MCD Docs
MCD Docs
MCD Docs
MCD Docs
Introduction to the Maker Protocol
Getting Started
Maker Protocol 101
Maker Developer Guides
Developer Guides and Tutorials
Smart Contract Modules
Core Module
Collateral Module
Dai Module
System Stabilizer Module
Oracle Module
MKR Module
Governance Module
Spell - Detailed Documentation
Pause - Detailed Documentation
Chief - Detailed Documentation
Rates Module
Proxy Module
Emergency Shutdown Module
Maker Protocol Emergency Shutdown
Migration
SCD <> MCD Migration
Upgrading to Multi-Collateral Dai Guide
Other MCD Documentation
MCD Glossaries
Smart Contract Annotations
Auctions
The Auctions of the Maker Protocol
Keepers
Auction Keepers
Market Maker Keepers
Cage Keeper
Simple Arbitrage Keeper
Command-line Interfaces
Seth
Multi Collateral Dai (MCD) CLI
Dai and Collateral Redemption during Emergency Shutdown
Emergency Shutdown (ES) CLI
Building on top of the Maker Protocol
Dai.js Wiki
Pymaker
MCD Security
Security for the Maker Protocol
MCD Changelog
Multi-Collateral DAI Public Releases
Powered by GitBook

Governance Module

The Maker Protocol's Governance Contracts

1. Introduction (Summary)

The Governance Module contains the contracts that facilitate MKR voting, proposal execution, and voting security of the Maker Protocol.

2. Module Details

The Governance Module has 3 core components consisting of the Chief, Pause and Spell contracts.

Governance Module Components Documentation

3. Key Mechanism and Concepts

Summary of the Governance Module Components

  • Chief - The Ds-Chief smart contract provides a method to elect a "chief" contract via an approval voting system. This may be combined with another contract, such as DSAuthority, to elect a ruleset for a smart contract system.

  • Pause - The ds-pause is a delegatecall based proxy with an enforced delay. This allows authorized users to schedule function calls that can only be executed once a predetermined waiting period has elapsed. The configurable delay attribute sets the minimum wait time that will be used during the governance of the system.

  • Spell - A DS-Spell is an un-owned object that performs one action or series of atomic actions (multiple transactions) one time only. This can be thought of as a one-off DSProxy with no owner (no DSAuth mixing, it is not a DSThing).

4. Gotchas (Potential sources of user error)

  • Chief

    • In general, when we refer to the "chief", it can be both addresses or people that represent contracts. Thus, ds-chief can work well as a method for selecting code for execution just as well as it can for realizing political processes.

    • IOU Token: The purpose of the IOU token is to allow for the chaining of governance contracts. In other words, this allows you to have a number of DSChief, DSPrism, or other similar contracts use the same governance token by means of accepting the IOU token of the DSChief contract before it is a governance token.

    • Approval Voting: This type of voting is when each voter selects which candidates they approve of, with the top n "most approved" candidates being then elected. Each voter can cast up to n + k votes, where k equals some non-zero positive integer. Read more here.

    • Implementations: If you are writing a front-end UI for this smart contract, please note that the address[] parameters that are passed to the etch and vote functions must be byte-ordered sets. Read more here.

  • Pause

    • Identity & Trust: In order to protect the internal storage of the pause from malicious writes during plan execution, a delegatecall operation is performed in a separate contract with an isolated storage context (DSPauseProxy), where each pause has its own individual proxy. This means that plans are executed with the identity of the proxy. Thus when integrating the pause into some auth scheme, you will want to trust the pause's proxy and not the pause itself.

  • Spell

    • The spell is only marked as "done" if the CALL it makes succeeds, meaning it did not end in an exceptional condition and it did not revert. Conversely, contracts that use return values instead of exceptions to signal errors could be successfully called without having the effect you might desire. "Approving" spells to take action on a system after the spell is deployed generally requires the system to use exception-based error handling to avoid griefing.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

  • Chief

    • MKR users moving their votes from one spell to another: One of the biggest potential failure modes occurs when people are moving their votes from one spell to another. This opens up a gap/period of time when only a small amount of MKR is needed to lift a random hat.

  • Pause

    • There is no way to bypass the delay.

    • The code executed by the delegatecall cannot directly modify storage on the pause.

    • The pause will always retain ownership of it's proxy.

    • Read more here.

  • Spell

    • The main failure mode of the spell arises when there is an instance of the spell remaining uncast when it has an amount of MKR voting for it that later becomes a target.

Smart Contract Modules - Previous
MKR Module
Next
Spell - Detailed Documentation
Last updated 2 months ago
Contents
1. Introduction (Summary)
2. Module Details
Governance Module Components Documentation
3. Key Mechanism and Concepts
4. Gotchas (Potential sources of user error)
5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)