Emergency Spell for Emergency Shutdown Governance Vulnerability - March 24, 2023
The Governance Facilitator(s) and the Protocol Engineering Core Unit have placed an executive proposal into the voting system. MKR Holders should vote for this proposal if they support the following alterations to the Maker Protocol.
If you are new to voting in the Maker Protocol, please see the voting guide to learn how voting works.
Executive Summary
If this executive proposal passes, the following changes will occur within the Maker Protocol:
- The Emergency Shutdown Module will be able to remove Governance’s authority on the MCD_JOIN_CRVV1ETHSTETH_A, MCD_CROPPER, and CHANGELOG contracts.
Voting for this executive proposal will place your MKR in support of the changes and additions outlined above.
Unless otherwise noted, the changes and additions listed above are subject to the GSM Pause Delay. This means that if this executive proposal passes, the changes and additions listed above will only become active in the Maker Protocol after the GSM Pause Delay has expired. The GSM Pause Delay is currently set to 16 hours.
If this executive proposal does not pass within 30 days, then it will expire and can no longer have any effect on the Maker Protocol.
Proposal Details
Emergency Shutdown Module Changes
Based on this recommendation from the Protocol Engineering Core Unit, the Emergency Shutdown Module will be able to remove Governance’s authority over the following contracts, if this executive proposal passes.
Specifically, this means that after shutdown is triggered, it will be possible to permissionlessly de-authorize the GSM pause proxy from these contracts. This will need to be done within the GSM delay. It is a pattern in use for a number of other contracts already.
Affected Contracts
This contract is authorized on the Vat and uses an upgradability pattern, so it could be upgraded post-shutdown to steal collateral.
This contract is upgradable and authorized on MCD_JOIN_CRVV1ETHSTETH_A, so it could be used to upgrade that contract post-shutdown and execute the attack mentioned above.
While there is no known danger to the core system from this contract after shutdown, it is being included because external integrations may be depending on it in unsafe ways, and knowing it cannot be corrupted may be useful for future tooling built around Emergency Shutdown.
Emergency Response
This spell was organized under MIP24: Emergency Response. The GovAlpha Core Unit confirmed the emergency here. Please review the relevant threads before placing your MKR in support of this executive.
Review
Community debate on these topics can be found on the MakerDAO Governance forum. Please review any linked threads to inform your position before voting.
Additionally, these changes may have been discussed further in recent Governance calls. Video for these calls is available to review.
Resources
Additional information about the Governance process can be found in the Maker Operational Manual.
To participate in future Governance calls, please join us every Thursday at 17:00 UTC.
To add current and upcoming votes to your calendar, please see the MakerDAO Governance Calendar.