Improving security of contract owners

flashprofits.eth · January 17, 2022, 11:18pm

The owner of qrETH and most of the other Liqee contracts is currently set to 0x747c69fe70b70fb737486f85dd56c0822ed39d46. This contract is called “Timelock” and it is owned by 0x1477959bcb3b6782f278b798b4f80caf4cf252c6.

I see two main problems with this setup.

Most importantly, while it is called “Timelock”, there is no actual time delay before executing transactions.
The owner of the timelock is a single externally owned account.

Both of these issues reduce the amount of funds I am willing to deposit into Liqee. Even if you are completely honest and will never rug anyone, this is still a risky setup. Someone could hack you and steal funds. I know that this ownership is temporary until the DAO launches, but now that the DAO is delayed, we should address this now.

I propose that the current Timelock deployment be replaced by a more standard Timelock contract with at least a 24 hour lock on it. This will slow down your development slightly, but will be much more secure and require far less trust from the users.

I would also like the timelock be controlled by a multisig (like https://gnosis-safe.io/), but having a timelock in place is sufficient for me.

What do you think? I know the devs are busy with other plans and so I would be willing to do some of the work here. Liqee is the only place I can use my rETH and I’d really like to use Liqee more.

Cherish · January 18, 2022, 7:30am

We are glad to receive your sincere suggestions.

We totally understand your concern, but our new features are still under development which conflict with the timelock, and we currently haven’t found a good way to solve the problem. We will still try to list better plans to resolve the compatibility issues after the new features are launched.

Thanks for your understanding.

flashprofits.eth · January 18, 2022, 5:09pm

Sorry, but I don’t see how a single day delay to deploying of contracts that control everyone’s money is a major conflict. It’s just one day. You expect your development to take months, so a single day should barely matter.

Every person I’ve talked to is staying away from Liqee until the owner is secure. Given that there are a total of 4 borrowing accounts on Liqee (and I am two of them), it’s clear to me that this security issue is keeping everyone away.

Please reconsider.

Cherish · January 19, 2022, 6:41am

We will transfer the contract owner rights to the gnosis-safe multi-signature account.

This is already in plan, don’t worry.