Proposal to pause Governance Fund voting cycles till minimum viable decentralization is achieved

Optimism is experiencing rapid growth, but this is a double-edged sword. Currently, Optimism is a centrally operated network where, as far as I’m aware, unknown entities across Optimism Foundation, OP Labs or associates hold complete rights to produce blocks and all funds in the bridge. I hold rollups to a much higher standard than this, a similar standard to Ethereum itself, and currently it’s not being met.

Of course, I’m looking to be pragmatic and understand the lay of the crypto landscape - and acknowledging the competition - like Solana, Cardano, BSC, Arbitrum etc - are also very much unfinished, in different ways. This is an industry where people are willing to take massive risks on unfinished protocols, which is why I’m supporting Governance Fund proposals thus far. However, it’s important for this to not get out of hand. It’s not just that Optimism can run away with all our money - they have proven to be reputable entities - but it also comes with significant regulatory risk. If Optimism becomes a multi-billion dollar network, it’s almost certainly going to catch the attention of the authorities, particularly with its ties to the USA. The bigger the network gets, the exponentially greater the risk for a black swan event becomes. I believe Optimism should be focused on building for the long term, over a 10-year horizon. It’s not worth taking any undue risks in year 1.

I believe we have achieved a pretty good spread of incentives across a number of protocols already, with incentives set to flow for the next 6 months or so. Some of the first projects have gone live with incentives, with a majority yet to follow. We have seen TVL and interest in Optimism skyrocket, and there’s more to come. The $OP token now sits at an FDV that’s only behind BTC, ETH, BNB, ADA and SOL, at this moment on par with DOT.

This is where we have to strike a balance, and pause further voting cycles till minimum viable decentralization has been achieved. To me, minimum viable decentralization looks like:

  • No backdoors for Optimism Foundation/OP Labs/centralized entities to the smart contracts. So, no centralized entities can make emergency upgrades without notice. Instead, most upgrades go through the regular governance vote, with an emergency council voted on by stakeholders. I have some thoughts on this earlier, but it can be simpler than this.
  • Some simple way for anyone to build blocks if the Optimism Foundation/OP Labs sequencer goes offline, perhaps have a whitelist voted by governance that can just replace the sequencer. Properly decentralized sequencers not necessary, but hope to see build up to that.
  • Semi-permissioned fraud proofs: Fraud proofs are live, and perhaps we can have a whitelist approved by Optimism Foundation and/or governance. Like sequencer, this is a 1-of-N assumption, so I’m not too concerned if it’s not permissionless to begin with - though that should certainly be expedited.

In short, it’s unacceptable that Optimism Fnd (and associates) holds a backdoor, there are no fraud proofs, and it’s not acceptable that only Optimism Fnd can produce blocks. To be clear, it’s fine if Optimism Fnd produces blocks most of the time, but there should be a backup if it cannot.

So, practically, what does the roadmap look like? We will certainly have to wait for Bedrock till these can be implemented, so I’m looking at Q2 2023. I expect current incentives to run through mid-Q1 2023, so there won’t be too much of a lag.

Finally, I’m not saying we should shut down all Governance Fund proposals - we can definitely have a committee which pre-approves certain exceptional/urgent proposals that make a big impact with low risk. I’m just recommending pausing the traditional process and delaying Season 2 till MVD is achieved.

34 Likes

I really get your point, but I don’t quite see that it’s a matter of waiting until certain decentralization is achieved. I would suggest a debate on what projects we should support in order to grow long-term sustainable growth.

I think we need to change the usual speculative game and learn how to judge a proposal, not by how it sounds but by the ultimate incentives of the ones who have to develop that proposal. In other words: it’s not a matter to wait for optimism to be decentralized enough so we can fund proposals, but to be sure we’re not giving money to people promising great things with no intention to make them real.

7 Likes

This is the third time you are raising this concern and I get the lack of engagement on your suggestion.

