Summary:
Create a Gauge Risk Assessment Team responsible for reviewing and publishing any risks associated with protocols applying for a gauge. The team will also review existing gauges to create a comprehensive report on potential risks.
This proposal comes from the Curve Grants Council, with contribution from @Tritium (BadgerDAO).
Abstract:
Recent events involving the USDM pool have resulted in its gauge being killed by the Emergency DAO. New information about the Mochi protocol recently became public, revealing that there were significant design risks that made the USDM gauge vulnerable to exploit.
Going forward, we intend to be more critical of protocols applying for a gauge. This will slightly extend the process of implementing a gauge to allow for report publication. The process will be:
Gauge application is submitted to the Curve governance forum
Gauge Risk Assessment Team reviews and publishes a report on the protocol
On-chain gauge vote is initiated
Note that this team will not have the power to prevent or determine the outcome of a gauge vote. Their purpose is to help inform DAO voters of potential risks. The ultimate decision remains at the discretion of the DAO.
Assembling the Team:
The Grants Council has funds available that we intend to put toward personnel compensation. In the future, the cost of this service may shift to the protocol applying for a gauge, but for the time being we plan to bootstrap with grants funding.
The initial team will be composed of 2 paid members who will be responsible for representing and carrying out the duties of the Gauge Risk Assessment Team. Their research process is to take place publicly to allow participation from community contributors.
Anyone wishing to apply for this position should submit their resume to the grants council at Curve Finance Community Grants. Applicants should be long time community members with a deep understanding of Curve and a technical background.
A list of qualified candidates will be put to a snapshot vote, and veCRV/vlCVX voters will select hires. The team members selected by DAO vote will be compensated for a 3 month period. After 3 months, a vote by snapshot will determine either to extend or terminate compensation. Our goal with this system is to help the DAO stay closely involved with the team members and their work.
Specification:
The team will review specific aspects of the protocol under review that may constitute a risk to the gauge reward system. Their investigation should answer 3 questions:
- Is it possible for any single party (person or entity) to scam (“rug”) its users?
- If the team vanishes, can the project continue?
- Do audits reveal any concerning signs?
They will report on details, such as:
- Privileged addresses, and what they have the power to do (can they rug?)
  – If yes, are typical safeguards in place? Timelocks, multisigs etc.
- Multisig details
  – What are its capabilities?
  – Who are the members and are they credibly distinct individuals?
- Relevant platform details
  – Analyze level of decentralization
  – How long has the platform been live? (Is it time tested?)
  – Other benchmarks (revenue/TVL)
- Curve pool history
  – How long have they had a pool up?
  – Historical TVL/Volume
- Code review
  – Is the code audited, by whom, is it comprehensive, and what is the auditor’s reputation?
  – Relevant findings in the code
As this service is intended to be a convenient tool for DAO voters, the reports will be presented with consistency and readability in mind. It should be very easy for community members to glean the essence of the review at a glance. The reports should, nevertheless, be thorough and strive to create a complete representation of the platform, covering all areas of concern.
While priority is on reviewing incoming gauge applications, the team will also review protocols with existing gauges. The goal is to maximize transparency about risks to Curve’s gauge system that ultimately helps to inform DAO voters and protect pool LPs.