Moving DEF's assets to an on-chain custodial wallet to bolster security

Hello Uni governance,

The successful governance proposal that funded the DeFi Education Fund (DEF) sent $UNI to a multisignature wallet (DEF.eth) that the DEF’s seven steering committee members control. To enhance the UNI community’s control of the assets, the proposal directed the committee to implement Tally’s open-source product Safeguard (then called Failsafe) when it is ready.

Safeguard would give UNI governance the ability to (i) stop any multisig transaction from taking place, and (ii) request funds sitting in the multisig to be sent back to the Community Treasury. These features would not only enhance the governance community’s oversight of the funds but also significantly bolster the security of the multisig against unauthorized transactions and other risks. Safeguard’s code is currently being audited, and Tally is in the process of building an interface for the product.

In the meantime, the committee proposes to transfer the DEF’s assets from its multisig wallet to a dedicated custodial wallet that can be viewed on-chain. Holding the DEF’s assets at a centralized custodian presents less risk than holding them in a seven person multisig without a product like Safeguard implemented. Because the custodial wallet and its transactions will still be viewable on-chain, moving the Fund’s reserve to a centralized custodian is a win-win at this time. We will continue to pre-announce and explain withdrawals from the custodial account. When moving assets to the centralized custodian, the DEF will incur a fee based on the dollar value of the assets, which is expected to be in the range of 25-50 basis points per year.

We seek the community’s advice and thoughts on this proposal and eventually intend to initiate a snapshot vote with more details based on the discussion.

-Miller

Hi Miller, this seems like a reasonable request but I have some questions.

1. What custodian are you guys planning on using?

2. Will the DEF be onboarding directly with the custodian?

3. Who will have the ability to move coins out of the account?

4. What will the process be (roughly) for moving coins out of the account?

5. What is something that Gnosis and other multisig wallets can learn from DEF’s multisig experience to improve? What was the pain point that drove you guys away from the multisig?

Hi Getty, thanks for the questions.

1. What custodian are you guys planning on using?

We haven’t decided which custodian we would use, but I think the criteria that is most important for DEF will be security, transparency, and cost. Transparency—how the custodial wallet would be visible on chain—is probably the factor with the most variance across custodians. For example, some use omnibus wallets for multiple clients’ assets, some create a new wallet every time a transaction is completed, etc. A dedicated wallet would be an absolute must in order for the DEF’s funds to be viewable/verifiable on chain, and ideally the wallet wouldn’t change every time there was a transaction in and out of the wallet because that would make viewing/verifying the assets a hassle for the community. How the wallet could be used (see point 3) would also be important in order to vindicate the majority requirement of the current multisig.

2. Will the DEF be onboarding directly with the custodian?

Yes. The DEF would own the account in which the DEF’s assets would be stored.

3. Who will have the ability to move coins out of the account?

We would only use a custodian that wouldn’t move any of the assets unless four of the seven committee members validate a transaction. I don’t really think that this requirement would limit the custodian choices because all that I’ve looked into include the ability to restrict the “powers” individuals could exercise over the account/assets. For example, only the seven committee members would have the power to “validate” an outgoing transaction, while a non-committee member could hypothetically have the ability to initiate a transaction that would have to be validated by four of the seven committee members in order to go through.

4. What will the process be (roughly) for moving coins out of the account?

Custodians use a variety of security practices/features, so the specific process would vary depending on the custodian. For example, some use passwords, yubikeys, and video calls to authenticate that individuals attempting to access the account are 1) who they say they are and 2) are “validating” transactions freely and not under duress, etc. Other custodians scrap passwords all together and use biometrics like face scan and voice print in addition to videos to achieve the same objectives. So while the specific process will vary, I think from a process perspective the critical requirement is that four of the seven committee members would have to validate any outgoing transaction before it were completed.

5. What is something that Gnosis and other multisig wallets can learn from DEF’s multisig experience to improve? What was the pain point that drove you guys away from the multisig?

