Should pause actions on a smart contract only require a single signature?

Please share reasons, experiences, and intuitions.

One of my teammates proposed that the emergency pause action of a contract should be controlled by a multisig with a threshold of 1 of N, meaning a single person can pause the protocol, which is in line with the quick response that an emergency situation requires.

:warning: This is risky because pausing the protocol is not a harmless action. At the very least it could cause annoying denials of service. For smarter adversaries it could be precisely timed to severely harm a specific party.

My intuition goes against this. I think the pause action should be controlled by a 2 of N multisig, with two of the signers always on call to react quickly.

We asked the community and it was not what I expected. But I take it, this is a faster-paced ecosystem, and sometimes even a few extra seconds can be disastrous.

Still, I would like to hear more reasons, experiences, and intuitions. Further than a yes or no question, what do you folks think?

We are collecting this information as part of Defender Advisor, a knowledge database with curated information coming from us, our clients and the greater community, to help us build a safer, healthier, more peaceful and enjoyable crypto ecosystem. Sign up and take a look! Then let's make it grow together :slight_smile:

1 Like

How about a model where a combination of the protocol team and some community-elected members have the power to pause, thus keeping a balance of decentralization without compromising security?

This also means that these members, let's call them the pauserList, have the power to resume things as well, but that can require at least 2 of N signatures.

Thus, if there is trouble, anyone can pause it.

And if one of the members goes rogue, the other elected member can still resume things.

Just my 2 cents :yum:


Welcome to the community :wave: @remedcu
I really like the idea of including community members in admin action multisigs, especially for unpause.

I have come around to the idea that pause actions should require M >= 2.
I am concerned that M = 1 isn't secure enough, and that an attacker could maliciously use a pause, even for a brief period until the contract could be unpaused.

If we use M >= 2 then we need owners to be able to approve and execute easily from anywhere, anytime.

1 Like
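To make the two designs discussed above concrete (@remedcu's split where any listed pauser can pause but resuming needs a separate, stricter set of signers, and @abcoathup's point that the pause itself should require M >= 2), here is an added illustrative contract that is not part of this thread and not OpenZeppelin code. It enforces an M-of-N pause on-chain rather than in an external multisig: `pauseThreshold` distinct pausers must each call `approvePause()` within one approval window; `unpauseAdmin`, assumed to be a multisig with its own (higher) threshold, is the only address that can resume. All names and parameters are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not from the thread, not OpenZeppelin code): an on-chain
/// M-of-N emergency pause. With pauseThreshold = 1 this degenerates to the
/// single-signer pause proposed in the opening post; with 2 it is the 2-of-N
/// pause that the thread converges on. Unpausing is reserved for a separate
/// admin address, expected to be a multisig with a higher threshold.
contract ThresholdPausable {
    event PauseApproved(address indexed pauser, uint256 indexed round, uint256 approvals);
    event Paused(uint256 indexed round);
    event Unpaused(uint256 indexed round);

    address public immutable unpauseAdmin;    // assumed: a 2-of-N (or stricter) multisig
    uint256 public immutable pauseThreshold;  // M: how many distinct pausers must agree
    uint256 public immutable approvalWindow;  // seconds an approval stays valid

    mapping(address => bool) public isPauser; // the N on-call pausers
    bool public paused;

    // Approvals are scoped to a round; the round is bumped on unpause and on
    // window expiry so a lone stale approval can never lower the effective threshold.
    uint256 public round;
    uint256 public approvals;
    uint256 public roundOpenedAt;
    mapping(uint256 => mapping(address => bool)) private approvedInRound;

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor(address[] memory pausers, uint256 threshold, uint256 window, address admin) {
        require(admin != address(0), "admin=0");
        require(threshold >= 1 && threshold <= pausers.length, "bad threshold");
        for (uint256 i = 0; i < pausers.length; i++) {
            require(pausers[i] != address(0) && !isPauser[pausers[i]], "bad pauser");
            isPauser[pausers[i]] = true;
        }
        pauseThreshold = threshold;
        approvalWindow = window;
        unpauseAdmin = admin;
    }

    /// Each on-call pauser calls this; the call that reaches the threshold pauses.
    function approvePause() external whenNotPaused {
        require(isPauser[msg.sender], "not pauser");

        // Discard approvals older than the window: an old vote from one pauser
        // must not turn a later single approval into an effective 1-of-N pause.
        if (approvals > 0 && block.timestamp > roundOpenedAt + approvalWindow) {
            round += 1;
            approvals = 0;
        }
        if (approvals == 0) {
            roundOpenedAt = block.timestamp;
        }

        require(!approvedInRound[round][msg.sender], "already approved"); // one vote per pauser
        approvedInRound[round][msg.sender] = true;
        approvals += 1;
        emit PauseApproved(msg.sender, round, approvals);

        if (approvals >= pauseThreshold) {
            paused = true;
            emit Paused(round);
        }
    }

    /// Resuming is the deliberate action: only the separate admin (multisig) may
    /// call it, and it opens a fresh round so earlier pause approvals are dropped.
    function unpause() external {
        require(msg.sender == unpauseAdmin, "not unpause admin");
        require(paused, "not paused");
        paused = false;
        round += 1;
        approvals = 0;
        emit Unpaused(round);
    }

    // --- Example protected functionality ---
    mapping(address => uint256) public balances;

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two design points worth noting. The approval window is what keeps M honest: without it, one pauser could leave an approval sitting for months and any later single approval would pause the protocol, which is exactly the 1-of-N risk the thread warns about. And keeping `unpause` on a separate address means the composition of the pauser set (fast, possibly including community members) can differ from the composition of the resume multisig (slower, more deliberate), which is @remedcu's pauserList idea expressed in code.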

I’m happy you are convinced @abcoathup! That’s my feeling too. Let’s see if we can get more people supporting the 2-signature-pause :slight_smile:

1 Like

Thanks for your comment @remedcu! <3

We were discussing the composition of multisigs and we commonly saw corporate stakeholders but not community representatives. I think that would be a very nice addition, but I'm thinking that kind of council should be for actions that require deliberation and more than 5 owners in the multisig.

This is an interesting topic to explore. Does anybody know of a multisig out there with community representatives?

1 Like

Hi @elopio,

The Graph Council is a 6 of 10 multisig with five stakeholder groups represented: