What I find puzzling, from a legal perspective, is how any developers willingly are signing up for a 3-of-4 multisig that in principle can take control of BTC in custody with the approval of the multisig council.
Let’s be realistic, the multisig council will not be validating all code changes or have the expertise to do so, they will in fact be trusting the developers to make the right decision. The lines between decentralization and centralization are starting to blur here when there’s a handful of people making the decision.
Sobering reminder for the devs considering to participate in this multi-sig: gold standard for breaking money transmitting laws is ~20 years in jail. You’re putting your life on the line, even with honest intentions.
With that said, from a user perspective this is also terrible because you no longer trust code, but people. Yes, the developers are most likely honest, I have no reason to doubt your integrity. But once we move outside the community we have to attract people who do not necessarily trust the project team. The selling point is trustlessness, that has to be the focal point.
Wasn’t part of the appeal of tbtc v1 to attract bitcoin maxis who previously ignored DeFi due to all the trusted ramifications?
3 people is realistically all it takes to hijack the contract according to the proposal. The multisig council will listen to the developers. This isn’t even check and balances. It’s decentralization theater.
Yes, decentralization theater has been playing out for a while in DeFi, mostly without incident. But prosecutions will be ramping up in the coming years. You’re not going to want to be blurring lines here. That’s a nice little reminder that you’re more useful here then rotting in a cell. I’ve been here since e-currencies in the early 2000s, I have seen enough injustice happen over the years to know money is no laughing matter – Even if legally you’re able to get away with this now, the regulations will tighten in going forward. Multisig control has no future, decentralization does.
So what is the alternative?
Don’t assign yourself these powers over TBTC v2. Ideally, the contract would be immutable, forcing deployment of new contracts for upgrades. That’s the best approach from a trustlessness perspective.
Some projects do this successfully, like Liquity. However, I recognize the issues with this approach given that TBTC v1 stagnated. A compromise would be to let the contract be upgradable, but it doesn’t have to happen often. Every 6 months should be plenty. This is after all about having BTC on ethereum. We won’t need all the bells and whistles of the hottest DeFi degen farm. Just a simple, secure and trustless protocol that works.
Ok, so maybe 6 month is too much right after launch. Make it 3 months, heck even 1 month. But be clear about the direction. The protocol should solidify over time into a stable and trusted protocol that rarely needs to change.
These changes could be voted on in the DAO, but I would prefer there to be 90-95% consensus on any upgrade. Not holders, but 90-95% of the votes. Combined with Quorum. This will make it easy to prevent any bad changes and hard for malicious actors to change the system to their benefit.
Elected members vetoing (denying changes) should be fine as a second security check.
If you want to keep the 3-of-4 multisig + multisig council for other parts of the protocol that’s fine, I wouldn’t want to be a part of that myself (for the reasons stated above), but as long as you leave TBTC v2 alone, I don’t have too many complaints.
Similarly, the suggestion of @mhluongo to add a pause type of functionality to the multisig, but not full upgrade rights would also be fine in my view - assuming people are able to get their BTC out without permission. It all boils down to permissions and trust and we can’t have neither in a trustless BTC wrapper. Legally, you’re probably also much better of as a participant in a multisig that holds no real power. Something to think about.
Update once a month will require more testing & auditing, but will pave the way to the purest BTC on ethereum there is. Instant upgrades, as suggested, means we’re just the new clown on the block. Let’s be better than that.