Risk Pod: Pod Creation Proposal

This proposal asks to establish the Risk Pod within Gro DAO. This proposal will be open for comments over the next 3 days. If no substantial changes are required, it will then be open for voting for another 5 days.

Mandate

As Gro DAO further decentralises, I propose forming the Risk Pod to:

  • Provide independent risk assessment for decisions on proposals, such as strategy whitelisting, before they are submitted to governance votes
  • Provide feedback and analysis on risk levels of suggestions from other pods / committees when requested
  • Create and maintain documentation on risks to Gro protocol
    • This will include a comprehensive list of threats
    • Each threat will have a mitigation, alert (as required) and response plan
  • Engage with third parties for additional expertise in better understanding Gro protocol’s risk exposure and improving its risk management practices
  • Submit proposals to Gro DAO to help address and mitigate risks

There is already a risk channel created in the Gro DAO Discord server. This proposal seeks to formalize the Risk pod, which would lay the foundation to improving risk management to advance the DAO’s mission. The risks faced by Gro DAO have been preliminarily outlined in this separate document.

This does not include executing on smart contract audits or bug bounty programs, which would be under the Groda Product Pod’s purview.

Composition

Following the framework suggested in this post, the Risk Pod can include individual and entity contributors alike. The pod could have contributors on a regular, full-time basis as well as those contributing on a part-time or project basis.

I would also propose myself as the Risk Pod’s facilitator. My current role is as President of DeFiSafety. I have extensive risk based experience, both from 2 years of DeFiSafety and more from my time in aerospace. I have spent the last 2 years studying DeFi security exploits.

I would commit to a minimum of 4 days per month, maximum of 6, depending on the workload. This would be for a fixed compensation of US$5,000 per month (averaging $104-156 per hour which is in line with benchmark figures outlined in the Aave RiskDAO proposal here), plus 18,000 GRO tokens per month with 12 month vesting to align long-term incentives.

Budget

For the next 6 months, I propose a budget of $100,000 USDC that will be transferred to the Risk Pod operational wallet if approved.

Budget breakdown (first six months): $100,000

  • 1 facilitator: 30,000 USDC over 6 months
  • Projects or part-time contributors:
    • Exponent Real time DeFi risk metrics $53,000
  • Buffer (additional part-time contributors or services): $17,000 USDC over 6 months

As a check and balance, the operational wallet will be a 2-out-of-3 multi-sig with the Risk Pod facilitator and 2 contributors in the People Pod as signers. To facilitate day-to-day operating expense payments, the Risk Pod facilitator will be designated as beneficiary of a spending limit on Gnosis Safe. The spending limit is defined as all budget to be sent to the operational multi-sig listed below, excluding the Risk Pod facilitator cost. The Risk Pod facilitator compensation will require at least 1 signer from the People Pod for payment – it should by default be paid out unless the pod acts maliciously, goes missing, or otherwise goes off-path. The operational wallet’s address and signers will be published once set up for transparency.

Given the above figures, the spending limit under the Risk Pod facilitator’s complete discretion would be $70,000 USDC.

Actual spend will be reconciled with the budget at the end of the 6-month period. Any unspent budget will be returned to the DAO treasury after the reconciliation.

Reporting

Risk Pod will update the DAO on its progress regularly through the community channels such as Community Forum, Discord, and Telegram.

In addition, there will be a quarterly report to summarize progress achieved and high-level plans for the next 3 months on the Community Forum. The second quarterly progress report will coincide with the 6-monthly budget report outlining actual spend and proposing budget for the next 6 months.

Conflict of interest

I also work as President of DeFiSafety. This is advantageous to both GRO DAO and DeFiSafety. GRO DAO gets the value of my significant risk experience and contacts. DeFiSafety better understands the inside operation of a DeFi protocol. It is win-win.

However, when GRO DAO contracts DeFiSafety for work, for example in the Framework proposal, there is a clear conflict of interest. For these commitments, I suggest they go to a full DAO governance vote. This will take place just once per year.

Next steps

This proposal will be open for comments over the next 3 days. If no substantial changes are required, it will then be open for voting for another 5 days.


I’d like to express support for risk pod formalization.

I believe the facilitator role for the risk pod would require security rigor, understanding of DeFi ops, process evaluations and project management, which I think @Rex_DeFiSafety’s experience is a good fit for.

some comments:

  • I think it would be prudent for a risk pod member to be an emergency multisig signer as outlined on the org diagram. Especially given the role and purview of the pod within the larger DAO, the ability to initiate transactions and effect changes under emergencies seems prudent.

  • along the same line as :point_up: it should be clear that the performance indicators of the pod will be tracked on providing assessments, recommendations and, in broader terms, sense making, since there is a reliance on the rest of the org to take actions and follow the security guidelines, i.e. the OpSec/DevSecOps methodology is largely dependent on the product pod and other DAO members to follow.

  • the OP has described a conflict of interest with the referenced framework proposal. I’d like to point out the overlap between the role and responsibility of the facilitator and the aforementioned proposal, i.e. security process documentation. It might be wise to update the latter if the Risk pod creation is first formalized? Or another option would be to include the latter within the budget as in-scope work.

Thanks for drafting a proposal to formalise the risk pod :raised_hand::raised_hand:

Some reflections

  • Execution: Great to see a proposal that is not just about assessment/observations but also involved in execution like documentation and developing response plans etc!
  • Monitoring options: It may be an idea to separate the Risk pod approval from the Exponent proposal. @SAS , @chriswong and @KD0x701137 from Groda Pod have already done work on real time monitoring (but the monitoring stack is only known within the product team) so should review with them. Also, @pavel has raised an alternative battle-tested approach from Maker which seems worth considering if kicking off something incremental.
  • Cost basis: The proposed day rate of $833-1,250 compares with Groda Pod’s average FTE day rate of $467 ($486000 / 8 FTEs / (130 working days)) and the quoted range of $385-$615/day for the People Pod facilitator.

Thanks for your comments. I will circle back with Joyce on modifying the proposal wrt Exponent. As for the daily rate, I think the values are about right, as one is a part-time/contractor role and the others are full-time positions. Contractors generally get a larger daily rate. That said, how many days of effort per month would you like to see out of this position?

I propose a budget change from:

To:
Budget breakdown (first six months): $100,000

  • 1 facilitator: 30,000 USDC over 6 months
  • Buffer (additional part-time contributors or services): $70,000 USDC over 6 months