Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CPS-0006? | Governance Security #491

Closed
Closed
Changes from 26 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
3ee04b5
Initial commit for governance security CIP
rickymac68 Mar 27, 2023
a2b1536
Fixing YAML format
rickymac68 Mar 27, 2023
10dcc0d
Updated the Authors
rickymac68 Mar 27, 2023
ebed65b
Updated the discussion link
rickymac68 Mar 27, 2023
a2c3078
Corrected typos
rickymac68 Mar 27, 2023
9227d45
Added Threat number 1 to the Specification section.
rickymac68 Mar 27, 2023
13aecec
Added List of Governance Threats for Public Review
rickymac68 Mar 27, 2023
94c5fdb
Remove brackets
rickymac68 Mar 28, 2023
c1af66d
Simplified the abstract
rickymac68 Mar 28, 2023
20cd040
Corrections to line 28&29
rickymac68 Mar 28, 2023
7bb9ed2
Change type of Document from CIP to CPS
rickymac68 Mar 28, 2023
5d671d2
Correct Abstract section to H2
rickymac68 Mar 28, 2023
10d7879
Change Specification to Goals
rickymac68 Mar 28, 2023
4d88078
Correct description of CPS intent
rickymac68 Mar 28, 2023
3ff035a
Correct hyphenation
rickymac68 Mar 28, 2023
1fee210
multiple corrections to typos
rickymac68 Mar 28, 2023
7e2dcb4
Demote sections to H2
rickymac68 Mar 28, 2023
c75a650
Demote to H2
rickymac68 Mar 28, 2023
476e9f3
Governance Security CPS
rickymac68 Mar 29, 2023
8d11ff6
Delete README.md
rickymac68 Mar 29, 2023
e945a48
Added new link to discussions
rickymac68 Mar 29, 2023
a42ccb8
H1 tiles not included in CIP/CPS markup
rphair Apr 4, 2023
d8947c0
single ? called for in CIP-0001 + helps our scrapers
rphair Apr 4, 2023
34b2be0
Merge branch 'cardano-foundation:master' into Governance-Security
rickymac68 Apr 4, 2023
5c6090d
Comments accepted
rickymac68 Apr 4, 2023
3df05bc
Changed Category and Updated Format
rickymac68 Apr 5, 2023
8c42fc1
Section 2 Recommendations
rickymac68 Apr 5, 2023
de50fca
Added Governance Change Recs
rickymac68 Apr 5, 2023
666074c
Added #26
rickymac68 Apr 6, 2023
4506b9d
changed category from Meta to Ledger
rphair Jun 11, 2023
d531ddf
assigned CPS number
rphair Jun 11, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 172 additions & 0 deletions CPS-?/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
---
CPS: ?
rphair marked this conversation as resolved.
Show resolved Hide resolved
Title: Cardano Governance Security
Category: Meta
rphair marked this conversation as resolved.
Show resolved Hide resolved
Status: Open
Authors:
- Richard McCracken <rickymac68@icloud.com>
- Andrew Westberg <andrewwestberg@gmail.com>
Proposed Solutions: N/A
Discussions:
- https://github.com/cardano-foundation/CIPs/pull/490
- https://github.com/cardano-foundation/CIPs/pull/491
Created: 2023-03-28
---


## Abstract

As Cardano's community-led governance system goes live, it's crucial to address the security of the governance mechanism in a way that informs all participants of potential weaknesses and how to mitigate them. The guidelines provided in the CIP are relevant to various groups, including Constitutional Committee members, Delegation Representatives, Stake Pool Operators, voters, and all Ada holders. Moreover, the guidelines are applicable to wallet, dApp, and infrastructure developers to help them build situational awareness and design governance security considerations into their development processes.
rickymac68 marked this conversation as resolved.
Show resolved Hide resolved

These recommendations are the result of a collaborative effort among cybersecurity, financial, and game theory experts, as well as participants of the Voltaire workshop, including developers, stake pool operators, representatives from IOG, Cardano Foundation, and Emurgo, members of Project Catalyst, and members of the Cardano community.


## Problem

The Cardano community's on-chain governance mechanism, Voltaire, is susceptible to various types of attacks that may compromise its security. This system defines on-chain decision-making that is automatically executed when a certain threshold of approval by human actors is met. To ensure maximum awareness of potential threats and vulnerabilities, this document will enumerate and describe each threat or vulnerability, including recommended mitigation techniques. It is crucial that all stakeholders, including voters, developers, and governance actors, are informed of these risks to identify and prevent any damage or, in the case of a threat event, facilitate recovery.