I remember reading somewhere between this line
“those who are not trying to fix the fault are the one gaining most from the said fault”

What you are saying is true and in current form we do have problems that need to be fixed. A central block producer and no fraud proofs are common concerns I hear when I look beyond our gov echo chamber.

Users are not willing to move their funds from main net because of this and, I can’t prove this, consider this as just my intuition, whales and organizations are also waiting for these issues to be fixed before moving their funds over. Or maybe those moving millions will simply stay on main net as they won’t mind paying gas fees for the security of the L1.

We have a Twitter space coming Monday on Bedrock, let’s see if we get some timeline on when it will be live.

So far we have distributed over 50M OP tokens which should run through Q1 23 like you have said and we can easily pause the fund distribution until then.

Others might suggest, let’s not pause but look at proposals individually, which I don’t agree with. If we continue to accept the proposals, I can’t vote No just because there is no fraud proof, it’s not their responsibility to implement it, then the only option left for me is to Abstain.

Let’s focus on OP Citizen house and complete at least one round of RPGF in the next few months and we can resume gov fund early next year.

I am a small delegate and voting against or for has very little impact on the final decision, but just putting my thoughts here and supporting this proposal.

11 Likes

Considering this and the risks we face, I would like to add the fact that some of the protocols/projects submitting proposals will face stronger stress and security tests in the coming months with more users taking advantage of current+approved incentives. This also means more eyes and hackers ready to take advantage (reward is higher now than before).

Meanwhile we have concerning attacks/exploits/whatever going around (none directly focused on Optimism projects); nevertheless the risk is real and it seems to be increasing (it should be expected, nothing really new). On the other hand, if any project giving incentives via these grants is exploited I don’t need to say what the Optimism Collective may be forced to do.

That said, I don’t see any issue pausing the Governance Fund voting cycles until we reach some Minimum Viable Decentralization mechanism/strategy. We have enough incentives to keep momentum and pausing should incentivize teams to improve what they already have, reaching better proposals in the future instead of rushing them. Also, I don’t want to see this trend of teams updating their proposals while the voting cycle is live. We need to improve how the governance works before we start the new season. Btw, I consider this part of the decentralization process.

4 Likes

Thanks for the comments. I just want to stress that particularly the higher the TVL in Optimism’s (centrally controlled) bridge grows, the greater the risks. Of course, this is not the only risk - there are many others that come with a growing ecosystem - but this is the easily quantifiable one. This is the reasoning behind balancing $OP incentives, and not over-incentivizing so Optimism grows too big, and the risks increase exponentially. One approach would be to continue incentivizing protocols which may not incentivize TVL, but rather activity in some other way that does not directly increase this particular risk.

7 Likes

This is a really interesting proposal, and one that’s had me thinking all day.

I’m not quite so concerned about the regulatory factor, though obviously it’s relevant, the aspect that really seems important is that we’re creating incentive structures to encourage people to move their assets to Optimism, but without making it explicitly clear what the risks of doing so are, regarding the centralization factors you’ve listed (upgrade backdoor, the sequencer, lack of an escape hatch and lack of fraud proofs).

I don’t feel as strongly as you that these must be in place before we process any more proposals, but I’m not dismissing that as a possibility.

As per our exchange earlier, I do think it matters where users are moving their funds from to onboard to Optimism, it would make a difference if they were sacrificing decentralization/security without realizing (e.g. moving from Ethereum and assuming that Optimism’s current model was some kind of a Platonic Optimistic rollup as described by EthHub or Finematics or something) or if they are moving from an equivalent or worse level of decentralization/security (from Boba/Metis etc or an Alt L1 like Solana or EOS). In the latter case I would not think we had any reason to feel guilty for encouraging the move!

Part of the problem can probably be solved with information. If new and existing users are aware of the current state of Optimism and the future roadmap then they can make an informed choice and again, I don’t think there is a reason to stop encouraging them. This is obviously a difficult solution though as without control of all the bridges users are utilizing to onboard assets there isn’t really a way I can see that this information can be presented. Nevertheless, the foundation producing and promoting more info on what the rollup is now and what it will be like once the Bedrock and Cannon upgrades are made would be an easy way to make some progress on this.

