal and maybe some of the concerns we can we can open now the floor for questions you know and no one can come up and you know let's let's continue this discussion and that can be to share opinions as well even even if you're happy with the plan and you you know you want to share why you think that's the case feel free to do so okay otherwise how does this work now uh publish we're gonna this is gonna when is the snapshot going to go out and how long would people have to vote on it uh i don't know the details on this but i believe i saw somewhere that it was likely gonna be a 24-hour snapshot uh to hopefully be done prior to the the barn race starting uh don't know exactly when it will go live either and uh thinking kind of out loud here uh perhaps the maybe there should just be two op given that the i mean maybe it's it's tough to know what the decision should be for the bfp or the bip uh you know if it should probably be a bit frankly uh and the question is yeah i mean it's tough to know what the what the right thing to do in terms of voting options are should people be able to vote yes or no should people be able to vote yes for the proposal yes but uh pseudonymous signers uh and maybe a third option for yes but doxxed designers like fully doxxed and then a fourth option for no uh that's i don't know i haven't been involved in in in in this process so i don't know what the plan is on that front but it probably should be more than just a yes or no i would think okay that's that's one thing to take into consideration uh in the snapshot but i believe you know it goes without saying that if you don't have options then it's always a no and you wait until you find you know if it's a yes or no and you're not happy with it it's always or no and you can wait until you get something which is much more elegant right so the only issue here is we are a little pressed for time so it would be a little it would be sub-optimal to have the proposal fail and then have another three-day process between those proposals because the hope is to have this transferred uh to the new community multi-sig before the barn race starts but you know if it's a couple days late it's a couple days late yeah that's that's that's fine okay um i think uh if there are no questions uh we can end this call here um and once again um or you know three more days for the boundaries and that will start at 9 00 a.m pacific 12 noon easter thank you everyone for joining i'll see you in the next meeting