|
| 1 | + |
| 2 | +# LivenessModule V2 |
| 3 | + |
| 4 | +## Context and Problem Statement |
| 5 | + |
| 6 | +<!-- The Context and Problem Statement section is one of the most critical parts of the design |
| 7 | +document process. Use this section to clearly highlight the background context for the problem, |
| 8 | +the specific issues being faced by customers, and any constraints on a solution as defined either |
| 9 | +by customers or by technical limitations. Context and Problem Statement is an opportunity to tell |
| 10 | +the story that helps to motivate the rest of the design document. --> |
| 11 | + |
| 12 | +[Safe Accounts](https://safe.global) are configured as a set of owner addresses where some |
| 13 | +threshold of addresses can sign and ultimately execute a transaction through the account. We must |
| 14 | +solve for two safety cases, first that a threshold of signers do not maliciously execute a |
| 15 | +transaction (safety failure) and second that a blocking minority of signers |
| 16 | +(`total - threshold + 1`) don't become unable to sign (liveness failure). Either case can be |
| 17 | +equally catastrophic but we tend to focus on the safety failure case. Here we attempt to produce a |
| 18 | +solution for the liveness failure case that fits within certain constraints. |
| 19 | + |
| 20 | +We define multisig liveness as the ability for the multisig to reach consensus and execute a |
| 21 | +transaction within a bounded amount of time. Note that a multisig does not need to reach consensus |
| 22 | +over every possible transaction (because the members have the ability to reject transactions as |
| 23 | +needed). We instead say that a multisig is live as long as it is able to reach consensus over a |
| 24 | +transaction that states "this multisig is live". |
| 25 | + |
| 26 | +At a high level, a multisig fails to be live if at least a blocking minority of signers prevents |
| 27 | +the multisig from being able to reach consensus. This can happen if signers are honest but unable |
| 28 | +to sign (e.g., keys are lost) or if signers are malicious and refuse to sign. We must address both |
| 29 | +problems if we want to avoid multisig liveness failures. The existing `LivenessGuard` is |
| 30 | +insufficient in this regard because it does not handle malicious signers. |
| 31 | + |
| 32 | +Any system to address the above must also scale sufficiently such that a signer is not |
| 33 | +unnecessarily burdened by the liveness mechanism (this is a product constraint). The |
| 34 | +`LivenessGuard` is also insufficient here because it does not scale across multiple chains and it |
| 35 | +demands signatures on a regular basis (as opposed to only demanding signatures as needed). |
| 36 | + |
| 37 | +## Customer Description |
| 38 | + |
| 39 | +<!-- Provide a brief summary of the customers for this design document. --> |
| 40 | + |
| 41 | +The customers for this design doc are any participants in the multisig accounts that would utilize |
| 42 | +this module, as well as any 3rd parties who rely on the security properties of these accounts. |
| 43 | + |
| 44 | +### Customer Reviewers |
| 45 | + |
| 46 | +<!-- Identify at least one customer who should be involved in the review of this document. --> |
| 47 | + |
| 48 | +- Coinbase (potentially impacted 3rd party) |
| 49 | +- Uniswap (`LivenessModule` user) |
| 50 | +- Security Council (`LivenessModule` user) |
| 51 | +- Optimism Foundation |
| 52 | + |
| 53 | +## Requirements and Constraints |
| 54 | + |
| 55 | +<!-- Identify the solution requirements and any additional design constraints from the Context and |
| 56 | +Problem Statement section in a bulleted list. --> |
| 57 | + |
| 58 | +- Solve both the owner liveness and account liveness problems *securely*. |
| 59 | +- Keep code as minimal as possible to avoid complex logic in Safe modules. |
| 60 | +- Reduce mental overhead for Safe owners and multisig leads. |
| 61 | + |
| 62 | +## Proposed Solution |
| 63 | + |
| 64 | +<!-- Explain the solution that you believe best addresses the problem described above. --> |
| 65 | + |
| 66 | +We propose the introduction of a new module, `LivenessModuleV2` (name is unimportant) to replace |
| 67 | +the existing `LivenessGuard`/`LivenessModule`. `LivenessModuleV2` would employ a challenge/response |
| 68 | +mechanism as an alternative to the existing poke mechanism inside of `LivenessGuard`. |
| 69 | + |
| 70 | +### Singleton |
| 71 | + |
| 72 | +`LivenessModuleV2` is a singleton that exists at a known address on all chains and has no |
| 73 | +constructor parameters. Any Safe on any network can choose to configure the module and then enable |
| 74 | +the module within the Safe. |
| 75 | + |
| 76 | +If possible, this module should be integrated with all other safe modules and guards in a single |
| 77 | +contract that is enabled and configured in all Optimism Safes. |
| 78 | + |
| 79 | +### Configuration |
| 80 | + |
| 81 | +A Safe configures the module by setting a challenge period and a fallback owner. |