Once we have a clear roadmap, then perhaps it might be that your suggestion of pausing the onboarding incentives is the correct course of action, though like you say, that won’t mean all governance fund proposals, some (like Rotki which all of us in this thread voted for) aren’t really designed to increase Optimism’s TVL and so would presumably carry on.

8 Likes

I’d definitely like to see some analysis on where the degens are coming from. Once again agreed that proposals that don’t really increase TVL or direct economic activity should be fine.

5 Likes

TLDR: You’re highlighting critical risks that many have yet to consider and risks that need to be addressed, but the solution you’re suggesting is a red herring.

I think this is the most effective solution mentioned so far:

Assuming all the mentioned risks can have a material impact on OP and the Collective, then education (i.e. well structured information) needs to be at the heart of the solution.

Waiting for a utopian(?) level of decentralisation before carrying out key activities may hobble long-term progress as this may always be a stretch goal on the horizon, but keeping the community (and its new and prospective members) well informed via digestible resources can bridge some of the risks in the short to medium term.

If people have available resources to know all the risks, and ultimately the current stage of development of the project, then this will let people make their own decision as to whether they want to onboard to and remain with Optimism.

My suggestion (aside from resolving the technical flaws themselves) is to create educational resources/content that are either, or both, highlighted within official Optimism channels or extend beyond the internal community.

2 Likes

It’s not a risk just for users, but also operators and the protocol itself. I’m definitely not waiting for any utopian level of decentralization - indeed the title calls it minimum viable decentralization. In an ideal world, even this would be pretty unacceptable, but I’m willing to recognize this is a space overwhelmed by degens and finding a compromise there.

4 Likes

I’ll concede the “utopian” wording as an error, and accept your minimum viable decentralisation. But my point was about halting activity based on a subjective standard, as what’s minimum to you or another may not be the same, and this may lead to paralysis because we may never reach a point that makes everyone happy. I hope this intention has been communicated better this time and I’m sorry for being extreme in my wording, i.e. “utopian”.

And yes, I’m aware that this is a risk not only for users. That point was never meant to be in contention.

The overall goal of my reply was to (a) acknowledge the risks you are trying to bring to people’s attention, and appreciate your concern and motive (b) accept and agree that a minimum level of decentralisation must be achieved in the shortest space of time possible, which allows us to continue towards full decentralisation (c) but not necessarily agree that delaying Season 2 for 9-12 months is the best course of action to address the valid concerns you raise, and (d) suggest that other solutions, in parallel with acting upon decentralisation, may be a preferable (although not perfect) course of action.

Thanks for your time @polynya

EDIT: I’m open to compromise too. I think halting the Governance Fund activities for too long may stall the momentum and community activity that is one of Optimism’s non-technical advantages, and this is one of my fears of your proposal. But something akin to a 3-6 month pause of activity may both reduce the risk of too much OP circulating about, or locked up, too quickly prior to MVD and reduce the risk of this project stalling or becoming stale. I.e. I’m open to a shorter pause.

3 Likes

Just to clarify, I don’t think this is a complete solution to the issue Polynya is raising. I don’t see how we can ensure that people aping in will be exposed to, for example the L2Beat page, or whatever form the education takes. If users understand accurately the security and decentralization of Optimism then I’ve got no objection to continuing to incentivize them to onboard funds, everyone is responsible for their own risk assessments, but I’m not entirely sure how possible it is to provide rollup literacy broadly enough.

5 Likes

@polynya thank you for opening this discussion thread, awareness is the first step for good changes.

In this case I’m echoing the call not to pause everything, knowing that there are proposals that can genuinely contribute to the network and ecosystem and that do not necessarily contribute to an “unstoppable” growth of TVL, also taking into account non-monetary use cases that are nice to have.

