###### tags:`Research`

# A new defence against governance attacks

In this document, we propose a modification to the Emergency Shutdown Module and the process of triggering it.

## How does the ESM work?

The Emergency Shutdown Module exists to allow a minority of MKR holders to shut down the protocol by depositing their MKR into the ESM. MKR deposited into the ESM is immediately burned. If the amount of MKR deposited into the ESM exceeds the ESM Threshold, emergency shutdown is activated. Note that delegates cannot deposit MKR delegated to them into the ESM - it must be done by the MKR token owners. More details about the emergency shutdown process can be found [here](https://docs.makerdao.com/smart-contract-modules/shutdown).

## Mode of attack considered

The attack considered here is a governance attack where a malicious entity (including possible malicious actors within the Maker community) has access to enough MKR to pass one or more executive spells. This could include executives that transfer collateral backing Dai to the attacker's address. Such an attack can even be performed trustlessly through a contract such as [TakerDAO](https://twitter.com/ameensol/status/1229848488621428736).

The primary defence against such an attack would be for honest MKR holders to cancel the malicious executives passed within the [GSM Pause Delay](https://manual.makerdao.com/parameter-index/core/param-gsm-pause-delay) period. However, by assumption, the attacker may still be able to pass their malicious spells since they have enough MKR.

The next and final defence in this scenario is the ESM-based defence, where a minority of MKR holders trigger the Emergency Shutdown Module. If this happens within the GSM Pause Delay period, no collateral is stolen. The protocol could theoretically be relaunched and MKR burned via the triggering of the ESM could be returned.
Since prices of MKR are likely to be lower after the shutdown, this is an economic deterrent to an attacker that attempts such an attack. It may or may not be possible to relaunch the protocol and not airdrop new MKR to the attacker.

## Issues with the ESM-based defence

Given the chaotic environment during such an attack with possible trusted entities turning malicious (e.g. GovAlpha), it may be unreasonable to expect honest MKR holders to be able to communicate and coordinate quickly enough to defend the protocol. In particular, it may not even be clear if the protocol is genuinely under attack or if there is simply misinformation. Thus, the following issues are likely with the current ESM-based defence:

1. Honest MKR holders only have the GSM Pause Delay period (48 hours at the time of writing) to trigger the ESM, a decision which involves burning their MKR. This is difficult to commit to if information about the attack is unclear.
2. It is well known that large MKR holders use custodial solutions that would make it impossible to move their MKR to trigger the ESM or try and regain the hat within the GSM Pause Delay period.
3. The act of shutting down the protocol is an extreme step that inconveniences Dai holders and the wider crypto ecosystem. The only immediate requirement is to block malicious executives while regaining control of governance, not to shut down the entire protocol.

## Solution characteristics

The ideal defence in the face of such an attack should be to prevent the malicious executives from passing so MKR holders can buy time to understand the situation, try to recapture the hat and decide whether it is necessary to trigger the ESM.

The key is to allow a minority of MKR holders to be able to do this without a severe financial penalty but also ensure that this does not become a tactic to hamper regular governance actions. Minority MKR holders who disagree with a valid governance decision should not be able to regularly use this as a stall tactic.
## Proposed Solution

Consider a contract that we call dss-defender. This has three parameters - the `threshold amount`, the `cancel-spells duration`, and the `lockup duration`.

MKR may be deposited into the dss-defender by MKR holders only. Delegates cannot deposit MKR into dss-defender. Honest MKR holders should only deposit MKR into this if they suspect malicious executives have been passed and that the hat cannot be recaptured from the attacker. Their MKR will be locked into this contract for the `lockup duration` from the moment it is deposited except for two cases, namely:

1. The majority of MKR holders (including depositors) vote for an early release.
2. The depositors wish to move the locked up MKR into the ESM.

If there is more MKR than the `threshold amount` deposited into dss-defender, a permissionless parameterized `cancel function` on the contract is enabled. The `cancel function` allows anyone to cancel any executive waiting during the GSM Pause Delay. The `cancel function` would be available for the `cancel-spells duration` from the moment the `threshold amount` is exceeded. This mechanism can only be triggered once. To use this `cancel function` after the `cancel-spells duration` is over, MKR holders must reinitialize dss-defender through an executive vote.

In addition to activating the `cancel function`, dss-defender moves all MKR deposited into it to support an executive that enables an early release of locked up MKR in dss-defender and reinitializes dss-defender. If a genuine attack was thwarted, then all remaining honest MKR holders should take control of the hat by backing this executive, which will pass after the `cancel-spells duration`. This restores the system to the pre-attack state and returns deposited MKR.

Regardless of other actions, after the `lockup duration` is over, MKR in dss-defender can be withdrawn by depositors. At any point, including during the `lockup duration`, MKR tokens in dss-defender can be moved to the ESM by depositors.
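
The timing rules above can be checked with a small Python model, added here as an illustration; it is not code from the proposal's authors or from Maker, and it models only the threshold latch, the cancel window and the lockup, not the vote for the release executive. The class and method names are hypothetical, the strict `>` comparison and the restart of the lockup clock on a top-up are assumptions, and the sample values are the arbitrary ones the Example Scenarios section uses.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400  # seconds


@dataclass
class DssDefender:
    """Toy model of the proposed rules; not contract code."""
    threshold: int        # `threshold amount`, in MKR
    cancel_duration: int  # `cancel-spells duration`, in seconds
    lockup_duration: int  # `lockup duration`, in seconds
    deposits: dict = field(default_factory=dict)  # owner -> (amount, deposited_at)
    triggered_at: Optional[int] = None  # latched: the mechanism fires only once
    early_release: bool = False         # set by a majority executive vote

    def total(self) -> int:
        return sum(amount for amount, _ in self.deposits.values())

    def deposit(self, owner: str, amount: int, now: int) -> None:
        # Assumption: a top-up restarts that owner's lockup clock.
        held = self.deposits.get(owner, (0, now))[0]
        self.deposits[owner] = (held + amount, now)
        # "more MKR than the threshold amount" is read as a strict comparison.
        if self.triggered_at is None and self.total() > self.threshold:
            self.triggered_at = now

    def can_cancel(self, now: int) -> bool:
        """True while the permissionless cancel function is enabled."""
        return (self.triggered_at is not None and
                self.triggered_at <= now < self.triggered_at + self.cancel_duration)

    def withdraw(self, owner: str, now: int) -> int:
        amount, since = self.deposits[owner]
        if not self.early_release and now < since + self.lockup_duration:
            raise PermissionError("MKR is still inside the lockup duration")
        del self.deposits[owner]
        return amount

    def move_to_esm(self, owner: str) -> int:
        """Allowed at any time, lockup included; the ESM then burns the MKR."""
        return self.deposits.pop(owner)[0]


if __name__ == "__main__":
    # Constructed run: threshold 50,000 MKR, 1 week of cancelling, 1 month lockup.
    d = DssDefender(50_000, 7 * DAY, 30 * DAY)
    d.deposit("alice", 30_000, now=0)
    d.deposit("bob", 20_001, now=DAY)  # total 50,001 > threshold: triggers
    print(d.can_cancel(2 * DAY), d.can_cancel(8 * DAY))  # inside / past the window
```

Because `triggered_at` is latched, a later deposit that pushes the balance over the threshold again does not reopen the cancel window, which matches the requirement that dss-defender be reinitialized by an executive vote.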
## Benefits

Under normal circumstances, there should be little to no MKR deposited into dss-defender. The ability to use this as a stall tactic against normal governance processes is mitigated by the `lockup duration` and the fact that governance is delayed only for the `cancel-spells duration`.

During a governance attack, if MKR in dss-defender exceeds the `threshold amount`, MKR holders get more time to organize and possibly trigger the ESM. Since there is no penalty besides losing access to their MKR for the `lockup duration`, MKR holders may be more willing to take the first step to defend the protocol. In the event that the hat cannot be taken back after the `cancel-spells duration`, it becomes clear to all honest MKR holders that the ESM must be activated.

## Downsides

A malicious minority could block a governance patch fixing some vulnerability using dss-defender to buy themselves more time. It is unclear how high this risk is.

Delegates are unable to use dss-defender. One may wonder if there is a way to allow delegates to interact with dss-defender, albeit with different penalties from those for regular holders. Unfortunately, the `lockup duration` seems incompatible with the principle of liquid delegation.

## Example Scenarios

This section has some examples explaining how various scenarios may play out. This is meant to be illustrative, not exhaustive. We choose some arbitrary parameters here. The `threshold amount` is set to 50,000 MKR, the `cancel-spells duration` is 1 week and the `lockup duration` is 1 month. The final choice of these parameters should be made after more careful analysis.

#### Genuine attack

A malicious entity gains control of the hat and starts passing executives to steal collateral. It becomes clear within 24 hours of the 48-hour GSM Pause Delay period that the hat cannot be regained and the malicious executives cannot be cancelled.
Large MKR holders such as VCs need more time to move their MKR from custodial solutions to help regain the hat.

1. MKR holders start depositing their MKR into dss-defender until it hits 50,000 MKR.
2. The cancellation of all executives begins and the protocol is locked into its current state for 1 week.
3. Large MKR holders are now able to mobilize their MKR to regain control of the hat. They join forces with the MKR already in dss-defender by backing the executive that resets the protocol to the pre-attack state and returns locked up MKR to the owners early.
4. This executive is ready but can only be passed after dss-defender stops cancelling spells. All other malicious executives that have been passed and are in the GSM Pause Delay period get cancelled.
5. After 1 week, the protocol returns to its pre-attack state.

#### Genuine attack - alternative ending

This is the same as the previous scenario except that honest MKR holders do not succeed in retaking the hat.

A malicious entity gains control of the hat and starts passing executives to steal collateral. It becomes clear within 24 hours of the 48-hour GSM Pause Delay period that the hat cannot be regained and the malicious executives cannot be cancelled. Large MKR holders such as VCs cannot move their MKR from custodial solutions to help regain the hat within the `cancel-spells duration`.

1. MKR holders start depositing their MKR into dss-defender until it hits 50,000 MKR.
2. The cancellation of all executives begins and the protocol is locked into its current state for 1 week.
3. After the 1 week period is over, the attacker still holds the hat and starts passing malicious executives again. This is subject to the GSM Pause Delay that starts at the moment the 1 week period is over.
4. All honest MKR holders, including those who deposited their MKR into dss-defender, move their MKR to the ESM.
5. The ESM threshold is reached and the protocol is shut down without loss of collateral.
#### False alarm

A minority of MKR holders believe a recently passed executive is an attack on Maker. They collectively deposit enough MKR to reach the dss-defender threshold.

1. dss-defender is now able to cancel spells for 1 week.
2. During this 1 week period, the remaining MKR holders examine the situation more closely and conclude that the executive is not malicious.
3. The executive is passed again after the 1 week period ends and is now in the GSM Pause Delay period.
4. Remaining MKR holders conclude that although the executive was not malicious, the depositors acted in good faith and return their MKR early via executive vote.

#### Spam attack

A minority of MKR holders use dss-defender to delay an urgent executive. The events are identical to the false alarm scenario except for Step 4.

1. dss-defender is now able to cancel spells for 1 week.
2. During this 1 week period, the remaining MKR holders examine the situation more closely and conclude that the executive is not malicious.
3. The executive is passed again after the 1 week period ends and is now in the GSM Pause Delay period.
4. Remaining MKR holders conclude that the depositors tried to stall governance using dss-defender. The depositors must wait 1 month before they can participate in governance again.

The scenarios above are some of the most likely possibilities to consider when implementing dss-defender. The `threshold amount`, `cancel-spells duration` and `lockup duration` should be chosen with these possibilities in mind.

## Acknowledgements

Many thanks to LongForWisdom, Payton Rose, Patrick J., Joshua Pritkin, Tim Schuppener and the Protocol Engineering team for valuable comments, feedback and ideas.