I think in the context of organizations like the DEF, the implementation of something like safeguard or other features that would bolster the security of the assets is the “pain point” if that makes sense. For example, a process to verify that a transaction is not being “signed” under duress (or some “failsafe” feature if one is like the one offered by Safeguard) by a committee member would make a multisig more secure. I also think features that could mitigate the consequences of “black swan” events could help. For example, a catastrophic earthquake in San Francisco or a massive tsunami in Miami might render a lot of crypto multisigs lost, which might be worth preparing for in some way.

-Miller

Hello, I’m a bit confused as to why you’d suggest moving the assets to a custodial wallet when the end-game is to have them back in a multisig secured with SafeGuard. Are you saying that between now and SafeGuard being released, that the existing multisig (which has been in use for months) introduces too much risk? Can you explain what led you to this conclusion and whether there have been any security issues that contributed to it?

I’d be very hesitant to support a move to a custodial wallet with a vague promise that one day, maybe we’ll move back to a multisig if SafeGuard ever sees the light of day. It would be far too easy to stay in custodial wallet permanently if Tally’s project doesn’t go as planned.

Hi Chris,

Thanks for jumping in. In my mind, the guiding principle on the DEF’s custody of its assets should be to hold the assets where ever they are going to be the safest while retaining the same level of transparency offered by a dedicated on-chain wallet like the existing multisig. While there have been no security issues with the multisig to date, I think that a custodial wallet is the safest option currently available for the reasons laid out in the original post and my response to Getty. I agree with your second point, which is why I think the ultimate guiding principle should always be to custody the DEF’s assets wherever the assets are going to be the most secure while retaining that same level of transparency.

Miller

This is something that should have been decided from the initial proposal. Tens of millions of dollars should not be shuffled around like this based on the whims of one person (no disrespect intended). The initial proposal could have easily laid out that funds would be held by a custodian, but it specifically said that funds would remain in a multisig. For that reason, they should not be moved from the multisig unless something has substantially changed with regard to the security of the multisig or the keyholders.

Hi Chris,

I 100% agree with you that this is something that shouldn’t be decided based on the whims of one person, which is why we’re discussing this issue in a governance proposal forum.

I think it’s important to reflect new information and experience in how the DEF operates. Without doubt, the governance proposal envisioned that a multisig with a product like Safeguard implemented would the more efficient and secure option. Based on new information and experience—like the status of safeguard and using a multisig over the last few months—and in parallel, learning about the level of security offered by a custodial wallet, I think that the latter option better fits the DEF’s needs going forward.

Miller

Speaking for Avantgarde Finance, I agree with Chris here. This seems like an arbitrary change in custody protocol without any well-defined upside. What I also find confusing, and frankly a bit worrying, is the implication that the services of a centralized entity are required for the management of this organisation. In my opinion, one of the core messages of the DEF should be how important and powerful self-custody is. The narrative implications of this proposal’s successful execution would undermine that message. Whilst Safeguard would certainly be a really nice addition to the mix, I don’t think we need to go so far as to say that DeFi doesn’t work without it.

Could you please any evidence for this statement, I’ve just checked gnosis safe, it manages over 85 billion dollars, but I do agree its not ideal metric of security, yet a very significant one imo.

Not sure I get the reasoning to move to a centralised solution given that:

1. It will incur additional ~$100,000 annual costs
2. Its centralised (and DEF is DEF not CEF…)
3. Your will no longer own funds (no privKey not ur funds)
4. Centralised is less secure in the events of catastrophic events you’ve outlined
5. It contradicts core values of decentralised finance

But if 4 out 7 owners sign the move, I’m ok since its not decision for me to make. Nor will I be disappointed, considering that DEF have already used centralised solution to trade half of granted UNI for USDC (not DAI?) instead of using Uniswap Protocol pools for some questionable reasons at the expense of LPs and UNI hodlers.

Totally agree here with @eek637, it contradicts ethereum core capability of people controlling their data

On a slight side note both tsunami in Miami and earthquake in SF are “white swan” events if we take that guys terminology, but thats probs due to confusion caused by him dedicating an entire book to explain single concept instead of simple medium post.