Correct, in fact I want to tell you guys that I’m currently building with latam contributors an open community called L2 en Español where our first step is understanding how early these networks are and that they should be considered as experimental. Again, in the case of Optimism the awareness is, if you want to be early in its use and development, you will be indirectly rewarded with governance tokens in some way, and nothing more than that.

Bedrock is expected for Q4-2022, but even when the minimum viable decentralization is reached, is this acceptable in the criteria if we take it absolutely? Sadly this is no longer a problem that concerns only Optimism, but is part of the perhaps incomplete commitment of the Ethereum (network) in its future based on Rollups, where the exploits do not seem to be reversed in favor of the same community that encourages their development, and I’m always thinking about how the Ethereum community could mitigate major incidents (even if all neutrality is lost).

For now it is something that we will have to live with, it doesn’t matter if it has admin keys or not or how centralized it is, rollups are still far from passing the test of time (seen as safe, and enshrined rollups aren’t a real possibility for now) while at the same time they are the application that most concentrates the number of users.

Just wanted to share these thoughts.

8 Likes

(I work for OP Labs, but this is 100% my own opinion.)

Your criticisms of the state of decentralization are of course valid. I would say they are well-taken, but honestly, we can’t really go towards these milestones any faster than we already are. We are focused on Bedrock, which is a pre-requisite for Cannon (fault proofs). Cannon will most likely be one of our next priorities.

As for suspending grants before these milestones, I believe if that’s what the Foundation wanted to do, it would simply have waited until these things were implemented to launch the token!

I think we need to do things right, but we also need to stay relevant to people who care less about decentralization and more about other metrics, which right now means growing the ecosystem. Polygon has been on the extreme of pursuing this strategy, being a side-chain that is now aggressively investing into rollup technology. But they invested heavily in the growth of the system on the way there.

These things are not in tension: having governance distribute grants does not slow down the dev team in any way.

In terms of risk - these risks of course exist, though a technical point is that because of the withdrawal delay a lot can be done to mitigate issues that might occur. I’m more worried about the security of economic bridges in case of an incident (i.e. I’d really love to know that they are running replicas and are running custom on-chain monitoring).

9 Likes

Surely you have to be worried about having billions of dollars in your contract and being sanctioned by the US Treasury? Optimism is operating as a central point of failure. The more TVL and economic activity you take on as a fully centralized chain, the greater your risk becomes. As mentioned above, an emergency council can achieve very much the same thing in terms of recovering from bridge failures, while mitigating centralization and regulatory risks. This would be more in line with Polygon PoS, as it stands currently Optimism is more centralized than Polygon PoS.

I don’t want to belabour the point, though, it’s clear there’s not much support for this proposal - I just hope there’s a bit more awareness. So, I’ll just keep personally rejecting all proposals that pile on the above mentioned risks, particularly ones that come with significant regulatory risk.

5 Likes

The security considerations are justified

1 Like

I completely agree with this. Would be nice to see some response from the foundation on this. I see @norswap from Labs commented but still would be nice to hear if there is any update on the roadmap and if going towards acceptable decentralization can go a bit faster.

I think we can all agree for the reasons you stated Optimism is quite centralized at the moment. Even the governance shows this. We all vote on proposals, following guidelines set by the foundation and then we rely on their good will to execute. In a normal DAO the on-chain transfers for example would be controlled by the DAO/token holders.

I get that things take time, but seeing a renewed timeline or commitment to true decentralization would mean a lot.


Now for the question on whether to halt funding any grants until decentralization is achieved I am not sure I understand the connection there. Can you maybe explain in a bit clearer way @polynya? Is it for fear of consequences on the foundation since in reality it’s all under their control and disbursing funds to a project that turns out to be criminal could hit the foundation?

