Should pause actions on a smart contract only require a single signature?

Please share reasons, experiences, and intuitions.

One of my teammates proposed that the pause emergency action of a contract should be controlled by a multisig with a threshold of 1 of N, meaning a single person can pause the protocol, which is in line with the quick response that an emergency situation requires.

:warning: This is risky because pausing the protocol is not a harmless action. At the very least it could cause annoying denials of service. For smarter adversaries it could be precisely timed to severely harm a specific party.

My intuition goes against this. I think the pause action should be controlled by a 2 of N multisig, with two of the signers always on call to react quickly.

We asked the community and it was not what I expected. But I take it, this is a faster-paced ecosystem, and sometimes even a few extra seconds can be disastrous.

Still, I would like to hear more reasons, experiences, and intuitions. Further than a yes or no question, what do you folks think?

We are collecting this information as part of Defender Advisor, a knowledge database with curated information coming from us, our clients and the greater community, to help us build a safer, healthier, more peaceful and enjoyable crypto ecosystem. Sign up and take a look! Then let's make it grow together :slight_smile:

How about a model where a combination of the protocol team and some community-elected members have the power to pause, thus keeping a balance of decentralization without compromising security.

This also means that these members, let's call it the pauserList, also have the power to resume things, but that can require at least 2 of N signatures.

Thus, if there is trouble, anyone can pause it.

And if one of the members goes rogue, the other elected member can still resume things.

Just my 2 cents :yum:
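The split model above (anyone on the pauserList can pause, at least 2 of N to resume), together with the 1-of-N versus 2-of-N question from the opening post, as an added Solidity sketch that is not part of this thread or of any OpenZeppelin library; the contract name, the fixed unpause threshold of 2 and the per-pause epoch counter are my own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Asymmetric thresholds: any single pauser can pause (fast emergency
/// response), but unpausing needs UNPAUSE_THRESHOLD distinct approvals.
contract ThresholdPausable {
    uint256 public constant UNPAUSE_THRESHOLD = 2;
    mapping(address => bool) public isPauser;   // the "pauserList"
    bool public paused;
    // Every pause opens a new epoch so approvals collected for an earlier
    // pause cannot be reused to lift a later one.
    uint256 public pauseEpoch;
    mapping(uint256 => mapping(address => bool)) private hasApproved;
    mapping(uint256 => uint256) private approvalCount;

    event Paused(address indexed by, uint256 epoch);
    event UnpauseApproved(address indexed by, uint256 epoch, uint256 count);
    event Unpaused(uint256 epoch);

    modifier onlyPauser() { require(isPauser[msg.sender], "not a pauser"); _; }
    modifier whenNotPaused() { require(!paused, "protocol is paused"); _; }
    constructor(address[] memory pausers) {
        require(pausers.length >= UNPAUSE_THRESHOLD, "too few pausers");
        for (uint256 i = 0; i < pausers.length; i++) {
            require(!isPauser[pausers[i]], "duplicate pauser");
            isPauser[pausers[i]] = true;
        }
    }

    /// 1-of-N: one on-call signer is enough to halt the protocol.
    function pause() external onlyPauser whenNotPaused {
        paused = true;
        pauseEpoch += 1;
        emit Paused(msg.sender, pauseEpoch);
    }

    /// 2-of-N: each pauser approves once per epoch; the unpause executes
    /// in the transaction that reaches the threshold.
    function approveUnpause() external onlyPauser {
        require(paused, "not paused");
        uint256 epoch = pauseEpoch;
        require(!hasApproved[epoch][msg.sender], "already approved");
        hasApproved[epoch][msg.sender] = true;
        uint256 count = ++approvalCount[epoch];
        emit UnpauseApproved(msg.sender, epoch, count);
        if (count >= UNPAUSE_THRESHOLD) {
            paused = false;
            emit Unpaused(epoch);
        }
    }
}
```

Note that the asymmetric thresholds do not stop a compromised or rogue pauser from pausing again right after an unpause, which is exactly the denial-of-service risk raised in the opening post; the pauser set therefore still needs a governed path for removing a member.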


Welcome to the community :wave: @remedcu
I really like the idea of including community members in admin action multisigs, especially for unpause.

I have come around to the idea that pause actions should require M >= 2.
I am concerned that M = 1 isn't secure enough, and that an attacker could maliciously use a pause, even for a brief period until the contract could be unpaused.

If we use M >= 2 then we need owners to be able to approve and execute easily from anywhere, anytime.