Accelerated Decentralization Proposal For Optimism

31

Anthias Labs Optimism Governance Decentralization Risk Analysis - Token Contract Transfer

Abstract

In response to GFX Labs’ recent post to accelerate Optimism Decentralization, Anthias Labs has conducted the following risk analysis to make clear the current state of OP governance attack risk. This analysis is not intended to endorse or reject GFX’s proposal but rather to share the state of risk objectively so that Optimism stakeholders may make the most informed decision on how to proceed.

Disclaimer: Anthias Labs has signed GFX Labs’s Snapshot petition.

Phase 1 - OP Token Ownership Analysis

In this initial analysis, we will focus primarily on transference of the OP token contract ownership as that is the first step proposed.

The following is an excerpt from what GFX Labs proposed above:

“OP Token Contract Ownership
Unlike some competitors (like Arbitrum), the OP token has no established rights to execute code, make proposals, share in revenue, or anything else.
This manifests itself as a lack of interest in OP as a governance token, making it a struggle to convince some users to delegate or vote. In some circles, OP is actually referred to as a meme coin, and not jokingly so.
Of particular embarrassment is that the OP token does not even own its own contract. Transferring ownership of the token contract to governance is an essential first step in a credible plan to make the OP token serve its intended purpose of governing Optimism.
Putting the token contract under onchain governance oversight also ensures that basic tasks will get done, like deploying standardized OP token contracts on Superchain member chains and a reliable, quick mint-burn bridge between those chains. This is of particular urgency with the Superchain grants program scheduled to dispense 12,000,000 OP tokens to member chains, but with no way to reliably get those tokens to those chains.”

What does contract ownership mean?

It is defined here in the following Optimism contracts:

1210×560 82 KB

The function transferOwnership is called to transfer the ownership of the contract from its current owner which is this address 0x5C4e7Ba1E219E47948e6e3F55019A647bA501005 to an address owned by the governance council.

The owner of the OP Token contract has rights to all the functions present in the contract as well as access to all the functions which have onlyOwner access. Below are some of those functions:

1022×274 46.7 KB
943×116 11.9 KB

Only the owner of the contract can renounce their ownership when they wish to, and only they can transfer their ownership to whomever they wish to and whenever they wish to.

Only the owner of the contract has the right to mint the governance tokens which is a restricted privilege. Transferring ownership requires just calling a function. But the risk of this transfer is a governance attack, which we will now provide some context around.

What is the current state of OP token decentralization, and what risks might its current state pose or mitigate? This is what we will now explore.

Data on the OP Token and How this Data Connects with Governance Attack Risk

1294×792 44.7 KB

Plot 1 - Shows the total OP available for voting i.e currently delegated.

1294×792 73.8 KB

Plot 2 - Shows the total votable supply compared with the available supply.

Inferences from the above plots:

  1. The votable supply is quite a small fraction of the available supply that peaked at 16.83% 2 years ago & has mostly stagnated since then.
  2. Though the total votable supply has been constantly increasing, the available supply has increased more quickly.

1294×792 87.8 KB

Plot 3 - Shows the total collective treasury of OP collective in USD.

Let us look at how different delegates constitute the collective council, their distribution & the voting power they have.

1294×792 69.5 KB

Plot 4 - Number of recognized Delegates.

1600×729 158 KB

Plot 5 - Voting power available to different delegates.

1294×792 122 KB

Plot 6 - Distribution of Top 10 delegates with their voting power.

1294×792 96.5 KB

Plot 7 - Distribution of Top 10 delegates with the amount of OP they hold.

1294×792 63.2 KB

Comparing OP with ARB data as a point of governance decentralization comparison

The above plot shows the number of delegates required to cross 50% of the voting power. This is an important parameter as it tells how decentralized & distributed the voting power actually is. The number of such delegates for OP lies in the range of 10-15 which is moderate. This number has a higher magnitude in the case of Arbitrum.

1294×792 78.7 KB

This plot shows the ARB delegated for Top 50 delegates vs the other remaining delegates. We see that the Top 50 delegates are together needed to achieve 56% voting power. The top 240 delegates control two-thirds of the total voting power for Arbitrum DAO & around 15% of all the available ARB is being delegated compared to OP’s 9.8%.