4 Likes

I didn’t want to speculate on “what could go wrong” because usually the consequences of high risk and the resulting black swan events are often unanticipated. But consider that Optimism is basically like a CEX currently and comes with all of the same risks:

a) Due to negligence (malice I think is very unlikely), Optimism’s multi-sig is compromised, and the malicious entity executes an upgrade that could be as bad as draining all funds in the bridge.
b) Hackers only need to target Optimism Foundation and its founders, employees etc. Or worse still, kidnappers looking for a steep ransom or whatever.
c) US Treasury or some authority wants to sanction an app or a user on Optimism for whatever criminal activity. If it’s an immutable contract ala Tornado Cash, their best method of attack is to simply sanction members of Optimism - who as far as I know are US citizens. Now, the details of their multi-sig are very much obscured, and I also don’t know about which jurisdiction(s) Optimism Foundation comes under. But the fact that there’s no transparency about any of this is a big problem.
d) Alternatively, an authority can force Optimism to censor certain users or dapps, enforce an irregular state transition, freeze funds - Optimism can do any of that, really, while Optimism Foundation maintains an emergency backdoor.

Now, the bigger the TVL, the more the economic activity, Optimism becomes a significantly bigger target. While its TVL is <$1B, it’s OK as a beta product. But as we go past $2B, and with more incentives flowing out unthrottled, it could be $5B, and it could end up being the biggest target after Ethereum itself. Ethereum is very difficult to attack, but Optimism - you just need to compromise their multi-sig.

Of course, some may say all of this is dramatic and unrealistic, which is why I didn’t want to go into more details. But my answer is simple - Ethereum was designed to be maximally robust, decentralized and secure, that could survive under the most extreme of black swans. I’m holding Optimism to the same standard.

I have suggested pragmatic steps multiple times - even moving to timelocks + an emergency council like zkSync has done for over 2 years now is a big step forward, versus a non-transparent multi-sig.

6 Likes

You are absolutely NOT being:

Irrespective of whether the Governance Fund is paused or not, I think these security and centralisation issues are critical. They are very high impact risks, and their likelihood increases in proportion to Optimism’s growth. Thanks for bringing this to the attention of the less initiated (like me!).

Well done, and keep pushing. Let us know if there is anything any of us can do to help.

1 Like

Hey @polynya, thanks for voicing your concerns here in a thoughtful manner.

I agree with much of the sentiment here. My primary takeaway is that we at the Foundation need to be doing a better job engaging with the community on the post-Bedrock roadmap. With Bedrock significantly simplifying the protocol, the path towards implementing many of the improvements you’ve listed becomes much more straightforward. We clearly haven’t talked publicly enough about this, and will work to correct that (in longer form prose) in the near future.

Speaking in my personal capacity, I’d say that, of the three points above, a security council seems like the lowest hanging fruit, with sequencer decentralization as a fast follow.

As for semi-permissioned fault proofs, I see this as a potentially useful milestone, but not as an outcome in and of itself. I want to emphasize the importance of a “weakest-link” security mindset and am wary of creating a false sense of security by implementing gadgets which do not fundamentally change the security model. At worst, these gadgets may even harm it by introducing complexity. All development milestones should be driven by what will bring the technology to production fastest.

The community (Foundation included) should absolutely continue to drive towards productionizing fault proofs, and a mainnet bug bounty with the proof system could be a useful milestone. But I do think it’s important that we decouple the conversation about security models from conversations about how best to productionize fault proofs, which has more to do with introducing redundancy than accelerating a permissioned rollout.

Anyway, again, you are right to bring this up right now — it has been a very big topic internally even before your posts — and affirmative community engagement on this critical subject is invaluable. Really appreciate your deep thought as always, and look forward to picking this up soon!

6 Likes

Do we take from this that there is already a plan for decentralization, it just hasn’t been shared yet?

When this is made public, for my own take on these concerns I would really appreciate it if the current state is made explicitly clear. I think that users who don’t use L2Beat or read the documentation probably do not all understand the current centralization or potential risks and therefore would benefit from this being explained by the team. Maximum openness and education in your communications seems like a good strategy!

4 Likes