This is an excerpt from the Threshold blog with the relevant portion for this conversation. This is a place for the Threshold community to start brainstorming better solutions for this mechanism or discuss eliminating it entirely.
The second bug — redemption mechanism design flaw
The second bug became apparent as we prepared the first patch.
The Threshold DAO can delegate to multiple approver addresses in the
Unfortunately, as of today, there has only been one delegation to a single maintainer address — a single point of failure. Today, that address is controlled by a US-owned company, disallowed from approving the FTX-associated redemption.
Fixing the mechanism design
Only having a single delegated approver with $25M in TVL was an oversight. Still, the bigger issue is the mechanism design itself.
Any system relying on the explicit approval of a redemption is bound to have another issue like this. When the protocol first shipped, the rationale for an approval mechanism was speed and user friendliness — alternatives meant a worse user experience.
I don’t believe the current system has made the right tradeoffs.
There are two clear approaches to fixing this flaw
- Move from an approval-based flow to a veto-based flow
- Remove all redemption review at the protocol level
I believe the safest mechanism design, going forward, is something I call “optimistic redemptions”. Instead of a list of addresses that finalize redemptions, we have a list of addresses than can veto a redemption — similar to the Guardian role in optimistic minting.
With this mechanism in place, all redemptions are valid by default. If a redemption is vetoed due to a suspected bridge hack, it can be delayed. If it’s vetoed by enough guardians, it can fall back to a token-holder vote. If the veto is upheld by a token holder vote, the rejected tBTC redemption can be automatically returned to the redeeming user.
The downside is that this hypothetical mechanism requires an additional delay for each redemption. Over time, though, that delay could be shrunk to as little as 15 minutes, and entirely waived for small transactions.
Finally, if and when the community judges the system secure without a redemption review period, it could eliminate the delay altogether, smoothly migrating from the first approach to the second. In fact, I think a clear schedule to removing redemption review would help build confidence across the community.
However this mechanism design flaw is resolved, we’ve learned a ton from this experience — and I’m glad we learned it this week rather than 10x from here.
The DAO and community have decisions to make.
Whether the community decides to add another approver address, upgrade the contracts to an “optimistic redemption”-style mechanism, or research and consider other options, as a dev team, we’re here to advise, and help build a more robust, secure, and neutral future of finance, together.