| 82 | + |
| 83 | +### Challenge Protocol |
| 84 | + |
| 85 | +The fallback owner may trigger an Account Liveness Challenge by targeting a specific Safe address. |
| 86 | +In response to this challenge, a threshold of owners (same threshold as the Safe itself) must |
| 87 | +execute a regular transaction that confirms the liveness of the safe. If the Safe fails to execute |
| 88 | +this transaction, all owners are removed from the Safe and ownership is transferred to the fallback |
| 89 | +account. If the Safe successfully executes the transaction, the challenge fails and nothing happens. |
| 90 | + |
| 91 | +The Account Liveness Challenge addresses both of the ways in which a Safe can fail to be live. If |
| 92 | +sufficiently many honest users cannot sign that the account cannot reach a threshold, the account |
| 93 | +falls back to the fallback owner. If sufficiently many users are malicious that the account cannot |
| 94 | +reach a threshold, the honest users can refuse to sign and force a fallback. |
| 95 | + |
| 96 | +## Alternatives Considered |
| 97 | + |
| 98 | +<!-- Describe any alternatives that were considered during the development of this design. Explain |
| 99 | +why the alternative designs were ultimately not chosen and where they failed to meet the product |
| 100 | +requirements. --> |
| 101 | + |
| 102 | +### Owner Liveness Challenge |
| 103 | + |
| 104 | +We previously considered a model that would allow users to challenge either the entire Safe (as |
| 105 | +happens in the Account Liveness Challenge) or an individual owner (i.e., an Owner Liveness |
| 106 | +Challenge). An Owner Liveness Challenge would be more similar to the behavior of the existing |
| 107 | +`LivenessModule`, where a user could target a specific owner and require that owner respond or be |
| 108 | +removed from the Safe. |
| 109 | + |
| 110 | +The Owner Liveness Challenge faces a number of problems: |
| 111 | + |
| 112 | +- It creates a second challenge path. |
| 113 | +- It only solves the honest user case, whereas the Account Liveness Challenge solves both cases. |
| 114 | +- It requires that the Safe configure various new parameters like minimum owner count and threshold |
| 115 | + percentage which creates more surface area for potential issues. |
| 116 | + |
| 117 | +Additionally, in most cases, the Owner Liveness Challenge would be unused because the Safe would |
| 118 | +prefer to simply remove an owner that is unable to sign. |
| 119 | + |
| 120 | +## Risks and Uncertainties |
| 121 | + |
| 122 | +<!-- Explain any risks and uncertainties that this design includes. Highlight aspects of the design |
| 123 | +that remain unclear and any potential issues we may face down the line. --> |
| 124 | +### Malicious Fallback |
| 125 | +While the fallback owner is chosen as a trusted actor, it can always happen that they are |
| 126 | +eventually compromised. In that case, they might issue a liveness challenge and if unnoticed |
| 127 | +gain control of the multisig enabling the LivenessModule. |
| 128 | + |
| 129 | +To mitigate this, we will require monitoring that will alert us of unexpected liveness challenges. |
| 130 | + |
| 131 | +### Blocking Minority is Below Quorum |
| 132 | +In order for the module to be effective for the stated scenario, a multisig must require at least a simple majority (defined as `threshold > (total + 1 )/ 2`) as quorum, otherwise malicious actors will reach quorum before reaching a blocking minority. |
| 133 | + |
| 134 | +Instead of implementing a module that would address this scenario, we accept that this module |
| 135 | +is intended for multisigs where the quorum is greater than a simple majority. |
| 136 | + |
| 137 | +### Fallback Ownership |
| 138 | + |
| 139 | +Both the existing `LivenessModule` and this updated iteration rely on fallback ownership. In the |
| 140 | +case that the challenge fails, ownership of the account must be transferred to some fallback |
| 141 | +address. We believe this is acceptable and reasonable. Most multisig accounts can simply name the |
| 142 | +Optimism Foundation multisig as a fallback, and the Optimism Foundation multisig can name the |
| 143 | +Security Council as a fallback. |
| 144 | + |
| 145 | +One open question is what the Security Council should set as a fallback. We'd likely want this to |
| 146 | +be another multisig operated by an independent and well-trusted entity. |
| 147 | + |
| 148 | +### Blunt Instrument |
| 149 | + |
| 150 | +It should be noted that the updated `LivenessModule` is more of a blunt instrument than the |
| 151 | +existing module. We no longer have the ability to remove specific owners, we instead trigger a |
| 152 | +fallback immediately if a threshold cannot be reached. This is less surgical, but we believe it is |
| 153 | +equally effective and ultimately safer/simpler than the existing module because users don't need to |
| 154 | +account for as many parameters. |
0 commit comments