Introduction
Before participating in any DeFi protocol, it is a good idea to understand how it is governed. This includes how changes can be made to the main parts of the protocol. Although some may argue that outlining how the different parts of the protocol are managed may cause a security issue, the fact of the matter is that the information is all public due to the openness and transparency of decentralized applications.
General Architecture
To understand how governance works in the Trend Token ecosystem, you first need to understand the general architecture.
Comptroller
The main purpose of the Comptroller, and of the admin keys that govern it, is to restrict the behavior of each individual Trend Token portfolio in the ecosystem. In the future, separate entities may manage each Trend Token portfolio, so limiting their activity reduces possible exploits; for example, performance fees can be capped at some level instead of being allowed to reach 100% or even greater.
The Comptroller consists of 3 keys:
- Admin
- lockedWallet
- pauseGuardian
These keys work together to add layers of security and reduce the impact if any one of them is lost or stolen.
Admin Keys
The admin keys are the most powerful keys in the Trend Token ecosystem. They can perform the following actions:
- Change Chainlink price oracle
- Change pauseGuardian
- Unpause state of protocol
- Support a new Trend Token
- Limit the actions of each Trend Token portfolio (e.g. TREND5), including:
  - Pause and unpause individual Trend Token portfolios
  - The tokens that can be added to the portfolios
  - Maximum threshold value to remove a token from the portfolio
  - Pause and unpause trading
  - Set maximum trading and performance fees
Risks and Mitigation
Exploitation of the admin keys would be a severe security breach with several attack vectors. The most critical is the Chainlink price oracle, as it can be manipulated to affect the Trend Token price.
To help mitigate this risk, there is another set of keys called lockedWallet, described below.
In the future, the admin keys will be governed by XTT holders to increase security and decentralization. The keys are currently in cold storage.
lockedWallet
The lockedWallet keys provide an extra layer of security in that they can lock the state of the Comptroller. In the locked state, the admin keys cannot perform any changes. The state is locked by default, which is a strong safeguard because an attacker would need to obtain both the lockedWallet and admin keys to make any changes to the Comptroller.
The lockedWallet has limited functionality:
- Set Comptroller to a locked or unlocked state
- Replace the lockedWallet address
Risks and Mitigation
Although the lockedWallet provides an excellent layer of security, it does come at a potential cost. If the keys are lost or compromised, the Comptroller may be stuck in a locked state, meaning that the manager cannot perform further actions.
To help mitigate this risk, multiple sets of the lockedWallet keys could be held in different locations.
In the future, the lockedWallet keys could be governed by XTT holders, who would vote on whether to lock or unlock the actions of the admin. Alternatively, the lockedWallet could be managed by other tokens such as Trend Tokens (e.g. TREND5) to increase security, as XTT and Trend Token holders would need to come to an agreement before changes are made.
pauseGuardian
The pauseGuardian can perform the following action:
- Pause all Trend Tokens (buy, sell, swap) - only admin can unpause
Risks and Mitigation
There is limited opportunity for the pauseGuardian controls to be exploited because their actions are limited. This allows the keys to be more readily available in case of an emergency.
An off-chain Alarm System constantly monitors the state of the Comptroller and each Trend portfolio, so if any alarms are raised the pauseGuardian will automatically pause the state.
It is unlikely the pauseGuardian actions will be governed by XTT Holders.
Trend5 Portfolio
TREND5 is a Trend Token that has a portfolio of 5 top crypto assets. The value of the Trend Token reflects the performance of a dual-momentum trading system applied to its portfolio. As of October 2023, the portfolio for TREND5 is BTC, USDT, BNB, ETH, and BNB, which may change in the future as coin popularities change.
Future Trend Token portfolios (e.g. TREND10, a portfolio of the top 10 assets) may not all behave in the way described below. Each additional Trend Token portfolio may have slightly different behavior if code modifications are necessary to optimize the new portfolio settings.
Manager Keys
Like the admin for the Comptroller, the manager keys are powerful. The following changes can be made by the manager:
- Update key contracts:
  - Trend Token Comptroller - limits actions of manager
  - Dualpools Comptroller - allows for supplying assets to earn yield
  - Incentive Model - calculates trade values and rebalance incentives
- Update key addresses:
  - Manager - replace this manager's address
  - Fee Recipient - change where fees go
  - Trading Bot - change wallet that changes desired allocations (more below)
- Change fees:
  - Performance fee - limited by Trend Token Comptroller
  - Trend Token Burn Rate - percentage of earned fees that get burned
  - Referral Reward - percentage of earned fees that goes to referrer and referral
- Max values:
  - Max Disable Value - largest value held by a token before it can be disabled
  - Max Trend Token Supply - maximum amount of Trend Tokens that can be minted
- Collateral values:
  - Contract Factor - amount of assets that can be held in Dualpools for yield
  - Adjust Collateral - manually adjust amount held in Dualpools for yield
- Redeem fees:
  - Redeem Performance Fees - mints Trend Tokens and holds in reserves
  - Reduce Trend Token Reserves - sends earned fees in reserves to fee recipient
  - Redeem XDP - sends earned XDP from Dualpools rewards to fee recipient
The Comptroller sets limitations on many of the above actions, such as the maximum amount of fees the Trend Token portfolio may have.
Each Trend Token portfolio has a unique manager who controls the above actions. In the future, there will be votes with the XTT token on what actions the manager should control for future Trend Token portfolio issuances.
For example, the manager can currently change the key contracts TREND5 can interact with. Although this provides great flexibility for future improvements, it also runs the risk of a malicious manager changing these contracts to manipulate the protocol in their own self-interest. XTT token holders may agree to keep these contracts fixed from the moment a Trend Token portfolio is issued to the public.
These include the Trend Token Comptroller, which limits the actions of the Trend Token portfolio manager, and the Dualpools Comptroller, which allows the protocol to supply funds to the Dualpools third-party contracts. contains the logic for swapping, and buying or selling Trend Tokens.
The manager keys may even be controlled 100% by the Trend Token holders. For example, TREND5 token holders may agree to reduce the swap fee from 0.15% to 0.10% for the TREND5 portfolio.
tradingBot Keys
The tradingBot keys have much less power than the manager keys. This is by design as they need to be readily available to make desired changes. The changes are as follows:
- Pause Deposits - only pauses buying Trend Tokens
- Pause Trend Token - pauses buy, sell, or swap with the Trend Token contract
- Unlock State - locks/unlocks to give permission to manager to make any changes
- Set Desired Allocations - sets the desired percentage of assets each token should have
- Enable or Disable Tokens - adds or removes tokens from the portfolio
The Comptroller sets limitations on many of the above actions, such as the available tokens to enable or under what conditions a token may be disabled.
These keys are held by the off-chain trading bot and give it quick access to update the desired allocations of the tokens in the Trend Token portfolio. This is necessary to ensure that target allocations of each token in the portfolio adapt to changing market conditions.
Emergency Procedure
If any of the keys above are lost or compromised, it could be a mild to severe issue. Below is a general procedure to follow if any of the governance keys are stolen or lost, as well as the potential consequences. The procedure is not comprehensive and may be updated at any time, such as when we move to a decentralized governance model with XTT and/or individual Trend Token holder votes.
Comptroller
admin Keys
Stolen
The lockedWallet would have had the state in locked mode by default, meaning the attacker would not be able to perform any actions if the admin keys were stolen unless the attacker also obtained the lockedWallet keys. If the admin wallet was compromised, the lockedWallet would unlock the state of the protocol and change the address of the admin, then lock the state again.
Lost
Nothing can be done. The Comptroller will remain in the state it was left in. For example, no new Trend Token portfolios, and no new tokens that Trend Tokens may add to their portfolios, will be added. The admin cannot be changed because the only wallet that has the ability is the admin itself.
lockedWallet Keys
Stolen
The attacker would be able to unlock or lock the state of the protocol indefinitely, meaning the admin may not be able to make any future changes if the attacker chooses to keep the state locked. The admin cannot change the lockedWallet address.
Lost
The lock would remain in the state it was in when the keys were lost, likely the default locked mode.
pauseGuardian
Stolen
The attacker would only be able to pause the state of the protocol. The admin would simply unpause and change the address of the pauseGuardian to regain full control.
Lost
The admin would unpause and change the address of the pauseGuardian.
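The Comptroller key scheme and the stolen-admin recovery sequence described above, modeled in Python as an added example (this is not the project's contract code). The class, method and address names are hypothetical, and gating every admin action on the lock is an assumption drawn from the page's statement that the admin cannot make changes while the state is locked.

```python
class Denied(Exception):
    """Caller lacks authority, or the Comptroller is locked."""

class ComptrollerModel:
    """Toy model of the three-key scheme; all names are hypothetical."""
    def __init__(self, admin, locked_wallet, pause_guardian):
        self.admin, self.locked_wallet = admin, locked_wallet
        self.pause_guardian = pause_guardian
        self.locked, self.paused = True, False  # page: locked by default

    def _require(self, caller, role, needs_unlock=False):
        if caller != getattr(self, role):
            raise Denied(f"caller is not {role}")
        if needs_unlock and self.locked:
            raise Denied("Comptroller is locked")

    def set_locked(self, caller, locked):       # lockedWallet only
        self._require(caller, "locked_wallet")
        self.locked = locked

    def set_admin(self, caller, new):           # admin, while unlocked
        self._require(caller, "admin", needs_unlock=True)
        self.admin = new

    def set_pause_guardian(self, caller, new):  # admin, while unlocked
        self._require(caller, "admin", needs_unlock=True)
        self.pause_guardian = new

    def pause(self, caller):                    # pauseGuardian only
        self._require(caller, "pause_guardian")
        self.paused = True

    def unpause(self, caller):                  # admin, while unlocked
        self._require(caller, "admin", needs_unlock=True)
        self.paused = False

def allowed(action, *args):
    """Return True if the call succeeds, False if it is denied."""
    try:
        action(*args)
        return True
    except Denied:
        return False

def rotate_admin(c, locked_wallet, current_admin, new_admin):
    """Page's recovery sequence: unlock, change admin, lock again."""
    c.set_locked(locked_wallet, False)
    c.set_admin(current_admin, new_admin)
    c.set_locked(locked_wallet, True)
```

With the lock engaged, `allowed(c.set_admin, admin, new)` is False even for the genuine admin, which is the same property that freezes the Comptroller if the lockedWallet keys are lost while it is locked.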
TREND5 portfolio
manager
Stolen
The state of the Trend Token portfolio is locked by default, meaning the manager would not be able to make any changes until the tradingBot unlocks it. Therefore, if an attacker gained control of the manager keys, they would not be able to take any actions. All in one transaction, the tradingBot would unlock the state of the protocol and a set of backup manager keys would change the address of the manager, then the tradingBot would lock the state again.
Lost
Nothing can be done. The TREND5 portfolio will remain in the state it was left in. For example, no new key address or fee changes could be made.
tradingBot
Stolen
The Comptroller has parameters in place to limit the actions the tradingBot can perform. This helps protect the funds in the Trend Token portfolio from being drained if the tradingBot keys were compromised. If the tradingBot keys were compromised the admin for the Comptroller will pause the state of the Trend Token immediately. A set of backup keys could be used to change the tradingBot address.
Lost
If the state of the contract was locked when the tradingBot keys were lost, then the state will remain locked indefinitely. The manager would be unable to make any changes. The Trend Token would be unable to make any desired allocation changes, but users can still redeem their Trend Tokens and use a replacement Trend Token portfolio that can be actively managed by a set of tradingBot keys.
Summary
The Comptroller admin and each Trend Token's manager keys are highly sensitive. The goal is to have their actions governed by a decentralized vote based on XTT and potentially Trend Token holders. But for now, they are held in cold storage. The Comptroller’s lockedWallet provides an extra layer of security and is also held in cold storage and only used when the admin needs to make approved changes.
The Comptroller pauseGuardian and Trend Token’s tradingBot are still sensitive, but much less so than the admin and manager. This provides an advantage, as they can be more readily available and make changes programmatically off-chain as needed. Backup keys are kept in cold storage in case the hot storage keys are compromised or lost.
Although summarizing the governance and potential sources of attack may bring attention to them and may result in attempts by malicious actors, the fact of the matter is that the cold storage keys are safe in cold storage, and once the Trend Token ecosystem gains a moderate following, the actions of the more sensitive admin and manager keys will be governed by XTT token holders, which would require a malicious actor to acquire a large share of XTT tokens to make changes.