tldr
The goal of the proposal is to revoke minting permissions on the first two deprecated thUSD contracts as a security measure. This involves a streamlined process that addresses operational challenges under the current governance mechanism.
Background
Threshold USD has been built as a public good for the Threshold Network. Value is created for the Threshold DAO instead of captured by a protocol token.
Deployment Details:
First Deployment: thUSD Stablecoin (thUSD) Token Tracker | Etherscan was deployed on Oct/5/23
Second Deployment: thUSD Stablecoin (thUSD) Token Tracker | Etherscan was deployed on Oct/18/23
The thUSD token was designed with governable safeguards due to contracts immutability (Persistent on chain over time). One such parameter allows for control over the token mint list.
There is a balance between the certainty of immutability with adapting to new information
- The deployed contracts are immutable so users can audit and trust them
- Upgradability is preserved through a mintlist on the thUSD token contract
- Changes to the mintlist are made through a two step, time gated governance vote on Governor Bravo
- Governance votes can be vetoed by the Threshold Council
After the first deployment, it quickly became apparent that a new set of thUSD contracts had to be redeployed to correct and improve a performance feature in the stability pool, which is responsible for protecting the system during collateral liquidation processes (for details refer to the discussions in the B-protocol channel on discord).
In contrast, the second deployment had to be also deprecated shortly after its launch due to a vulnerability reported by Tellor in their contracts. Since Tellor contracts are also immutable, it was essential to update our contracts to reflect the newly fixed Tellor price feed.
Based on these discussions, a fix was implemented with the redeployment. Therefore the first two sets of contracts were then deprecated.
Proposal
As an additional security measure, the DAO should revoke Mint authorization for the collaterals on the deprecated first two thUSD token contracts. Authorized contracts to mint thUSD are the old borrowerOperations contracts for both collaterals (tBTC and ETH) of each deployment set.
Revoke Mint Process
The revoking mint capability process involves two steps on the token contract, executable only by the owner, which is Governor Bravo. The steps are startRevokeMintList and finalizeRevokeMintList, with a 90-day governance delay. This needs to be executed for the borrowerOperations contracts of each collateral for both sets of deployments.
First Deployment
BorrowerOperations for tBTC Collateral: 0xB38EE6134D20344f7Cb0DE58a2E857209F307072
(verify here)
BorrowerOperations for ETH Collateral: 0x5E8e6374605C1FA413F50fB2bF9191bE20cc0f7E
(verify here)
The current BorrowerOperations contract mint capability of the first thUSD token deployed can be checked in mintList function in ](dev/packages/lib-ethers/deployments/default/eth/v1/mainnet.json at fb15ebed750fe1e206aa2a1b01fc4ad30c324e1b · Threshold-USD/dev · GitHub)THUSDToken | Address 0xa10A5e2d813a51374592D6ce440B149F01CF9A7D | Etherscan
1. The Governor Bravo calls startRevokeMintList for BorrowerOperations for ETH Collateral (0x5E8e6374605C1FA413F50fB2bF9191bE20cc0f7E) on the thUSD token contract 0xa10a5e2d813a51374592d6ce440b149f01cf9a7d.
2. After the governance delay of 90 days, Governor Bravo calls finalizeRevokeMintList on the thUSD token contract 0xa10a5e2d813a51374592d6ce440b149f01cf9a7d.
3. The Governor Bravo then calls startRevokeMintList for BorrowerOperations for tBTC (0xB38EE6134D20344f7Cb0DE58a2E857209F307072) on the same thUSD token contract 0xa10a5e2d813a51374592d6ce440b149f01cf9a7d.
4. After another 90 days, Governor Bravo calls finalizeRevokeMintList on the same thUSD token contract 0xa10a5e2d813a51374592d6ce440b149f01cf9a7d.
Second Deployment
BorrowerOperations for tBTC: 0xf72E47D561D0dD5C685603e91c5FAF1FE92B7A8d
BorrowerOperations for ETH Collateral: 0xeed6efEdc8a709b78C9Ce108777f412628e558e7
The current BorrowerOperations contract mint capability of the second thUSD token deployed can be checked in mintList function in https://etherscan.io/address/0xac76FAB49c7b24b15d564f348C248C6791888965#readContract
1. The Governor Bravo calls startRevokeMintList for BorrowerOperations for ETH Collateral (0xeed6efEdc8a709b78C9Ce108777f412628e558e7) on the thUSD token contract 0xac76FAB49c7b24b15d564f348C248C6791888965.
-
After the governance delay of 90 days, Governor Bravo calls finalizeRevokeMintList on the thUSD token contract 0xac76FAB49c7b24b15d564f348C248C6791888965.
-
The Governor Bravo then calls startRevokeMintList for BorrowerOperations for tBTC (0xf72E47D561D0dD5C685603e91c5FAF1FE92B7A8d) on the same thUSD token contract 0xac76FAB49c7b24b15d564f348C248C6791888965.
-
After another 90 days, Governor Bravo calls finalizeRevokeMintList on the same thUSD token contract 0xac76FAB49c7b24b15d564f348C248C6791888965.
- The existing procedures for each thUSD token deployment (first and second deployments) can happen simultaneously. This means that the Governance Bravo can initiate and progress the revoking process for both thUSD tokens at the same time.
- Across both deployments, the Governance Bravo will need to execute a total of 8 function calls. This includes 4 calls (2 startRevokeMintList and 2 finalizeRevokeMintList) for each thUSD token deployment.
- The entire procedure, spanning both deployments, should take 180 days to complete. This duration accounts for two 90-day governance delay periods, one for each set of borrower operations revoking process (one for ETH collateral and one for tBTC collateral) within each thUSD token deployment.
Solution: thUSD Owner Contracts
Recognizing the operational challenge this revocation process presents, we’ve developed a tailored solution: the deployment of two THUSD Owner contracts. Each of these contracts corresponds to a deprecated thUSD token that should get its mint capabilities revoked. This approach allows for a more streamlined and efficient revocation process.
Operational Role of the THUSD Owner Contracts
These contracts, managed by the Integrations Guild, will oversee the revocation process. Here’s how they will function:
- Each THUSD Owner contract will initiate and complete the mint list revocation for its respective thUSD token collateral.
- This design significantly reduces the complexity involved in the revocation process, enhancing the operational efficiency of the DAO.
- The contracts enable the Integrations Guild to transfer ownership of the thUSD tokens back to Governor Bravo when necessary.
Addresses of the THUSD Owner Contracts:
thUSD Owner Contract for 1st Deployment: 0x883fC0B2EF845603a5c9012172e7F8c34c28d63
thUSD Owner Contract for 2nd Deployment: 0x033951c469e54ef19Be43B19c70a4DD273026468
Request for Ownership Transfer
The core of this proposal is to request the DAO to approve the transfer of ownership of the deprecated thUSD tokens to the THUSD Owner contracts. This transfer is crucial for implementing the outlined revocation process expeditiously and securely.
Governance process for ad-hoc security issues
This proposal is an ad-hoc action guided by the IG and the thUSD workgroup to enhance security and protect the community by disabling a functionality and avoiding confusion with the new thUSD deployment.
This forum post should be active for 7 days to allow adequate time for questions and discussions. If there aren’t major issues or setbacks the voting process with enacting transactions will be triggered directly on GB avoiding the normal temp check process via Snapshot.