In rare instances, a threat may be identified that requires responsible reporting procedures to prevent exposing an active vulnerability to bad actors seeking to exploit it. In such cases, it is essential to notify the appropriate group or entity with the ressources, or are responsible for mitigating the threat in a confidential manner.

### #1: Unknown software vulnerability affecting governance is discovered.

An assumption is that are no known software back doors. Unknown software vulnerabilities may be discovered.

**Recommendation:** The person discovering the vulnerability should take the following steps:
* Document the vulnerability: The first step is to document the vulnerability as accurately as possible. This documentation should include a detailed description of the vulnerability, steps to reproduce it, and any other relevant information.
* Notify the relevant parties: The next step is to notify the appropriate parties, including the developers of the software, the blockchain community, and any relevant authorities. It's important to provide as much information as possible, so that the parties involved can understand the scope of the vulnerability and take the necessary steps to address it.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "relevant parties" should (must?) be voted on by the community. The contact detail data could (must?) be stored on chain.

* Keep the vulnerability confidential: It's important to keep the vulnerability confidential until a fix has been implemented. This will prevent hackers from exploiting the vulnerability before it's patched.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A tiered bug bounty rewards program can be employed to recompense those who articulate meaningful corrections required to reverse/repair a potential vulnerability. A treasury may need to be formed to fund this specific activity, releasing those proposed rewards by a committee vote.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok Chris, I will add that to the recommendations. Be aware it is un-enforceable as the bug bounty has to be paid by some entity. Good recommendation though.

Copy link

@Liberty-Chris Liberty-Chris Apr 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to create a multisig arrangement tied to an address where people can donate for this purpose and bounties are paid out by multisig? I would personally donate 10 Ada per epoch to it.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is meant by "unenforceable" and "paid by some entity"?

It feels like the whole bounty payout could be managed on-chain with the payout in ada or another native token (djed perhaps).

I haven't thought through this idea fully yet so be gentle...It feels like the whole flow could (maybe not should?) be managed on-chain.
"Responsible" party submits encrypted vulnerability details inside the metadata of [a] transaction(s). Provides the decryption key to the "relevant parties" as well as payment address for any bounty (payment addr could be included in metadata). Once bug is resolved and paid the encryption key for the vuln data can be released so the public can view details

How much the bounty is worth will need to be determined somehow? Who votes on that? Going to be difficult without the public knowing the vuln details. Feels like we need a separate "treasury pool" specifically for bug bounties that can be sined/paid by a subset of the governance members or a new class of dreps?

### #2: Emergency group to support the disaster recovery plan.
-attacks on persons if known
-we don’t want attackers to know who that group is?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to add some steps/notes about Cardano infrastructure providers? Something like Blockdaemon and/or Fireblocks, and also wallet infrastructure (Daedalus, Ledger, Lace, Nami, etc...).

**Recommendation:**

### #3: Emergency change that needs to be done quickly.
* a nuclear option
* change requires “just do it”
* a security that fix must be implemented but CANNOT be communicated publicly

**Recommendation:**

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • periodic (annual?) key rotation process should be added.

### #4: Operational Security (OPSEC) of the committee.
* physical security
* igital security

**Recommendation:**

### #5: Committee keys lost or stolen or committee keys sold to a bad actor.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Lost/Stolen : Member must be able to sign with the same wallet/stake key to authenticate for burn/mint of previous key

  • Sold to bad actor : Loss of collateral / Keys destroyed by committee vote

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the result of lost, stolen, or sold is the same. The keys must be burned and new ones generated. I could be wrong.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, same. Lost, stolen, or suspected of compromise

### #6: DRep keys lost or stolen or DRep keys sold to a bad actor.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Lost/Stolen : DRep must be able to sign with the same wallet/stake key to authenticate for burn/mint of previous key

  • Sold to bad actor : Loss of collateral / Keys destroyed by committee vote

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the corrective action for lost, stolen, or sold is the same. The keys must be burned and new ones generated. Same as above. I think the difference in how new keys are generated is in the implementation.

### #7: Lack of governance for an extended period of time.
* Uncontrolled hard forks by SPOs
* Risk of no confidence

**Recommendation:**

### #8: Lack of trust in voter tooling.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember there was going to be some kind of "certification' process suggested for DApps [on lace?], perhaps we could adopt a similar process for voter tools/wallets.

