The Tally Newsletter, Issue 53

November 29, 2021

Nov 29, 2021

Welcome back for issue 53 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen.

In this issue, we catch up on the latest news from this past Thanksgiving holiday week:

Celo Loses Control over Optics Bridge
Compound Narrowly Rejects Long Term Auditing Contract
ConstitutionDAO Soars Despite Auction Loss

Plus quick ecosystem updates!

Optics Bridge Faces Hostile Takeover

TL;DR: cLabs, the development company behind Celo, temporarily lost control of the Optics bridge contract to undisclosed parties.

Over the past week, an issue with Celo’s Optics bridge has kept users on edge. While no funds were lost, this incident presents a cautionary example of inadequate bridge governance that applies to both L1 and L2 platforms. Here’s what we know so far.

cLabs @cLabs

We recently discovered an issue with Optics beta and our team is actively working to resolve it. Neither the Celo network or the Celo Reserve are impacted. Please find the full statement here:

forum.celo.orgOptics Recovery ModeI just posted this announcement in the Optics Discord server, and cross-posting here: We recently discovered an issue with Optics beta and our team is actively working to resolve it. Here is what we know: Despite no known vulnerability, and without alerting the community, someone unilaterally activ…

At the beginning of last week, cLabs released an announcement that “recovery mode” had been activated inadvertently. While this seems innocuous enough, this mechanism gives control over bridge upgrades to a recovery manager, potentially allowing for user funds to be stolen in a worst case scenario. Details from the Celo forum are shared below.

Source: Celo Forum

This exposed several deficiencies in the way the bridge was initially set up, including lack of clarity on the owner of the recovery manager address and incorrect timelock configuration. All of this left the bridge vulnerable to sudden compromise.

cLabs’ response was somewhat baffling, as despite losing control of bridge upgrades they claimed that funds were not at immediate risk. This indicates they may have info about the recovery manager owner that they haven’t shared yet. But on the other hand, James Prestwich denied cLabs’ initial suggestions that he was responsible for the takeover.

James Prestwich @_prestwich

I have never been a keyholder on Optics recovery mode I am disappointed that cLabs and Celo have chosen to bring their bullying into public spaces, and that they chose to lie about me to attack my reputation On the advice of my lawyer, I have nothing else to say right now

With community confidence in the bridge declining, the cLabs team quickly changed course and recommended a redeployment and migration of funds to a new, properly configured Optics bridge instance. But in a strange twist of fate, Optics was recently moved out of recovery mode with ownership transferred to the multisig set up to manage the new Optics v2 deployment. An initial report claims the same reassignments have taken place for the Celo and Polygon deployments, meaning that funds are now finally safe after a week at risk.

This situation has resolved favorably, but there are some clear takeaways for users and bridge platforms. Checking bridge configuration before public launch could have identified Optics bridge’s admin ownership and timelock deficiencies. And most cross chain and L1>L2 bridges are essentially governed by multisigs, so users should expect better risk management and disclosures from development teams, contrasting with the several weeks delay between cLab’s discovery of the Optics issue and public disclosure.

Compound Narrowly Rejects Auditing Contract

TL;DR: OpenZeppelin and Trail of Bits went toe to toe over a lucrative Compound auditing contract, with ToB’s last minute engagement leading to a longer contract review period.

While there has been a pickup in DAO merger activity recently, we’re now beginning to see the first signs of an emerging DAO contracting industry. Engaging with service providers allows decentralized orgs to get the benefits of deep experience and centralized management, but also poses challenges in contract negotiation as we’ve seen this past week in the Compound community.

Larry Sukernik of Reverie recently helped guide a proposal for OpenZeppelin to provide continuous auditing services to the Compound community. With the recent loss of treasury funds from a bug in Compound proposal 62, technical audits have become a critical need for the community.

OZ was the first firm to propose services to Compound in proposal 70, but competitor Trail of Bits joined to compete for the contract with a last minute outreach on Twitter and the Comp.xyz discussion forum.

Scott Sunarto 🐉 @smsunarto

You might have came across OZ's proposal for $4m (+ tentative $4m performance fee) for ongoing audit of Compound. I'm excited for a transparent and competitive B2DAO procurement; I'm glad to announce that @trailofbits is working on a proposal too! compound.finance/governance/pro… [1/4]

compound.financeCompoundCompound is an algorithmic, autonomous interest rate protocol built for developers, to unlock a universe of open financial applications.

ToB’s Scott Sunarto raised some important points that draw from experience in government contracting: healthy procurement mechanisms should be competitive and as open as possible. This helps contain costs and maintain quality for DAO clients, while also reducing risk of self dealing from those arranging bids.

Source: Compound Dashboard

OpenZeppelin’s initial bid for the contract was rejected to allow Trail of Bits more time to bring forward a full offer for community review. So over the coming weeks we should witness one of the first competitive contracting processes in the DAO space.

ConstitutionDAO Faces Wild Week After Losing Auction

TL;DR: The project struggled with messaging around refunds, and was then overtaken by huge hype as the token traded above redemption value.

ContitutionDAO formed in a matter of days to place a group bid on one of the original copies of the US constitution. They ended up getting outbid by Ken Griffin, owner of market making firm Citadel Securities who gained notoriety during the meme stock trading frenzy earlier this year for forcing Robinhood to halt certain retail trading. But despite this setback, ConstitutionDAO demonstrated the power of a new type of decentralized organization - the acquisition DAO.

Acquisition DAOs allow large groups of users to pool their resources for greater financial impact. This concept was demonstrated by PartyDAO’s NFT bid platform, allowing retail users to purchase several high end cryptopunks. ConstitutionDAO took this a step further by targeting a real world object with a huge expected valuation.

While the DAO was able to raise over $40 million in a matter of days, the way the DAO and off chain process were linked was somewhat tenuous. Contributing funds granted governance rights over how the constitution would be used and displayed, but not ownership (this was meant to avoid securities regulations about fundraising).

rng.eth @galaxyRTK

The @stratechery episode on @ConstitutionDAO hit on an issue I have with all party DAOs issuing governance tokens raising money “as if” they were fractional ownership but by their own terms aren’t - not clear how/when/whether proceeds will be distributed, if they even can be

This part of the DAO mechanism was never tested because they lost the bid. Acquisition DAOs may face similar difficulties in the future because their maximum spending capacity is known beforehand through on-chain records. ConstitutionDAO also struggled to organize contributor refunds, with a lack of pre-existing operational examples leading to mixed messaging.

ConstitutionDAO (📜, 📜) @ConstitutionDAO

Of course, we know and respect some of y'all were here just for the Constitution. We'll take a snapshot of everyone's $PEOPLE balance (claimed/unclaimed) in ~24h (block 13656500). Over the next week, we'll set up a website where you can get your ETH back at the original rate.

ConstitutionDAO (📜, 📜) @ConstitutionDAO

Hi everyone! We know you've been awaiting further news about the refund, and we're ready to go live with it now 😌 We plan to issue refunds through the same Juicebox mechanism by which donations were originally collected.

But in the end, the auction loss to the villain from this year’s meme stock story may have raised the project’s profile. ConstitutionDAO’s PEOPLE governance token inexplicably began trading at a premium of 20 times or more above the ETH redemption value, and was listed on several centralized exchanges.

Given the huge attention this project has gained in the past two weeks, additional acquisition DAO’s targeting real world purchases seem inevitable. But the governance and on/off-chain coordination challenges remain untested, at least until one of these organizations succeeds in acquiring their target asset.