Governance
Ensuro leverages Multisig and Timelock contracts to provide transparency and security for the protocol.
No major changes to the protocol will ever be made without first going through an internal vetting process that requires sign-off from several senior staff members and a public announcement with an appropriate warning period enforced by a TimelockController smart contract.
Timelocks
Timelocks require a change to be published on the blockchain in advance. The timelock enforces a minimum waiting period for execution once the change has been proposed, and only authorized accounts or contracts can propose changes.
The Timelock contracts currently in use in Ensuro are these:
DEFAULT_ADMIN_ROLE
LEVEL1_ROLE
LEVEL2_ROLE
4 days
ADMINS_MULTISIG
LEVEL2_ROLE
LP_WHITELIST_ADMIN_ROLE_ADMIN
18 hours
ADMINS_MULTISIG
WITHDRAW_WON_PREMIUMS_ROLE
RESOLVER_ROLE_ADMIN
POLICY_CREATOR_ROLE_ADMIN
6 hours
ADMINS_MULTISIG
Each timelock acts as its own admin, and proposals can be executed by one of several company EOAs once they've been scheduled and the lock time has elapsed.
No accounts, besides the Timelock contracts enumerated here, are granted the DEFAULT_ADMIN
, LEVEL1
or LEVEL2
roles at the protocol level.
Some of the RiskModules have the LEVEL1
and LEVEL2
component-specific roles delegated directly to a Multisig in some cases to allow for faster product repricing. This exception depends on the agreement with the risk partner that the RiskModule belongs to and the maturity of the product.
Multisigs
Main admin multisig.
Requires at least 3 signatures from senior staff.
Permissions:
Emergency operations multisig 1. Requires approval from all members. Used for emergency protocol pausing or unpausing. Permissions:
Emergency operations multisig 2. Requires approval from all members. Used for emergency protocol pausing or unpausing. Permissions:
Transaction signing
All members of the multisigs must use secure hardware wallets or isolated environments for signing transactions. This is audited internally as part of our compliance program with the Bermuda Monetary Authority.
Transactions are signed using Safe Wallet Multisigs as documented above.
All critical transactions, such as upgrades or major parameter changes, must require at least 3 different senior staff members to sign.
Restricted Executor
In some cases, we have integrated our monitoring system (Ensuro Forta Bot, Forta feeds, Openzeppelin Defender sentinels and internal transaction monitoring) into our automated incident response.
This requires a service account to have the ability to instantly pause the protocol in reaction to some alerts.
Given that our GUARDIAN_ROLE, which is the one used for pausing, can also unpause and upgrade contracts, we have created an intermediate contract called Restricted Executor that allows us to delegate a single operation instead of a full role.
Last updated