Objective

The goal of this proposal is to modify the current multisig appointed in [WIP #21].

• Modify the multisig members based on legal consultation.
• Improve the multisig efficiency.

High Level Details:

As a result of WIP #28 and WIP #30, five officers have been appointed to Wonderland Core Team.

As a recommendation to reduce liability on core team members, they should not hold another sensitive position to the protocol’s security.

It is also recommended that Wonderland refrains from publicly doxing the individuals participating in the multisig, as it is not a paid position and the DAO does not cover potential security issues nor the costs to limit the risks that may arise due to this role.

Provide Low Level Details:

In order to achieve the objectives above, here is what is being proposed:

• Remove @NalX from the multisig
• Will be removed after the new signers have been added.
• Add two new members to the multisig
• One neutral party and one community member with no official or unofficial role in Wonderland (e.g. officers, treasury operators, moderators).
• Keep the multisig requiring three signatures to execute transactions (3/6).
• This aims at improving execution time while sacrificing limited security.

The team has already identified two additions experienced in working with a multisig. One of them has extensive knowledge that will be useful to create complex transactions when required. This is something that current signers could not always cover and had to ask the Technical Officer for assistance. Both can read and verify the needed information, are diligent and active daily. Activity times (timezone) overlap with existing signers, so establishing an organized structure with an additional member will ensure fast and frictionless execution times.

Before anyone is added to the multisig, they will be internally doxxed to the Operations Officer. The Operations Officer will verify their identities and background and make sure they are not affiliated with other protocols that would create a conflict of interest. The data will be encrypted and given to the legal department, for additional security and accountability.

These changes will improve the efficiency of the multisig, which is currently sub-optimal, while adding another layer of security and keeping identities protected.

Business and/or technical requirements

If this passes, the new members will be added to all multisig and communication channel. Once it is done, Nal X will be removed.

Since an RFC is a “work in progress” Proposal, not all of these points need to be filled out from the beginning. They can be added over time as the RFC evolves into a mature Proposal.

Who is being proposed to be added? It wasn’t specified which is important and transparent.

This means the individuals in the MultiSig won’t be doxxed at all anymore to the public as advised by legal for security reasons, theirs and MultiSig’s. Instead they will get fully doxxed internally only to OO and legal. I think there is an exception for individuals already exposed to the DeFi world and they have their security sorted. I don’t have more information about it, @Bamchicka who is in contact with the legal firm probably can verify and provide more information.

Doxed in crypto refers to someone’s real identity as in legal name. Simply identifying them by their discord name isn’t doxing. If a law firm made this recommendation do you have a the written legal opinion from said firm for transparency?

I explained the situation to more than one person and firm - and the most often mentioned recommendation was to either ensure full security for these people, which we can’t do - or dox them as less as possible.
Sure, we can add some discord names to that, but that already exposes them. It really isn’t that hard to doxx somebody.

People like Sky and dafacto have their own cyber and rl security, “normal” users are rather simple to doxx based on their discord and twitter names.

Our multisig isn’t small and it’s a middle way.
I’d rather be overprotective and use the extreme way than be responsible for wrench attacks.

Can you explain who the legal department is? Wasn’t aware we had such a department.

Think that was an oversight on my end, it´s the legal advisor company we hire. Not an inhouse department. The law firm we will be onboarding with as client. Several options here still, so I couln´t name them and probably used a confusing term, sorry.

So you realize the optics of this right? An anon is asking the dao to add anon people to multisig based on some anonymous legal firms advice. Zero transparency to the dao and doesn’t instill confidence to investors.

Well we can wait to be a legal entity before to address multisig performance. Won‘t change the proposal.

I want to get on board with this, as I understand the issues put forward in the proposal and I agree it needs to be worked out to better protect our team. At this stage I can’t though, as it’s just too discreet. I would be more comfortable with this approach after a law firm has been secured and the community has had time to become familiar with them. In addition, I’m just not comfortable with the lack of detail regarding the individuals. I recognize the need for security but I believe it’s possible for this to be upheld while still offering more information to allow for members to have some idea of who is managing the last gate of protection for the DAO’s treasury. The multisig is a special set of people who hold the final keys to the chest, it’s very difficult for me to be comfortable not having Any info about them other than an internally produced description of their skill set.

This is a difficult issue to juggle, I understand that. I don’t want to come across as disinterested. I appreciate the initiative and want to see something come of this, I just don’t feel comfortable with it in it’s current form.

What are some costs associated with establishing the security necessary for multisig members? For instance, what firewalls do Sky and Defacto pay for to provide them the level of security necessary to feel comfortable being on the multisig and having their alias’s (or even identities) doxxed?

I feel this would be a very useful discussion to have with the DAO, to allow the community a chance to decide if these costs are potentially feasible to provide our multisig members and even other team members a comfortable level of security so as not to need such secrecy. I personally feel there is an assumption made in this proposal - that the DAO would prefer the lack of transparency over eating some cybersecurity costs.

