Comments (4)
what other damage can governance do
As I hinted in my previous post, if you don't trust Yearn's governance, you should not trust Yearn's vaults either. Our vaults are fully managed by Yearn's governance system; you can propose a modification to those processes in the forum.
from yearn-protocol.
@toonsevrin thanks for the question, and your patience while we got back to you. We got a bit side-tracked dealing with last week's incident.
Yearn as a protocol hinges on the critical assumption that governance (right now set to mu-sig) is honest. A compromised governance can cause far more damage than setting a vault strategy to something malicious, so this particular concern is seen as a lesser security risk, if that makes sense.
Instead, priority is given to the ability to rapidly update and iterate on live strategies. Both so as not to advertise new investment strategies 7 days in advance, but also in order to rapidly improve our existing ones without interruption or seeing week-long downtimes whenever there's a bug or security vulnerability that needs to be fixed.
Does that answer your question?
from yearn-protocol.
Thank you for the elaborate answer.
You talk about this being a minor risk compared to others. For my interests (depositing EUR in the EURcrv vault), what other damage can governance do than change the strategy? This felt like the only governance risk I am assuming.
I understand how advertising new strategies can be bad. This is a correct concern, a timelock of 12h (a la harvest.finance) should be sufficient so the second concern (week-long downtime) is less problematic.
So essentially the tradeoff is between:
PRO: Advanced users (larger funds) can put event listeners and completely mitigate this black-swan event
CON: Strategy is advertised 12 hours prior to deployment
Is it worth it?
Alternative
I'd like to propose another concept that changes the trade-off. Instead of using time, we advanced users can opt out of strategy upgrades (our funds will just sit idle in a vault as soon as the strategy is decommissioned).
There are many ways of implementing this: The costs are now shifted to development cost (because you need to rewrite the vault code) and maybe extra gas fees. I guess it really comes down to how much % of the assets would care about something like this.
I'd love to hear your thoughts on this.
from yearn-protocol.
Closing due to inactivity
from yearn-protocol.
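The timelock trade-off discussed in this thread, as an added example that is not part of the original comments and not Yearn's contract code: a Python model of a vault whose strategy change must be queued 12 hours ahead, plus a depositor-side listener that exits when an unapproved strategy is queued. All class, function, event and strategy names are hypothetical; only the 12-hour delay comes from the thread.

```python
from dataclasses import dataclass, field

TIMELOCK_SECONDS = 12 * 60 * 60  # the 12h delay suggested in the thread


class TimelockError(Exception):
    pass


@dataclass
class TimelockedVault:
    """Toy model: a strategy change is queued, then waits out a delay."""
    strategy: str
    balances: dict = field(default_factory=dict)
    pending: tuple = None  # (new_strategy, eta) or None
    events: list = field(default_factory=list)  # stands in for on-chain logs

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount

    def withdraw(self, user):
        return self.balances.pop(user, 0)

    def queue_strategy(self, new_strategy, now):
        eta = now + TIMELOCK_SECONDS
        self.pending = (new_strategy, eta)
        self.events.append(("StrategyQueued", new_strategy, eta))
        return eta

    def execute_strategy(self, now):
        if self.pending is None:
            raise TimelockError("nothing queued")
        new_strategy, eta = self.pending
        if now < eta:
            raise TimelockError("timelock has not expired")
        self.strategy, self.pending = new_strategy, None
        self.events.append(("StrategyExecuted", new_strategy, now))

    def exposed_to(self, strategy):
        """Funds currently managed by `strategy`."""
        return sum(self.balances.values()) if self.strategy == strategy else 0


def watcher_exit(vault, user, allowlist, seen=0):
    """Depositor-side listener: withdraw if an unapproved strategy is queued."""
    for name, strategy, _ in vault.events[seen:]:
        if name == "StrategyQueued" and strategy not in allowlist:
            return vault.withdraw(user)
    return 0
```

The same queued event that lets a monitoring depositor leave is what advertises the new strategy ahead of deployment, which is the cost weighed in the thread.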