Arbitrum daoURI Proposal Security Review

OpenZeppelin, the Security Member of the ARDC, reviewed the Arbitrum daoURI Proposal and its specifications. If enacted, the proposal will publish a daoURI on the Arbitrum One network, creating a single source of truth for all the information about the DAO. No existing contracts will be modified and there will be no transfers of funds from the treasury.

Overview

DAOs often have a large and growing amount of information surrounding them. This information is constantly changing as a result of the proposal process. Consequently, the information is often scattered and quickly becomes out-of-date as time goes on. EIP-4824 has proposed a common standard to create a single source of truth for all information about a given DAO. This information will be on-chain and publicly verifiable, and shall contain the latest aggregation of all data about the DAO.

The API standard proposed by EIP-4824 defines a Uniform Resource Identifier (URI) called the daoURI. It contains a variety of information on the DAO as shown below:

{
    "@context": "http://www.daostar.org/schemas",
    "type": "DAO",
    "name": "<name of the DAO>",
    "description": "<description>",
    "membersURI": "<URI>",
    "proposalsURI": "<URI>",
    "activityLogURI": "<URI>",
    "governanceURI": "<URI>",
    "contractsURI": "<URI>"
}

This information is stored fully on-chain as a string in the JSON format as shown above. Any user can verify the information independently without relying on a third party to accurately report the latest information. Updates to this URI can be performed by permissioned actors after discussions with the community. Furthermore, community members can monitor event emissions for any changes to the URI, so any invalid or unauthorized changes can be easily identified.

This URI contains references to other URIs which, in turn, contain information regarding DAO members, proposals, activity, governance, and the various contracts in the system. The format of these subcomponents follows a similar structure and is detailed below. Not all of the provided fields have to be used and some can be removed from the URI if they are not needed for a specific application.

The URI can also hold arbitrary information beyond what has been shown above. For example, the standard can be extended by including links to specific proposal discussions or dashboards containing additional information about the DAO. These links can be stored on IPFS as well, thereby minimizing the centralization risk arising from a provider going offline.

Motivation

The primary motivation for this proposal is to create a single source of truth for the Arbitrum DAO. Currently, the information about the DAO is scattered across multiple locations and is difficult to find for newcomers or casual participants. This information is also constantly growing and evolving, so any third-party collections of this data quickly become out of date. In addition, relying on third parties to organize and report information on the Arbitrum DAO introduces centralization risk that can result in censorship or misinformation. Changes to this reported information can also be difficult to track or contest when it is stored off-chain.

By storing this information on-chain, a single, up-to-date source of truth is established. This cannot be altered by any third party and can be managed by existing governance with any changes transparently reported. This initiative will lower the barrier of entry to getting involved with the Arbitrum DAO for newcomers by organizing all of the relevant information in a single location. It will also increase accountability since the information is now freely available. Given that the information is stored and published in a single point, the overhead and maintenance efforts associated with publishing and consuming data will also be reduced. All in all, these changes are aligned with the community values of Arbitrum and make the DAO more open, accessible, and inclusive to participants.

Technical Details

No changes have been proposed to existing contracts, nor has any additional spending been requested from the treasury. A new registration contract would be deployed by making a simple contract call to the EIP-4824 Registration Factory. This contract is currently deployed at 0x2Dac5DBbF1D024c1E0D9c92D3AeDa7618e15aDd7 and has previously been utilized by other DAOs such as Unlock protocol, Treasure, and 1inch.

The registration will be done on the Arbitrum One network instead of the Ethereum mainnet. Moreover, the DAO’s governor timelock will be set as the admin which is in charge of setting the trusted managers. The managers are the permissioned entities in charge of updating the URI, and these trusted parties can be determined by discussions with the community. Beyond this contract deployment, the daoURI would need to be created. While a specific implementation has not yet been proposed, it is safe to assume that it would include a description of the DAO, a list of all DAO voters, a list of all proposals (with title, timestamp, status, and discussion links), a link to governance documents, a list of all contracts owned/managed by the DAO, as well as links to various dashboards containing protocol information. All the links will be stored on IPFS. In order to have the daoURI always report the latest information, governance could fully manage it, in which case an on-chain vote would proceed for each upgrade. However, as this may not be feasible, the Arbitrum Foundation could serve as a trusted manager for all future upgrades. DAOstar can also commit to maintaining the daoURI for a year, given an additional cost.

There are inherent trust assumptions behind this proposal as the managers are to be trusted to perform timely and accurate updates to the daoURI. This trust is important since the indexers rely on the data returned by the URI, and in case executable code is returned, the indexers could be tricked into running unrelated tasks. Given the nature of the daoURI for this specific application, the users will only be expecting a particular, fixed response from the URI. The detailed specification for the format and structure of the URI is shown below and the subcomponent URIs have also been included. Not all of the fields are necessary and extensions to this existing data can also be made if desired. The primary security concern pertains to the length of the stored URI. Given that the URI can grow to an arbitrary length, the number of storage slots necessary to read/write or update will continue to grow as time passes. Thus, the gas costs are technically unbounded, resulting in the operation failing if more gas is consumed than what is available within a block. One possible solution is to store each article on IPFS and save the corresponding hash on the blockchain.

daoURI
{
    "@context": "http://www.daostar.org/schemas",
    "type": "DAO",
    "name": "<name of the DAO>",
    "description": "<description>",
    "membersURI": "<URI>",
    "proposalsURI": "<URI>",
    "activityLogURI": "<URI>",
    "governanceURI": "<URI>",
    "contractsURI": "<URI>"
}
membersURI
{
    "@context": "https://www.daostar.org/schemas",
    "type": "DAO",
    "members": [
        {
            "id": "<CAIP-10 address, DID address, or other URI identifier>"
        },
        {
            "id": "<CAIP-10 address, DID address, or other URI identifier>"
        }
    ]
}
proposalsURI
{
    "@context": "https://www.daostar.org/schemas",
    "proposals": [
        {
            "type": "proposal",
            "id": "<proposal ID>",
            "name": "<name or title of proposal>",
            "contentURI": "<URI to content/text of the proposal>",
            "discussionURI": "<URI to discussion or thread for the proposal>",
            "status": "<status of proposal>",
            "calls": [
                {
                    "type": "CallDataEVM",
                    "operation": "<call or delegate call>",
                    "from": "<EthereumAddress>",
                    "to": "<EthereumAddress>",
                    "value": "<value>",
                    "data": "<call data>"
                }
            ]
        }
    ]
}
activityLogURI
{
    "@context": "https://www.daostar.org/schemas",
    "activities": [
        {
            "id": "<activity ID>",
            "type": "activity",
            "proposal": {
                "type": "proposal",
                "id": "<proposal ID>"
            },
            "member": {
                "id": "<CAIP-10 address, DID address, or other URI identifier>"
            }
        }
    ]
}
contractsURI
{
    "@context": "https://www.daostar.org/schemas",
    "contracts": [
        {
            "id": "<CAIP-10 address, DID address, or other URI identifier>",
            "name": "<name, e.g. Treasury>",
            "description": "<description, e.g. Primary operating treasury for the DAO>"
        },
        {
            "id": "<CAIP-10 address, DID address, or other URI identifier>",
            "name": "<name, e.g. Governance Token>",
            "description": "<description, e.g. ERC20 governance token contract>"
        },
        {
            "id": "<CAIP-10 address, DID address, or other URI identifier>",
            "name": "<name, e.g. Registration Contract>",
            "description": "<description, e.g. ERC-4824 registration contract>"
        }
    ]
}

Conclusion

We found the DAO URI proposal to be a reasonable step towards greater alignment with the community values of Arbitrum. No existing functionality is modified and no additional spend is incurred from the treasury. Additionally, the proposal will organize all the relevant information around the DAO in a single location that can be reliably verified on-chain. This will lower the barrier of entry to getting involved with the Arbitrum DAO for newcomers and casual users, while also increasing accountability as more information about the DAO will be made freely available and accessible. An exact specification has not been proposed for the contents of the URI, though this can be determined through further discussions with the community. In addition to this, the trusted managers in charge of maintaining the URI can also be designated by community discussions at a later date.

6 Likes
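
An added example, not part of the original review or of any EIP-4824 reference code: one way an indexer could treat a fetched daoURI document as untrusted data, covering the size and executable-content concerns raised under Technical Details. The 16 KiB limit, the `ipfs`/`https` scheme allowlist, the `check_dao_uri` name, and the `expected_sha256` digest (standing in for a hash recorded on-chain; it is a plain SHA-256, not an IPFS CID) are assumptions.

```python
import hashlib
import json
from urllib.parse import urlparse

# Limits and allowlist are assumptions for this example, not part of EIP-4824.
MAX_BYTES = 16 * 1024
ALLOWED_SCHEMES = {"ipfs", "https"}
URI_FIELDS = ("membersURI", "proposalsURI", "activityLogURI",
              "governanceURI", "contractsURI")

def _scheme(value):
    """Lower-cased URI scheme, or "" for non-strings and unparsable values."""
    try:
        return urlparse(value).scheme.lower() if isinstance(value, str) else ""
    except ValueError:
        return ""

def check_dao_uri(raw, expected_sha256=""):
    """Return a list of problems; an empty list means the document passed."""
    if len(raw) > MAX_BYTES:                      # bound the work before parsing
        return [f"document is {len(raw)} bytes, limit is {MAX_BYTES}"]
    if expected_sha256 and hashlib.sha256(raw).hexdigest() != expected_sha256:
        return ["content does not match the recorded digest"]
    try:
        doc = json.loads(raw.decode("utf-8"))     # parsed as data, never evaluated
    except (ValueError, RecursionError) as exc:
        return [f"not valid UTF-8 JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    if doc.get("type") != "DAO":
        problems.append('type must be "DAO"')
    for key in ("name", "description"):
        if key in doc and not isinstance(doc[key], str):
            problems.append(f"{key} must be a string")
    for key in URI_FIELDS:                        # fields may be omitted
        if key in doc and _scheme(doc[key]) not in ALLOWED_SCHEMES:
            problems.append(f"{key} has a disallowed or missing scheme")
    return problems

# Constructed sample documents (placeholders, not real Arbitrum DAO data).
GOOD = json.dumps({"@context": "http://www.daostar.org/schemas", "type": "DAO",
                   "name": "Example DAO", "description": "constructed sample",
                   "membersURI": "ipfs://example-members-cid",
                   "contractsURI": "https://example.org/contracts.json"}).encode()
BAD = json.dumps({"type": "DAO", "description": ["not", "a", "string"],
                  "proposalsURI": "javascript:void(0)"}).encode()
GOOD_DIGEST = hashlib.sha256(GOOD).hexdigest()

if __name__ == "__main__":
    print(check_dao_uri(GOOD, GOOD_DIGEST), check_dao_uri(BAD))
```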

Thank you for the review @openzeppelin, @Sinkas!