Author: Jango
Date: (2022-07-15)

Thesis#

JuiceboxDAO should be prepared to migrate to updated JBControllers as needed for security purposes. Its project ownership structure around a 9 of 14 multisig is sufficient to prevent unwarranted changes from taking effect without consent from protocol contributors especially concerned with risk and security.

This should be assumed until a proposal is approved to explicitly turn the allowsSetController flag to false.

Motivation#

JuiceboxDAO recently sponsored a Code4rena contest to find issues with the protocol’s codebase. The response was overwhelmingly positive with no existential changes needed, however there are a handful of security adjustments the DAO will be better off making soon, all of which re-enforce that the protocol will work as documented. These may involve migrating controllers.

Specification#

• Configure funding cycle #6 to allowSetController in the funding cycle’s metadata.
• Allow the multisig to submit a transaction to migrate controllers.
• Allow the multisig to submit a transaction to migrate ETH payment terminals.

Rationale#

It is important for the multisig to have discretionary powers over protocol contract migrations so it can act quickly if security vulnerabilities are discovered. This can be relaxed once the protocol stabilizes after further security reviews and audits, so as to restore full control to direct votes by JBX members.

Risks#

There is smart contract risks any time we introduce new code to depend on, however this already the case with the current code we depend on. The purpose of this proposal is to mitigate risks disproportionately to introducing new risks.

Timeline#

This discretionary power should last until a future proposal is approved to flip the metadata flag back to false.