Boom DAO minting proposal 653

Intro

During recent events in the Boom DAO SNS, there was a critical proposal 653 for minting SNS tokens which was executed almost immediately, triggered by only 2 neurons that voted.

This raised some concerns in the community that there could be a technical bug in the SNS framework.

In this post, we refute this hypothesis. The fact that only 2 neurons could vote is
a consequence of a sequence of proposals that changed the SNS parameters. In addition to laying out the facts, we also draw some learnings.

How could it be that 2 neurons got 100% of the voting power?

Each SNS DAO can customize the detailed governance rules and tokenomics in the nervous system parameters (learn more here).

One parameter relevant for this case is called neuron_minimum_dissolve_delay_to_vote_seconds and defines the minimum dissolve delay (i.e., staking period) that neurons need to be eligible to participate in voting. When a proposal is submitted, the governance takes a snapshot of which neurons have a dissolve delay that is no less than this value and those are the neurons that can vote on the proposal.

The following plot shows all recent Boom DAO proposals that changed nervous system parameters and what they set the minimum dissolve delay to. Note that the execution time (the right end of each proposal) is relevant to understand which value the minimum dissolve delay had at each point in time.

1600×577 80.9 KB

Let’s zoom in a little bit to the time when proposal 653 was adopted.

978×1158 64.5 KB

We can draw the following conclusions from the data.

• There were only 2 eligible neurons on the minting proposal (653) because all other neurons had a dissolve delay below neuron_minimum_dissolve_delay_to_vote_seconds at the time when proposal 653 was created. Therefore, these 2 neurons comprised 100% of the eligible voting power and could adopt the proposal quickly.
• The value of neuron_minimum_dissolve_delay_to_vote_seconds had been dramatically increased from 48 hours to over 54 years by proposal 617 (shown by the red line)
• Proposal 617 was inside a stream of many proposals setting the neuron_minimum_dissolve_delay_to_vote_seconds to 48 hours.
  • In particular, proposal 620 (shown in purple) was the first of those to be executed after 617, resetting neuron_minimum_dissolve_delay_to_vote_seconds from 54 years back to 48 hours.
  • The window during which neuron_minimum_dissolve_delay_to_vote_seconds was very high (54 years) was just over 20 minutes (as shown by the arrows), but that was enough for the two neurons to set their dissolve delay to 83 years and be the only eligible neurons during this period.
  • All other neurons (apart from these two) could have participated and potentially voted against the minting proposal 653 if they also increased their dissolve delay to a value over 54 years after the execution of proposal 617 and before the creation of the minting proposal 653 - thus within a very short time frame.

Takeaways

Proposal 653 was not adopted due to a technical bug in the code, but due to a series of proposals with arguably confusing or unexpected effects for some users. For this reason, we conclude with two takeaways.

• To make it harder to change nervous system parameters in the future, the NNS released a new SNS governance version that makes the topic “DAO community settings” that includes changes to the parameters critical (forum post, proposal). This means that going forward a proposal to change the parameters can only be adopted under stricter conditions (see documentation for the detailed rules for critical proposals).
  • In the Boom DAO case, if proposal 617 were critical it would not have been approved (the condition that ⅔ of the cast votes are in favor was not met as there were 36.8% yes and 30% no votes of the overall voting power).
  • In general, it is always possible that few parties get a majority of the voting power by buying enough tokens if there are enough SNS DAO members willing to sell their tokens. Making proposals critical does not prevent this - it merely shifts the line of how much voting power is needed to dominate voting in the given topic.
• In a lot of the voting frontends it is hard for human voters to read the proposals that change the SNS parameters and spot the exact change of each proposal. We plan to look into updating the NNS dapp to
  • Make it more visible which parameter would be changed in a given proposal.
  • Make the parameters easier to read (e.g., not only show the dissolve delay in seconds, but in a more readable format).

Great, now explain how ICP / NNS is not susceptible to the same issue as this as well as same issue that riddles traditional tech stack: xz exploit - Brave Search

Technical bug or design flaw?
Technically its no different to xz exploit - Brave Search. It was passed and “voted on to be pushed”. Tell me Im wrong.

Just wondering, why frontend updates are not 67%? Couldn’t I just code to use that sns library to have you vote yes provided you’ve got the hotkey on neuron?

Like say a whale has his OpenChat hotkey on his neuron and a malicious frontend upgrade goes through doesn’t that pose the same risk?

Perhaps if…

ALL PROPOSALS were displayed in

PLAIN LEGIBLE ENGLISH THAT ANYONE CAN READ AND NOT BURIED IN BARELY LEGIBLE JSON IN THE DASHBOARD.

That might be a good improvement.

Excellent detective work, well done guys, how many PHDs did it take to figure that out?

Hopefully @Leadership will stand with their retail investors and vote correctly on NNS proposal to remove this from the SNS.

It sounds that it does not solve the risk of a team rugging? I never knew the SNS parameters can be changed. Why is that possible anyway?
Is it not possible to have fixed SNS parameters pre SNS launch, community reviews it and then the team can submit the proposal if green lit. Teams being able to change the parameters still sounds risky and it only takes a few bad apples to do so…

Glad to see that there will be something done. all proposals that propose to change parameters should be scrutinized and in light of what we have seen with BOOM DAO then it should surely be possible to even flag a proposal as suspect where certain parameters being changed could mean nefarious actors can game the system - i.e. rug it.

Surprised this was never in the SNS\NNS from the start.

This is a stain on ICP. Investors will surely go elsewhere if you don’t punish these bad actors. OG supporters have had enough!

@lara Since it was DFINITY that setup these SNS parameters making the foundation partially responsible for these malicious proposals, how about you guys own it and create a fund for refunding investors impacted by these events that still hold neurons with staked tokens?

A good design highlighting critical parameters and warning signs would always help.
What is this json proposal? It could improve a lot.

Stop Blaming Dfinity for malicious players - instead ask what specific changes should be made

Because wenzel Leo and Enzo had nothing to do with boom dao doing that lol.

Hah, yeah sure. They’re in the telegram group doing damage control.

Why do you think this was hastily coded?

Let the record show:

image984×501 28.2 KB

image979×769 42.3 KB

Is this to remove boom dao?

The motion proposal stated that the newly minted tokens were dumped on icpswap which is incorrect. They staked all new tokens. The only tokens they did sell were from a treasury transfer and not newly minted tokens.

image1542×777 72.9 KB

image1466×607 53.3 KB

And tokens sent to a canister still hold the 1 million tokens from this mint event.

image1472×682 45.1 KB

Other than that I wonder why dfinity voted to reject this as well as CO.Delta and D-Quorum. (Im not asking about code gov as adam has stated his theory for it.)

We’re on the same page.

I didnt make the proposal. My assumption was that the dev team is just holding the tokens to prevent any more attempt at a takeover. But I didn’t speculate about this.

I think it is important to acknowledge that the newly minted tokens were staked and not dumped as previously speculated.

They didn’t extract value from thin air but they did take value from the dao treasury. What they did is still wrong and I do not support daos acting that way. I just think the facts matter in situations like this.

Your little group decided you wanted to extract as much value as possible. @wpb and frame me for it. I absolutely love how this worked out.

Synapse, CodeGov, BoomDAO scammers - you’re done.

You have made NOTHING that is decentralised. It’s all value extraction dressed up as decentralisation theatre.