The plot below shows the distribution of voting power among the Top 50 delegates for Arbitrum DAO. Hopefully, this plot serves as a point of reference between the two DAOs given this discussion to decentralize.

1294×792 116 KB

The monetary costs of a governance attack over the OP ecosystem.

Case 1: Attack takes place using the already delegated supply

Procedure:

  1. We take the total votable supply of the OP ecosystem.
  2. We multiply the value by 0.51 to obtain the 51% voting supply.
  3. We multiply the obtained voting supply with the historical market price of OP token to obtain the cost of executing a 51% attack on the ecosystem at various points in the past plotted as a curve.
  4. We ignore dex slippage for the moment, considering the ideal cost. True cost would be actual cost added with dex slippage.

Case 2: Attack takes place using the currently undelegated supply

Procedure:

  1. We take the total available supply of the OP ecosystem.
  2. Remaining steps are the same.

1600×241 49 KB

Above is the fundamental equation for a governance attack. The only way to avoid a governance attack is to make the profit of the attacker negative. This can be done by one or more of the following:

  • Decreasing the value of attack.
  • Increasing the cost of acquiring voting power.
  • Increasing the cost of executing an attack.

To be fully clear: What is a governance attack, and how can Optimism avoid them?

A governance attack is when a malicious actor or a group of actors gain enough voting power to overthrow the existing governance structure of a DAO & cause a hostile takeover of the governance, taking the protocol into the direction they wish to for their personal benefits.

Below are two governance attacks with details on how exactly they occurred:

  • Beanstalk: Beanstalk is a lending platform that allowed its governance contract to change the address of the owner of the collateral of the platform. It was attacked by an exploiter who transferred all of the collateral of the platform (estimated at just over 182M USD) to themselves, collapsing the platform as a result. The attack was issued by an individual who was able to take a flashloan of Beanstalk’s governance tokens and in doing so became a majority holder of governance tokens, allowing them to make dictatorship decisions in the governance contract. To overcome Beanstalk’s wait time safety feature, the attacker uploaded a seemingly innocent governance suggestion (donating funds to Ukraine) while hiding the actual functionality using Ethereum’s Diamond standard (which is a sophisticated version of the proxy mechanism). This is how the attack was not detected prior to the beginning of the voting period. The attacker also utilized the emegrantCommit() method to transfer to himself a sum that covered his flashloan, alongside over 180 M USD in profits from the attack.

  • Compound DAO passes $24 million in alleged governance attack: Two months ago, a controversial proposal in front of the Compound Finance DAO narrowly passed, allocating 499,000 COMP (~$24 million, approximately 5% of the project’s treasury) to an outside group. The proposal was introduced by a Compound Finance whale known as “Humpy,” who pushed for the tokens to be granted to a protocol created by a group called the “Golden Boys,” which Humpy also leads. This marked the third attempt to secure funding for the Golden Boys, following two unsuccessful votes in May and earlier in July. Humpy had previously been accused of engaging in governance attacks on other protocols, including Balancer and SushiSwap. Before the proposal passed, some members of the Compound Finance DAO raised concerns. Compound Finance security adviser Michael Lewellen stated at the time, “In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates.” Lewellen further described the proposal as “a malicious attempt to steal funds from the protocol.” After the proposal passed, Lewellen wrote that “OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing, and we are exploring options to mitigate or reverse this outcome.” This event, now two months past, remains a significant moment in Compound Finance’s history, as it exposed vulnerabilities in decentralized governance and raised ongoing concerns about the control of protocol resources.

Conclusion

Risk abounds in any decentralized system, but there are immense rewards to be had as well with decentralization, as GFX Labs outlines in their original post. OP stakeholders must weigh those risks and rewards in order to come to their own conclusions about the best path forward for the Optimism Collective. Additionally, there may be adjacent middle-ground solutions here that find the optimal value for the Collective. Our team at Anthias Labs will have more work here shared to the forum soon.

Legal Disclaimer

Anthias LLC (D.B.A. Anthias Labs) does not provide financial advice. Any information accepted here is accepted on the behest of the protocol/DAO team. Anthias Labs is not permitted to give financial advice, and nothing in this documentation should be considered as such. Anthias LLC (D.B.A. Anthias Labs) will not be held liable for any economic or otherwise monetary loss brought about by statements made in this document. This is not financial advice, and any third party reading this document should do its own research into any statement made.

4 Likes