Apologies for being maybe too blunt, but it’s just I think for organisations that represent/educate/defend our values it would be a requirement to also share them. I appreciate you coming here and see this proposal discussion as genial attempt to gather community feedback, but at this point the reasons that have been outlined in post and answers provided make this temporary moves look unjustified and even harmful, but I might not have all the information, nor knowledge in fields touched here.

P.S I acknowledge your work and am exited where you guys are going with publishing budget estimates and grant programs itself, would love to help to bring awareness to what you guys are doing, feel free whenever you have any updates/messages/etc to drop them to uniletters box

Can we consider this issue resolved? Or is there still a plan to move forward?

Hi all,

Thanks for your thoughts and thanks for your patience. Chris, re your question, it’s not resolved yet because the community hasn’t voted on the question. I’ll put together a snap shot and post the link to this thread and on twitter.

I agree that keeping the DEF’s assets in a secure multisig would be the most ideal outcome, but I don’t think that’s the case right now (which I appreciate is debatable and a judgement call). On net, Im not really worried that moving to a custodial wallet would undermine the DEF’s goals and mission. The gun lobby is extraordinarily effective, yet I’ve never seen an NRA lobbyist carrying a rifle around DC (and if a policymaker chirps the DEF for using a custodial wallet instead of a multisig wallet, that’ll be a highly educated policymaker).

Appreciate everyone’s patience and will be back with the link as soon as it’s set up.

Miller

You have not addressed the issues at hand.

This proposal was approved based on the fact that funds would be held in a multisig.

You haven’t given one substantial reason for this move other than alluding to some vague security concerns.

You need to be more specific about why you want to move the funds from the multisig to a centralized custodian.

Was there some sort of security issue that you’re not revealing?

Also… you mentioned on Twitter that you’re taking 1k UNI from the budget to use to launch a governance proposal. The DEF proposal never mentioned anything about DEF using the UNI to vote. It was strictly for funding lobbying efforts. I call on you now to stop using this UNI for any sort of protocol governance influence.

Hi Chris,

DEF is not going to vote on the temperature check. Like the tweet says, DEF is going to initiate a temperature check so that the community can give their input on this question.

Re your question:

Thanks again,

Miller

If Miller wants to initiate a temperature check, let him. As long as the DEF doesnt push it through unilaterally, its fair game.

Afterall, Miller wants to hear your voice with your vote on the temperature check. Why be mad about it? Its a good thing.

Hello all,

Here is the link to the temp check Snapshot. Also, thank you for participating in this thread discussing this idea.

Miller

Are you familiar with how DEF was created? It was created via a unilateral decision by Uniswap, a16z and their delegates. If they want to push a vote through, they’ll push it through. Once these issues go to an actual vote, it’s often too late.

I am very familiar with how the DEF was created. The truth is: nobody in here is able to stop them from passing it on their own if they want to. This way you can tell whether its yet another charade or whether Miller means it sincerely.

Lol @ the NRA reference but I think that’s a false equivalence. You can imagine a policymaker asking an NRA lobbyist why they don’t use the tools they’re advocating for and the lobbyist responding, “because it’s my job to advocate for responsible gun owners and responsible gun owners don’t threaten violence to get their way”. You can then imagine that same (highly educated) policymaker asking you why you don’t use the tools you’re advocating for and from what I’ve seen in this thread, your only answer would be “because they’re not safe enough”.

Hey eek, glad you like it lol. Using your example, I think the policymaker would then respond, “so anyone carrying a gun is threatening violence?”

Turning to self-custody, I don’t think the answer is “they’re not safe enough.” I think the answer is that individuals’ right to self-custody is essential to protecting citizens’ liberties and foundational to the future of free societies in the digital age. While protecting the right to self-custody is absolutely critical, custodians can also be useful for certain purposes, especially for individuals who are responsible for overseeing an organization’s assets as opposed to their own assets.

Miller

ha well this probably isn’t the place to debate a now fully-stretched metaphor, but yea i think that in the case where someone’s being paid to advocate for a cause, carrying a weapon while doing so probably at least implies violence.

ANYWAY so as not to get derailed, I still think the optics of this move are not great. In the seemingly inevitable circumstance where it’s passed, it would be nice to have some sort of guidelines for what kind of tooling you need to move back to a decentralized option.