3/6 does not sound secure. Especially when the community cannot even get their Discord name to make their own judgement based on message history etc.
1 anonymous 3rd party was cool. This is too much

I do not approve

Costs associated with security vary wildly from person to person. Some, like Dani and Harry, have guards and multiple secured homes. I have a lion.

If Wonderland were to itself propose a security package, and it turned out to be insufficient, the liability could be extraordinary.

Maybe I’m misunderstanding the security needs being considered. Is the need for secrecy due to life threatening security or due to doxxing and liability concerns that come along with doxxing?

I can’t imagine we would provide life-safety security to any team members for quite some time, but I would find it feasible to provide for some expenses that may increase the privacy firewalls of the team.

Guys I don’t like this. It’s all a bit too vague and shady. I get the security point, but do we really want someone on our multisig that can’t even detach their Discord from their Twitter?

At least Discord name should be given, public knowledge to the DAO. We can’t be going and creating some elite core at the centre of a Decentralized organisation, plus we as the DAO have a right to know who’s on the multisig.

Love you people, but I don’t see this as any different to that time Dani added some random to the Multisig and was like “yeah it’s cool because he knows a guy I know and so it’s all gravy”

It’s a No from me.

I was thinking wrench attacks.

I’m not sure yet, I need to get consultation on this still, but I suspect that this type of activity will only increase the liability concerns for elected members. Every time the community has to rely on the guidance and decisions of the elected members, without sufficient information to arguably be able to make the informed decision themselves, team members responsible for the arrangement might be considered additionally liable - in the event of legal or regulatory action being taken against the DAO.

It would concern me if the team takes actions that have the goal of limiting liability, only to transfer that liability onto themselves. These liability concerns that we have for the multisig members, they are not limited to multisig members, other team members are subject to the same concerns. I recognize the need for limiting information and totally agree with the advice from the legal experts mentioned in the proposal, but I think this level of secrecy is taking their advice a little further than is practical. I believe there are other ways we can resolve these liability concerns while also allowing for sufficient transparency for the DAO to make an informed decision on the matter without relying on the personal recommendations of the elected team.

I would say mufkisig members are at much higher risk of this type of attack. The goal is to extract keys for the treasury. Other than Nal, officers don’t have keys to the Treasury.

Legal liability is another story.

I see what you mean. I have a feeling it’s not an exceedingly dangerous position for someone. Yeah, there is additional safety risk by default, but it’s not that much more than most folks experience on a daily basis within their communities.

The danger of wrench attacks is low, especially with the multisig needing so many members to pass anything through. That additional security measure for the DAO is equally an additional preventive security measure for multisig members. Any individual or group smart enough to actually execute an attack with a plan to steal would be aware of the multisig firewall. Many doxxed people in the public eye present an easier target, with their home addresses sold on maps to tourists - no armed guards at the gate, they jog like everybody else.

There are many things that got taken into consideration here, mostly stems from the observation that it is nearly impossible to comply with the wishes of fast execution on our current multisig constellation.
Removing Nal to reduce his personal liability and not have team members on the multisig will make that even harder.
Anybody on the multisig right now should (out of liability not only for themselves, but also for the DAO) fulfill some minimum requirements, to limit the risks.

Daniele wasn´t really kidding when he said that nobody wants to join Wonderland multisig.
Yes, I am sure somebody will step up now and say “pick me, I don´t care”; but I doubt that person will have put too much thought and research into that decision and be qualified. Which is something we´ve already had twice now (YC and Tikka) and keeping candidates complete anon solves that for them.
I don´t doubt that they will, in time, be open to at least put their discord name to it, but when we talked about the possibilities the above presented solution was a “sure I´ll join” vs a “maybe, it´s a lot to ask for”.
I doubt there are many protocols out there with that many disgruntled ex investors and our treasury isn´t considered small.
This is a rather radical solution, I agree with that. But it also offers radical protection on both sides.

We used to have the names (doxxed and anon) of everybody on our sig and no idea who these people were. That is something pretty normal, all you get is a list of anon names. Doesn´t take as much as many might think to doxx somebody from that info and it takes only one person that has a bad history with Wonderland to do that and step out.

Alternatives like adding and adding more and more, ending up with a 5/8 or similar constellation are unlikely to solve that, ever. The absolute most efficient multisigs I´ve seen are team held, very small and full of pro´s. We don´t have that. Execution times of days and days are out of the question. Randomly adding more people is out of the question.

I was approached with this idea by somebody that listened to the AMA with Dani and is involved with two other protocols as signer - took it to the lawyers and they confirmed that it´s the absolute most secure way. In the end - what exactly does the anon name say to the community that makes it important to know it? To be able to call them (random name) David instead of signer 1?