AGP-18 Discussion: Security and Decentralized Governance


#1

Hi everyone, I’m Jack from Authio.

Authio has submitted a proposal to engage the Aragon Network as security partner (per the AA wishlist) under AGP-18 which will be on the ballot for Vote #1 on January 24th.

We will be hosting an AMA call on January 19th at 15:00 UTC where ANT voters or anyone else are invited to ask us questions. We will post details to join the call on Twitter and aragon.chat. Hope to see you there!

The following post is intended to inform the Aragon community about some aspects of the philosophy and approach we think is needed to secure application-based decentralized organizations like the Aragon Network.

Narrowing the Scope of Responsibility

The role of a security auditor is not only to prevent the exploitation of technical vulnerabilities in a given application.

The role of an auditor should also be to ensure a given application behaves in alignment with canonical commitments made to users by the project team regarding intended product behavior.

In other words, does a given application actually do what the people who wrote it say?

Does it work how they say? Will its behavior reasonably satisfy what users have been led to expect?

If properly signaled, the results of an audit can educate users about the content of smart contracts they may interact with and enable them to screen adverse selection when they otherwise could not.

Or better yet, if users demand misalignments be signaled by auditors, some malicious or incompetent actors will screen themselves out of dapp development altogether.

Unfortunately, users have no way to collectively represent themselves to participate in commerce with an auditor.

Users can fall victim to moral hazards of the project team who must engage with the auditors on their behalf.

This means the fee that would ideally be paid directly to the auditor by the users (collectively the highest risk party) is instead controlled by the project team.

Moral hazards can be exacerbated when auditing engagements are done under restrictive non-disclosure agreements.

The combination of misaligned economic incentives and restrictive legal agreements can effectively create a monopoly of information around vulnerable properties of a smart contract by constraining the auditor’s ability to signal information pertinent to users.

Without aligned incentives and proper signaling, the utility audits provide for user screening of adverse selection is negligible.

If users do not have a way to organize and represent themselves in an engagement with an auditor, formal mechanisms to protect their interests are severely limited.

Users are the Client

The Aragon community has fostered an ethos and built tools that empower users to manage the Aragon Network as the final decision maker.

That means users have a way to organize and interface directly with security auditors, thus disintermediating the project team.

This direct DAO<>Auditor relationship can bring about a shift from potentially conflicted responsibility to unequivocal allegiance to the user.

The users are the auditor’s client, not the project team.

For a security partner to successfully integrate into Aragon’s community, they must be an independent but culturally, politically, and technically knowledgeable partner to ensure new features are functionally sound and aligned with user expectation.

Auditor Independence

The world has seen loose regulation for independent auditors play out before in the financial accounting industry.

Following the Enron debacle, the Sarbanes-Oxley Act instantiated conditions and regulations for financial auditors and companies to prevent conflicts of interest.

Many of the same social forces (information asymmetry, incentives/pressures, opportunities, attitudes/rationalization) that drive malfeasance in financial accounting can exist between project teams and auditors, especially over long term engagements.

The security partner should be cognizant of these forces and participate in methods of self regulation.

Methods to mitigate these forces could include:

  • User-delegated expert committee to curate candidates and oversee the work of the auditor
  • Create audit reporting standards and procedure for disclosure of audit findings to project teams and users
  • Define rules for relationships between auditors and project teams to prevent conflicts of interest

These methods could fit into the Aragon Cooperative and AGP-1.

The Importance of Self Regulation

As much as people like to see Aragon as an untouchable super-jurisdiction, virtually all of the world’s population are national citizens, subject to legal jurisdictions that influence their behavior.

This is true for users, project teams, and auditors.

Poorly regulated security activity on the Aragon Network that leads to financial losses for national citizens introduces exposure to legal regulation.

The western allied nations many auditors are based in could, at a minimum, coordinate to regulate smart contract security firms and practices.

Given the track record of national governments’ attempts to regulate technology, the outcome of such an effort could have an indeterminate negative effect on Ethereum’s young security industry.

Aragon will make an example for how decentralized organizations manage security risk, and it's critical for the future of decentralized application governance that Aragon sets the right example.

Big Picture

Including users in security governance could change the way applications are built as we know it.

Imagine if Facebook users made decisions about Facebook’s security this way:

  • There wouldn’t be incomprehensible “user agreements” to justify unscrupulous new features that jeopardize user security because the users propose and vote on the “user agreements” amongst themselves.
  • Security professionals, who often care most about the users, will have the freedom and mandate to protect users first.

Note:
Strict prefigurative embodiment of values or modes of operation described in this post may be detrimental to a DAO if applied too early. DAOs have barely entered their pioneering era and still require management by founding members or other vital stewards to lay the foundation for long term success.


#2

Thanks for this post Jack! I haven’t seen this level of commitment and alignment from smart contract auditors before, so very excited to welcome you to the Aragon community, and best of luck with the AGP vote!


#3

Hi Aragon! I’m Steve Marx, a security researcher at ConsenSys Diligence, and we’re also interested in becoming the security partner of the Aragon Network. Our proposal came in after the deadline for the AGP Vote #1, but we hope the community will take the time to evaluate multiple candidates for this important role and make a decision in future rounds of voting.

ConsenSys Diligence has performed two audits of the Aragon codebase, and we’ve worked closely with the Aragon One team to ensure that decentralized organizations fulfill their potential by operating as designed. We’re confident that our expertise in analyzing the security of systems like 0x, uPort, and Modular’s Interactive Coin Offering (IICO) implementation will be crucial in keeping the Aragon contract systems secure as new features and improvements are developed.

We’ve recently expanded our security services beyond performing after-the-fact audits. We now perform ongoing security engagements for our clients throughout their software development lifecycle. Instead of finding security issues at the end and rearchitecting systems at the last minute, our goal is to prevent wasted effort on insecure designs so that teams can ship safe code faster.

We hope that the Aragon community will review our proposal and consider delaying a decision on a security partner until multiple proposals can be evaluated for this key role. Thanks!

You can find our (late) proposal here: https://github.com/aragon/AGPs/pull/22/files


#4

I would really like some of Aragon’s Devs who would be interfacing with this team to comment on this proposal. Do they support this? Are they confident in this team’s ability to deliver? Are there risks/challenges/trade-offs associated with approving or rejecting this? Does it make sense to wait for Q2 so that both vendors can be included in the same ballot? Does the requested amount seem reasonable for the scope?

cc @sohkai @jorge @bingen