Constitutional AIP - Security Council Improvement Proposal

This proposal was co-authored by the L2BEAT governance and research teams.

Abstract

This AIP seeks to propose changes to the structure of the security council so Arbitrum can maintain the “Stage 1” designation as per L2BEAT and not fall back to “Stage 0” designation.

Motivation

On December 7, L2BEAT published an update to the security council requirements for the Stages Framework. The requirements were updated after a lot of research and feedback to make Stages more formal and precise.

Rationale

Upgrading the security council as per the Stage 1 requirements set by L2BEAT, will help ensure Arbitrum remains decentralized, but properly secured. See ‘Specifications’ for more details.

Key Terms

Stages: A framework, inspired by Vitalik’s proposed milestones, that categorises rollups into three distinct stages based on their reliance on these training wheels. You can learn more about the Stages framework here.

Security Council: A group of 12 individuals who are responsible for addressing risks to the Arbitrum ecosystem through the selective application of emergency actions and non-emergency actions. Learn more in the ArbitrumDAO Docs.

Timelock: Smart contracts which implement a delay between an upgrade confirmation and execution.

Exit Window: The actual time users have to exit the system in case of an unwanted upgrade.

Specifications

Arbitrum currently has two multisigs and they both contain the same set of members:

a) A 9/12 multisig with instant upgrade power

b) A 7/12 multisig that can upgrade with a 3+7+3 days delay

While the higher threshold multisig can be classified as a Security Council, the lower one is below the minimum threshold and it’s considered a simple multisig according to the Stages framework introduced above.

For normal multisigs, L2BEAT requires at least a 7 days exit window for users. The current exit window for Arbitrum is 2 days (see this thread for a quick explanation).

Moreover, the higher threshold multisig is supposed to stop malicious upgrades attempted by the lower threshold multisig. However, since the member set is the same, if the lower threshold agrees on something there are not enough members in the higher threshold to stop them, which means that the actual security of the upgradeability mechanism boils down to the 7/12 threshold.

For the above reason, technically, with the updated requirements for Stages, Arbitrum falls back to the Stage 0 designation. Since we know that it takes time to upgrade Arbitrum, we decided to leave the Stage 1 designation with the promise of addressing the above issues in a timely manner. This proposal is about addressing the issues and moving them to be voted on by the DAO.

Proposed Solutions

1. The first solution would be to remove the lower threshold (7/12) multisig entirely. This can be done in two ways:

• The contract is removed which requires an on-chain upgrade, or,
• The lower threshold multisig increases its threshold from 7/12 to 9/12 which requires no upgrade.
   
  Increasing the threshold gives us the flexibility to restore a lower threshold in the future should the need arise, and it’s also a very quick and easy fix since it doesn’t require an on-chain upgrade.
   
  On the other hand, removing the dependency on the lower threshold mutlisig for all the contracts in Arbitrum is a broad and potentially risky change. Therefore we suggest raising the threshold for the time being and revisiting the removal of all the dependencies at a later date if needed.

2. The second solution would be to leave the lower threshold multisig as it is, but to increase the exit window to 7 days. In practice, this involves increasing the L2 timelock delay from 3 days to 8 days, since there is a 1 day max delay to force transactions on Arbitrum via L1 using the ‘DelayedInbox’. Increasing the L1 Timelock would not be very beneficial due to delay attacks on the fraud proof systems, since, even with BoLD, the challenge period would end up being up to 16 days.

3. The third solution, which is not strictly required by the Stages Framework for the Stage 1 designation, is to both remove the lower threshold multisig entirely and increase the L2 Timelock delay so users have more time to exit in case of unwanted upgrades, increasing the security of the system even more.

Steps to Implement

Following a week of discussion of this RFC, the proposal will go for a vote on Snapshot with the following 4 options (as they are or slightly adjusted), and/or any additional ones, should they arise from the discussion during the RFC phase:

1. Increase the threshold from 7/12 to 9/12.
2. Increase the L2 timelock delay from 3 days to 8 days.
3. Increase the threshold and the L2 timelock delay.
4. Make no changes.

Following the temp-check, if any of the aforementioned options apart from No.4 is the most popular, the proposal will move to on-chain vote to execute the proposal.

Overall Cost

There’s no overhead to the DAO for the implementation of this proposal.

Timeline

RFC - January 11th to January 18th

Snapshot - January 18th to January 25th

On-Chain Vote: January 30th to February 13th

Execution Delay:

• February 13th to February 16th - L2 Waiting Period
• February 16th to February 23rd - L2-to-L1 Message
• February 23rd to February 27th - L1 Waiting Period

Please note the aforementioned timeline is tentative and the actual timeline might be slightly different.

Thanks L2Beat!

Technical Considerations

Here are governance action contracts for the 3 potential changes discussed in the post (note that as of posting this, contracts are not yet audited; including here for demonstration purposes):

1a: Increase non-emergency SC threshold

1b: Disable the on-emergency SC

2. Increase L2 timelock delay

We believe the implementations of all three changes are equally trivial from a technical perspective, and thus the relative technical complexity of the upgrades shouldn’t be an important factor when considering the options.

Additionally, re 1a, the proposal reads:

Increasing the threshold gives us the flexibility to restore a lower threshold in the future should the need arise, and it’s also a very quick and easy fix since it doesn’t require an on-chain upgrade.

As the implementation linked above demonstrates, changing the non-emergency security council’s threshold can be carried out entirely via DAO vote, and does not require a security council action (in this way, this is no different than any other governance action).

General Thoughts

We at Offchain Labs see little downside to increasing the non-emergency Security Council’s threshold; this increases the barrier to submitting non-emergency proposals, but we see this as a positive.

Since this is the most modest protocol change of the ones suggested (1b removes the ability for the council to put forth non-emergency upgrades at all, and 2 adds five additional days to the time it takes proposals to finalize), we lean toward option one. Curious to see what others think!

Thanks @dzack23 for your explanation! It’s good to hear that both all three changes discussed in the post are trivial!

We’ve moved to Snapshot vote according to the plan. We hope to get some delegates attention and feedback on this proposal.

After carefully reviewing the proposal and considering the comments from @dzack23, we believe that option 1 is the most appropriate.

We consider this approach essential, as the Security Council is a crucial component for Arbitrum. Therefore, we would like to propose the inclusion of some sort of Emergency Response Drills for the Security Council. This idea aims to allow the DAO to empirically assess the Council’s response times in various emergency scenarios. These drills should be carried out 2 to 4 times a year, at random times during this period.

Broadly speaking, the idea is to define certain response parameters that the DAO expects to be satisfactorily met by the Security Council, including response time, number of signatories, among other aspects.

It is likely that the members of the Security Council maintain a private group with the Arbitrum Foundation and OffchainLabs. However, from the DAO’s perspective, we do not have, nor should have, visibility of this. The role of governance should be to ensure that the Council fulfills its role through these drills, especially considering that the DAO’s governance selects the security council members. This approach is not intended to add bureaucracy but rather to enhance security in the rollup with the highest TVL and activity in the ecosystem.

What are your thoughts?

Savvy DAO is voting to Increase the threshold to 9/12.

We thank @Sinkas and @krst for all their work developing this proposal.

I will be voting to increase the multisig to 9/12. This looks to be the quickest and least intrusive way to achieve the goal, so feels like a no brainer given the context.

As the Curia team, after reviewing the Security Council Improvement Proposal and @dzack23 's comment on the Arbitrum forum, we have decided to support the increase of the non-emergency Security Council threshold from 7/12 to 9/12. This decision is driven by our commitment to enhancing network security, aligning with community preferences, and maintaining some degree of decentralization.

After consideration Treasure’s Arbitrum Representative Council (ARC) would like to share the following feedback on the proposal.

We want to thank L2Beat for taking the initiative to address this important topic of security. After discussion we open to support the proposal to increase the threshold to 9/12.

We feel that this option provides the cleanest and clearest “win-win” security benefit for Arbitrum which does not also impact the timeline of an already long governance process.

Edit: Due to operational issues we were not able to submit our vote on Snapshot. We will make an intentional commitment to support this proposal on Tally.

The below response reflects the views of L2BEAT’s governance team, composed of @krst and @Sinkas, and it’s based on the combined research, fact-checking and ideation of the two.

Even though this is our own proposal, we don’t see any conflict of interest in voting on it, so we’ll vote as well.

We vote for both options - increasing the threshold and increasing the delay. We find both solutions valuable in terms of increasing the security of the chain. While we understand the concerns regarding increasing the delay, as it will delay all votes by an additional 5 days, we believe that increasing the exit window for user funds is a significant and meaningful value-add in the event of an emergency.

Thanks to L2B for putting this forward. Upon consideration, I just voted to increase the threshold from 7/12 to 9/12, since it would be quicker to implement than both at the same time, a good way to start.

@juanbug and I have posted our perspective below on behalf of the Uniswap DAO’s Arbitrum governance team.

Update on the proposal and the timeline:
The temp-check was successful and the most voted option was to increase the small security council threshold from 7/12 to 9/12.
We’re working with the Foundation to create the necessary executable code in order to move to an on-chain vote. We will update this thread once the vote has been posted on Tally.

Worth flagging that this proposal should not only update the onchain system to reflect the proposed Security Council thresholds, but should also update the constitution text to reflect the new behavior.
More specifically, Section 3 where the Security Council is described.

implementation of latest changes (consistent with result of snapshot) are WIP here: increase nonemergency security council threshold action by DZGoldman · Pull Request #253 · ArbitrumFoundation/governance · GitHub

The below response reflects the views of L2BEAT’s governance team, composed of @krst and @Sinkas, and it’s based on the combined research, fact-checking and ideation of the two.

First off, we want to thank the DAO for supporting the proposal during the temp-check.

Our initial timeline was based on the time it takes to move a proposal through the governance process, but that didn’t include any external delays. Since the changes outlined in the proposal have to do with the Security Council and its structure, we believe it’s best to approach the implementation with caution. To that end, we’ve been in touch with the Arbitrum Foundation which will help see the execution through by producing the necessary code and having it audited by a security firm. This process is expected to take up to 2 months.

While the code to implement the proposed changes is relatively simple, we want to ensure there are no unwanted implications that could put the security of Arbitrum at risk. We think sacrificing 1 or 2 weeks to have complete peace of mind is worth it.

Having said that, the updated expected timeline is:

• Completion of audit - End of March
• On-chain proposal - Beginning of April
• Implementation - End of April

While the updated timeline is far off from the one included in the original proposal, there’s no material benefit to expediting the process at the expense of security.

We would like to thank the @dzack23 and the Arbitrum Foundation for their support and willingness to work with us on this proposal, and after the entire process is complete, we will publish our lessons learned and the guideline for the DAO on how to proceed with such proposals.

Proposed language for new constitution and respective hash are available in update constitution and docs with new security council non emergency threshold by fredlacs · Pull Request #762 · ArbitrumFoundation/docs · GitHub

The cp0x team voted in favor of this proposal.
We support more secure multisig 9/12

The code has been audited and public report by Chain security is available ChainSecurity_Arbitrum_Foundation_Security_Council_AIP_audit.pdf (437.0 KB)