**Recommendation:**

### #9: Trust in the wallets.
* wallet voting attack vector
* hardware wallet support

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels a bit of a generic private key risk? If here are concerns over a wallet's ability to store / access a private key for governance then they likely can't protect any private keys. Maybe isn't required to explicitly called out for this CIP?

**Recommendation:**


### #10: Corruption - in any form, any number of actors.
* Code of Conduct mitigation
* on-chain mitigation


**Recommendation:**

### #11: Collusion - the bad version of collaboration to do something illegal or undesirable.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is collusion on the part of any committees members or DReps, it should result in loss of collateral by committee vote. Evidence needs to be presented in a reasonable and articulable way to a body (i.e. Oversight & Accountability Committee), with specific constitutional citations that explains the behavior and/or actions. Voting on such an action must be constitutionally based, not emotionally based.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if the deposit to be a DRep can be revoked by any other entity. This could work. Will tag @JaredCorduan and @KtorZ to ask if this is technically possible or would require a code change?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as currently written, no, there is no way to revoke the deposit.

I'm personally not a fan of giving the CC this new power, which could in theory could be abused.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that the CC should have no powers beyond what is currently described in CIP-1694. I suppose I am envisioning a separate body to provide some oversight with issues like these.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about revoking a key's ability to vote/propose changes? Not sure how feasible it would be to maintain a naughty list.

That being said... what's the difference between collusion to do something bad/undesirable vs something good/desirable? (legal/illegal is globally as subjective as good and bad). This feels like something that must be managed by CIP1964 and the constitution.

### #12: Vote buying - Ada kickbacks.

**Recommendation:**

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As previously suggested in Item 11(Collusion) perhaps an on-chain naughty list that can be integrated into voting tools?.

but also who will police this? we'll need "courts" to determine guilt and folks to prosecute/defend

### #13: IGCO - initial governance coin offering
* offering voters a token of unknown value by a representative to acquire delegators
* including tokens other than Ada

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels like a duplicate of #12 (vote buying)

**Recommendation:**

### #14: Powerful Voter Collusion
* demotivates smaller bag holders
* cause a loss of participation
* too many voters abstain
* minority controls the outcome
* can push through any proposal

**Recommendation:**

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Has to be addressed in the constitution. Just like it is in the US constitution: https://constitution.congress.gov/browse/essay/intro-2-2-2/ALDE_00000031/ (I know nothing of this at any kind of depth but the idea is sound)

### #15: Persistence - Removal of proposals by attackers.

Recommendation:

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know I continue to suggest collateral. I'm going to do it here, too. If an individual or group of individuals want to remove a proposal, collateral should be required, just as submitting the proposal should. If the removal request is found by committee to be nefarious and/or without merit, a loss of collateral should occur.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, I don't know if the deposit by the DRep is considered a collateral, or a deposit that can be only returned to the depositer. For example no other keyholder can revoke a stake pool deposit of 500 Ada. Only the keyholder can do it afaik.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, collateral should be required.

### #16: Risk of Proposal overload - Risk of DDOS.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Require collateral to accompany a proposal (i.e. 50 $Ada or higher)

  • Collateral reimbursement once proposal is approved for a voting round or rejected due to constitutional violation

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, I think we need to define the difference between a deposit and collateral, and which entity would have the power to slash it. Also might need to consult the game theory experts on slashing mechanisms as a form of punishment.

### #17: Excessive actions.
* Drawing too much money
* Changing parameters that break the chain (block size=0 for example)
* overlapping actions and duplicate actions

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Intentional attempts to submit parameter change proposals that are deemed detrimental to the health of the network should result in a loss of collateral. As mentioned for line 118, collateral should be required to submit proposals.
  • Overlapping/duplicate actions should be mostly curbed due to collateral requirement. If 1:1 duplicate is successfully proposed, the enforcement of a penalty from collateral as a percentage might be appropriate.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure there is a risk here. We would need all governing bodies to agree that the submitted proposal is 1) valid and 2) everyone votes to pass it.

### #18: Lack of technical understanding by DReps.
Education of correct procedures for DReps

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curriculum framed from the contents of the constitution and the approved governance CIP (CIP-1694 or otherwise)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I concur.

