AGP-18 Discussion: Security and Decentralized Governance

Hi everyone, I’m Jack from Authio.

Authio has submitted a proposal to engage the Aragon Network as security partner (per the AA wishlist) under AGP-18 which will be on the ballot for Vote #1 on January 24th.

We will be hosting an AMA call on January 19th at 15:00 UTC where ANT voters or anyone else are invited to ask us questions. We will post details to join the call on Twitter and aragon.chat. Hope to see you there!

UPDATE: Listen to the call recording (linked further down in this thread).

The following post is intended to inform the Aragon community about some aspects of the philosophy and approach we think is needed to secure application-based decentralized organizations like the Aragon Network.

Narrowing the Scope of Responsibility

The role of a security auditor is not only to prevent the exploitation of technical vulnerabilities in a given application.

The role of an auditor should also be to ensure a given application behaves in alignment with canonical commitments made to users by the project team regarding intended product behavior.

In other words, does a given application actually do what the people who wrote it say?

Does it work how they say? Will its behavior reasonably satisfy what users have been led to expect?

If properly signaled, the results of an audit can educate users about the content of smart contracts they may interact with and enable them to screen adverse selection when they otherwise could not.

Or better yet, if users demand misalignments be signaled by auditors, some malicious or incompetent actors will screen themselves out of dapp development altogether.

Unfortunately, users have no way to collectively represent themselves to participate in commerce with an auditor.

Users can fall victim to moral hazards of the project team who must engage with the auditors on their behalf.

This means the fee that would ideally be paid directly to the auditor by the users (collectively the highest risk party) is instead controlled by the project team.

Moral hazards can be exacerbated when auditing engagements are done under restrictive non-disclosure agreements.

The combination of misaligned economic incentives and restrictive legal agreements can effectively create a monopoly of information around vulnerable properties of a smart contract by constraining the auditor’s ability to signal information pertinent to users.

Without aligned incentives and proper signaling, the utility audits provide for user screening of adverse selection is negligible.

If users do not have a way to organize and represent themselves in an engagement with an auditor, formal mechanisms to protect their interests are severely limited.

Users are the Client

The Aragon community has fostered an ethos and built tools that empower users to manage the Aragon Network as the final decision maker.

That means users have a way to organize and interface directly with security auditors thus disintermediating the project team.

This direct DAO<>Auditor relationship can bring about a shift from potentially conflicted responsibility to unequivocal allegiance to the user.

The users are the auditor’s client, not the project team.

For a security partner to successfully integrate into Aragon’s community, they must be an independent but culturally, politically, and technically knowledgeable partner to ensure new features are functionally sound and aligned with user expectation.

Auditor Independence

The world has seen loose regulation for independent auditors play out before in the financial accounting industry.

Following the Enron debacle, the Sarbanes-Oxley Act instantiated conditions and regulations for financial auditors and companies to prevent conflicts of interest.

Many of the same social forces (information asymmetry, incentives/pressures, opportunities, attitudes/rationalization) that drive malfeasance in financial accounting can exist between project teams and auditors, especially over long term engagements.

The security partner should be cognizant of these forces and participate in methods of self regulation.

Methods to mitigate these forces could include:

  • User-delegated expert committee to curate candidates and oversee the work of the auditor
  • Create audit reporting standards and procedure for disclosure of audit findings to project teams and users
  • Define rules for relationships between auditors and project teams to prevent conflicts of interest

These methods could fit into the Aragon Cooperative and AGP-1.

The Importance of Self Regulation

As much as people like to see Aragon as an untouchable super-jurisdiction, virtually all of the world’s population are national citizens, subject to legal jurisdictions that influence their behavior.

This is true for users, project teams, and auditors.

Poorly regulated security activity on the Aragon Network that leads to financial losses for national citizens introduces exposure to legal regulation.

The western allied nations many auditors are based in could, at a minimum, coordinate to regulate smart contract security firms and practices.

Given the track record of national governments’ attempts to regulate technology, the outcome of such an effort could have an indeterminate negative effect on Ethereum’s young security industry.

Aragon will make an example for how decentralized organizations manage security risk, and it's critical for the future of decentralized application governance that Aragon sets the right example.

Big Picture

Including users in security governance could change the way applications are built as we know it.

Imagine if Facebook users made decisions about Facebook’s security this way:

  • There wouldn’t be incomprehensible “user agreements” to justify unscrupulous new features that jeopardize user security because the users propose and vote on the “user agreements” amongst themselves.
  • Security professionals, who often care most about the users, will have the freedom and mandate to protect users first.

Note:
Strict prefigurative embodiment of values or modes of operation described in this post may be detrimental to a DAO if applied too early. DAOs have barely entered their pioneering era and still require management by founding members or other vital stewards to lay the foundation for long term success.

8 Likes

Thanks for this post Jack! I haven’t seen this level of commitment and alignment from smart contract auditors before, so very excited to welcome you to the Aragon community, and best of luck with the AGP vote!

4 Likes

Hi Aragon! I’m Steve Marx, a security researcher at ConsenSys Diligence, and we’re also interested in becoming the security partner of the Aragon Network. Our proposal came in after the deadline for the AGP Vote #1, but we hope the community will take the time to evaluate multiple candidates for this important role and make a decision in future rounds of voting.

ConsenSys Diligence has performed two audits of the Aragon codebase, and we’ve worked closely with the Aragon One team to ensure that decentralized organizations fulfill their potential by operating as designed. We’re confident that our expertise in analyzing the security of systems like 0x, uPort, and Modular’s Interactive Coin Offering (IICO) implementation will be crucial in keeping the Aragon contract systems secure as new features and improvements are developed.

We’ve recently expanded our security services beyond performing after-the-fact audits. We now perform ongoing security engagements for our clients throughout their software development lifecycle. Instead of finding security issues at the end and rearchitecting systems at the last minute, our goal is to prevent wasted effort on insecure designs so that teams can ship safe code faster.

We hope that the Aragon community will review our proposal and consider delaying a decision on a security partner until multiple proposals can be evaluated for this key role. Thanks!

You can find our (late) proposal here: https://github.com/aragon/AGPs/pull/22/files

2 Likes

I would really like some of Aragon's devs who would be interfacing with this team to comment on this proposal. Do they support this? Are they confident in this team's ability to deliver? Are there risks/challenges/trade-offs associated with approving or rejecting this? Does it make sense to wait for Q2 so that both vendors can be included in the same ballot? Does the requested amount seem reasonable for the scope?

cc @sohkai @jorge @bingen

4 Likes

As I already told the Authio team privately, I think this proposal has some serious incentive issues:

  • The cost of the baseline audit is quite high and it is a cost that doesn’t make sense for the network to have now (given that the current code already had two very good and expensive audits) unless the rolling security reviews actually go forward. I think the risk of ‘wasting’ $220k is high given the fact that there is no financial incentive for Authio to keep working after doing the initial review, given that the rolling fees are much lower. My proposal was for a sizeable chunk of the initial review cost to be paid at a later time if the rolling audits are actually done.

  • There is no ANT in their compensation package. Even though there are definitely some potential conflict of interest issues, I think the role of the security partner is critical for ANT value (if a major vulnerability were to be discovered the price drop could be significant). To diminish COI issues I proposed to them that the ANT they receive be locked for at least 1 year, so there is no incentive to cover up a security issue until they can liquidate their position. They decided not to include ANT at all.

I won’t be voting on this proposal myself, but I definitely think that the incentive structure isn’t optimal, even though I love the team and how they are thinking about the security partner role. The reason I think it made sense to include it in the ballot is because I trust the ability of the team to provide amazing value for the network, although ANT holders should decide whether the compensation package makes sense.

6 Likes

Thank you for your thoughtful response. It’s been a pleasure soliciting and responding to feedback from members of Aragon One, and we look forward to any opportunity we have to work with them in the future. The feedback we’ve received from yourself and others so far has been very helpful and has largely informed the content of our final proposal. As such, I’d like to offer my perspective on the incentive structure:

  • Our consideration of ongoing incentives past the baseline audit was primarily informed by Jorge’s recommendation to limit the duration of the initial engagement to a 3-month trial - after which an agreement with a longer duration could be considered. Although it may have been preferable to propose a model that would more heavily favor rolling audits, we were unable to justify spending under 7 weeks on an initial audit of the Aragon codebase - leaving 5 weeks for rolling audits and ongoing support. We discussed the potential for some amount of payment to be conditional on the relative success of the engagement, but ultimately concluded that this created an inverse incentive - that any amount of subjectivity about whether or not we would receive payment meant that we were incentivized to create favorable reports.

  • Likewise, we felt that accepting compensation in ANT presented potential conflicts of interest that were too significant to ignore. Although I agree that the role of the security partner is important to ANT value, we were not comfortable proposing any amount of stake that would not clearly serve the interests of the Aragon community - and so decided against its inclusion.

I understand Jorge’s feedback so far on the incentive structure, as the structure he recommended is very similar to the incentives in place for other Aragon initiatives. Our choice to forgo the inclusion of these incentives is motivated by a desire to remain in objective alignment with the Aragon community. We feel this alignment and commitment is best illustrated by the relative depth of research we put into this proposal, and hope that ANT holders find it speaks directly to them.

5 Likes

For those who are interested, the AGP-18 community Q&A call recording is available here (timestamps in video description):

Find out:

  • How we got started
  • Some of our auditing “war stories”
  • Why we’re so interested in Aragon
  • Why we didn’t request ANT
  • Our auditing philosophy
  • Why auditing a DAO is different than auditing any other product
  • The importance of community engagement
  • Why we’re excited for the future

2 Likes

Does the smart contract system require a significant review now or in the near future? Comparing the commits of our last audit with the tip of the Apps and OS repos, I get pretty small diffs in the /contracts folders. Though I do see a good number of open PRs.

aragonApps: 7 files changed, 148 insertions(+), 116 deletions(-)
aragonOs: 16 files changed, 127 insertions(+), 58 deletions(-)

1 Like
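The post above sizes the re-audit scope by diffing only the /contracts folders between the audited commit and the current tip. The script below is an added example of that check and is not code from this thread, from Authio, from ConsenSys Diligence or from Aragon. It builds a throwaway repository with constructed Solidity stubs so it runs offline; the file names, commit contents and the `contracts/` layout are assumptions for the example, and the three helper functions (`changed_contract_files`, `changed_contract_lines`, `changed_files_total`) are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread or the Aragon repos): measure how much of
# the contracts/ tree changed between the commit that was audited and the
# current tip, the way the post above does. The repo, file names and contents
# below are constructed for the example and are not Aragon's.
set -eu

# Number of files changed under contracts/ between refs $1 and $2.
# Paths outside contracts/ (tests, docs, scripts) are excluded on purpose:
# they do not change what is deployed on-chain, so they are outside audit scope.
changed_contract_files() {
    git diff --name-only "$1" "$2" -- contracts/ | wc -l | tr -d ' '
}

# Lines inserted plus deleted under contracts/ between refs $1 and $2.
# --numstat prints "added<TAB>deleted<TAB>path"; binary files show "-" and are skipped.
changed_contract_lines() {
    git diff --numstat "$1" "$2" -- contracts/ \
        | awk '$1 != "-" && $2 != "-" { n += $1 + $2 } END { print n + 0 }'
}

# Files changed anywhere in the repo, to compare against the scoped number.
changed_files_total() {
    git diff --name-only "$1" "$2" | wc -l | tr -d ' '
}

# --- Build a throwaway repository so the functions above can run offline ---
WORK=$(mktemp -d)
cd "$WORK"
git init -q . 2>/dev/null
GIT="git -c user.name=example -c user.email=example@example.invalid"

mkdir -p contracts test
printf 'contract Vault { function deposit() public {} }\n' > contracts/Vault.sol
printf 'contract ACL { function grant() public {} }\n'     > contracts/ACL.sol
printf 'describe("Vault", () => {});\n'                     > test/vault.js
printf '# Example repo\n'                                   > README.md
git add -A
$GIT commit -q -m "state at the time of the audit"
AUDITED=$(git rev-parse HEAD)   # the commit the auditor actually reviewed

# Development since the audit: one contract modified, one added, plus
# out-of-scope changes to a test file and the README.
printf 'contract Vault { function deposit() public {} function withdraw() public {} }\n' > contracts/Vault.sol
printf 'contract Token { function mint() public {} }\n' > contracts/Token.sol
printf 'describe("Vault", () => { it("withdraws", () => {}); });\n' > test/vault.js
printf '# Example repo\nMore docs.\n' > README.md
git add -A
$GIT commit -q -m "post-audit development"

echo "contracts/ files changed: $(changed_contract_files "$AUDITED" HEAD)"
echo "contracts/ lines changed: $(changed_contract_lines "$AUDITED" HEAD)"
echo "all files changed:        $(changed_files_total "$AUDITED" HEAD)"
```

In a real repository you would replace `$AUDITED` with the commit hash recorded in the audit report and `HEAD` with the release tag under consideration; the scoped numbers are the ones that matter for deciding whether a follow-up review is warranted, while the unscoped total is only useful to show how much of the churn is outside the contracts. Note that open PRs, as the post points out, are not captured by this diff at all.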

Some final thoughts for the community: https://medium.com/@wadeAlexC/solving-softwares-oldest-problem-good-tech-is-not-enough-2377cf810419