As a developer and product owner,
I’d like to know the risks of using GSN. Specifically, I’m curious:
- Is the GSN codebase final?
  I know, I know, the software code is never final. But from a security standpoint, I'd need to know how this risk is mitigated for dapp owners. Can we safely implement GSN into contracts at this moment?
  What is the current plan and status for GSN? Is it production ready? Is it still in development?
- What if something changes? Will all relayers switch to the new code, or will some relayers still support the old codebase version?
- How can Dapp owners be notified about security issues before the public news?
Hi @rstormsf,
It depends on your use case. 
The upgrade mechanism for smart contracts can be controlled by any type of governance, be it a multi-sig wallet, a simple address or a complex DAO.
Example using a multi-sig:
https://docs.openzeppelin.com/sdk/2.5/upgrades-governance
Right, I'd have the headache of creating a DAO, figuring out how to run a DAO, issuing some sort of DAO token, etc., etc.
A multi-sig might suffice for governance depending on who the signatories are.
It also depends on your use case and how you would handle the need to update functionality if required.
The deployed RelayHub has been through several audits by several different people, so I'd say it's pretty secure, and unlikely that a problem will be found. There's plenty of room for improvement, though (for example in terms of efficiency), so there might be a version 2 of RelayHub at some point. In that scenario, there will probably still be relayers for version 1, as long as there are contracts willing to pay for the relaying service.
We have not yet thought about ways of disclosing security issues.