### #19: Sybil behavior - one person acting as multiple DReps.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Loss of collateral and expungement of registration. DReps should also be required to submit collateral with their registration. Not dissimilar from a minimum pledge with a stake pool.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above, if there is a difference between collateral and deposit.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the voting power is based on total ADA behind the DRep then what point would there be to create multiple registrations? To bloat the the chain? You could argue the transaction cost to register as a DRep would make this unattractive in the same way spamming the network with tiny transactions prevents DDoS

### #20: Overpower Risk - One DRep or entity with too much power.

**Recommendation:**

### #21: Superstar attack - one “superstar” person that everybody delegates to becomes a dictator with little skin in the game.
(Example: Elon Musk as a DRep)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Collateral exceptions or tiers - A potential process during DRep registration where an approval/finalization process occurs by committee. A tiered collateral model might be appropriate, levied based on certain criteria (i.e. social influence, history of nefarious behavior)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must be solved in the constitution (separation of powers again)

### #22: High chain load impacting governance.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Run all governance actions on a sidechain
  • gAda (Governance Ada) at 1:1 Mainnet Ada
  • Snapshot based (every epoch)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like a good recommendation like for example Project Catalyst uses a snapshot and the Jormungandr chain.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iirc a layer2 can share the same security guarantees as a layer1 but a sidechain is just a bridged, separate network -- offloading to layer2 definitely sounds like a good idea

### #23: Unknown external regulation risks - affecting a specific DRep by country or affecting governance as a whole.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Form a Regulation Preparedness & Action Committee
  • All issues of importance can be brought to the floor of the committee for evaluation, discussion, recommendation and/or action

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I need to break this into 2 types of risks.

  1. Indvidual DRep.

  2. Cardano Governance process as a whole.

  3. I was thinking of just making it the responsibility of each DRep to comply with their local laws. Otherwise, legal fees would skyrocket. If a DRep from a particular region runs into legal issues with acting as a DRep they can either fight it or resign.

  4. For Cardano governance process having legal issues, kick that over to the Cardano Foundation to fight.

What do you think?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I agree. Engaging with the CF for Governance legal challenges is probably the best course of action. At least initially, to get things aligned. It may be worth having a point of contact identified at CF as a resource for individual DReps who face legal challenges. If for nothing but some general guidance. Just having someone to talk to who understands the situation can be a huge help just for the stress factor alone.

### #24: Blocking a Constitutional Committee revote after a vote of “no confidence”.


**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Proposal should be returned to the DReps with documentation that outlines why a vote of "no confidence" was given, giving the DRep body an opportunity to submit reasons and potential solutions to the proposer(s)
  • or a direct revote by the DRep body requiring a strong percentage (3/4?) of votes to the affirmative in order to successfully override the "no confidence" vote.

### #25: Ensuring the legitimacy of side chains involved in governance.

**Recommendation:**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • gNodes (Governance Nodes) implemented by process of election
  • Disallow DReps and other committee members from operating gNodes
  • Conflicts of interest should be outlined (i.e. spouses of gNode operators cannot be DReps and vice versa)
  • Risk of collateral/pledge loss for circumventing outlined accepted practices
  • Outline requirements for operating a gNode

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More nodes may not be desirable. Actions should be largely enforceable on-chain where or when possible. Unless the purpose of the nodes is the run the previously mentioned side chain like a jormungandr chain? Maybe leverage or recycle the Project Catalyst infrastructure?

Another option is to firewall out the sidechains from governance. That way people don't spin up a sidechain with a token of unknown value to capture the voting process on the main chain.

I don't know how accurate this link is, but it is an example of governance capture from an incentive external to the chain. Could be just the author's opinion: https://reddit.com/r/tezos/comments/12ahgl1/unaligned_governance_capture_is_it_a_risk_for/

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need more data/description

## Use Cases
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you can add examples of user's goals, so for Ada holders it may be "to be able to engage in a safe and secure governance system where...."


Use cases need to be fleshed out. Need more inputs here as each use case would apply to each prolem listed above. Seems like both the CIP and CPS formats is not a good fit for this document.


## Goals

The intent of this CPS is to promote awareness of governance security vulnerabilities and possible mitigation techniques in the Cardano ecosystem. The goal is to provide a comprehensive guide describing all known governance security threats and possible mitigiations techniques, but not to address specific software vulnerabilities. The governance security need is present regardless of the final form of CIP-1694 or any other governance document to minimize malicious activities that may occur within a system of voting, holding elections, and/or on-chain approval of automated actions are present.

## Open Questions

Proposed solutions should strive to address the questions outlined within [Problem](#problem).