The following is the second in Flywheel’s Frax 101 series which aims to provide the most comprehensive guide to the Frax protocol and how each of its stablecoins and subprotocols work. While in the first issue we looked at $FRAX the dollar-pegged stablecoin, in the second,  we review the history of Frax governance and introduce protocol’s newest module, frxGov.

Frax is undergoing significant changes to its governance structure in order to enhance decentralization and mitigate risks with the introduction of frxGov. By bringing governance fully on-chain and leaving the final arbiter of protocol actions to veFXS holders, the Frax Core Team has taken a vital step towards decentralization in an area has been a fiery touch point for detractors since launch.

At First, There Was A Multi-Sig

The multi-sig is a point of centralization for the protocol that brings certain risks to the DAO-at-large and, especially the Core Team members who operate it as of today. For those unfamiliar, a multi-sig is a smart contract wallet that requires a quorum in order approve transactions. Although they are much safer than your typically EOAs (Externally-Owned Accounts) Hypothetically, if authorities were to arrest enough members of the Core Team today, it could lead to a situation similar to OKX, where the international exchange was unable to process withdrawals for several months until CEO Star Xu was released from house arrest.

We’re going to go into detail about Curve governance with special shout out to the Llama Risk team for doing the research in their expansive article.

The multi-sig is a singular operator of onchain proposal and execution. While the Core Team has followed the will of veFXS holders since launch, in an adversarial environment this trust should be unwarranted. veFXS holders must be able to shut down unacceptable or rogue transactions created by malicious multi-sig signers. Without this power, the entire protocol is at risk, and this is why the Core Team has been working extremely hard to revise the governance module in 2023.

Currently, finalized draft proposals in the Frax ecosystem undergo a three-day discussion period, followed by a five-day off-chain voting period on Snapshot. Voting results are determined by a simple majority and a 7.2m veFXS quorum requirement. Additionally, Frax uses weighted voting, allowing veFXS holders to allocate their votes across multiple options.

Frax initially deployed a governance contract derived from Compound's governor alpha, utilizing FXS as the voting token. However, this on-chain voting engine has not been operational since December 2020, with the exception of setting the timelock address. There were unsuccessful attempts to update the contract's admin in early September. Consequently, there exists an implicit trust assumption in Frax governance, as veFXS voters must trust the core team to respect outcomes determined on Snapshot.

The Core Team also possesses complete control over the Frax’s assets. Currently, a 3 of 5 multisig, consisting of Sam Kazemian, Travis Moore, Jason Huan, and Justin Moore, and veFXS holders manages approximately $690 million of Frax assets. Drake Evans is planned to be added to the multi-sig once the new Gov module is launched. This multisig, along with a timelock contract, also holds administrative rights over other Frax contracts, including a wallet holding $524 million of Frax assets on Curve. In total, over $ billion is managed by the core team.

The Core Team is public and well known, which reduces the potential for collusion and theft. Currently, Sam, Travis, Drake and Justin are US citizens and residents, raising additional risks.

The multi-sig was a chosen as a first step in order to ensure the safety of the protocol in times of duress, especially early in its development. This configuration has enabled Core Team has been able to respond to several hacks quickly to withdraw protocol-owned liquidity from compromised contracts, saving tens of millions of dollars in the process. Yet at the end of the day, the multi-sig was always a stepping stone on the path towards decentralization and with the protocol now entering more mature stages, the time has come to bring governance truly on-chain.

Enter Frax Governance 2.0

Finding an equilibrium between speed and security is akin to sailing between Scylla and Charybdis. Reliance on just multi-sigs opens the protocol up to IRL compromise, while fully on-chain voting can lead to indecision or new attack vectors. When designing the new governance module, the Core Team wanted to retain the abilities to quickly act, while entrusting full power and accountability with veFXS holders.

The end result is Frax’s new governance system, comprised two governor contracts, Governor Alpha (GovAlpha) and Governor Omega (GovOmega). The idea is that GovAlpha has ultimate control over the entire system, but it requires a high quorum. GovOmega, on the other hand, uses low threshold voting for speed. It’s the daily driver for adjusting AMO’s.

Governor Alpha

Governor Alpha has master control over GovOmega parameters, and whitelisted Safe multi-sigs. The GovAlpha contract is directly controlled by veFXS votes and must reach a high quorum of 40% to change any parameters. Anyone is able to propose changes to veFXS, with a 5-day voting period. After a GovAlpha proposal is passed, it will then queue up in a 24hr timelock for execution.

One new function that’s being added for veFXS is the ability to delegate voting power to any address. As not everyone is able to closely follow all on-chain governance or access their private keys in a timely manner, they will be able to delegate to a trusted party to vote on their behalf.

GovAlpha will inherit all existing Frax contracts once it goes live.

Governor Omega

GovOmega is similar to the Alpha contract, however its powers are limited. It allows veFXS holders to act as a check and balance on Safe multi-sigs. veFXS has direct control over GovOmega and can sign or abort any multi-sig transaction with 4% quorum simple majority with a 2-day voting period.

GnosisSafe Multi-sig

As mentioned above, Frax currently employs a 3/5 Safe multi-sig for control of the protocol. This multi-sig will be retained with the new governance module, however, new smart contract processes will be placed above it to ensure the long term safety of the protocol. Potentially the X/Y number could be increased from 3/5 to accomodate new Frax Core Team members like Drake and others.

FraxGuard

FraxGuard is a contract that restricts Safe transaction execution to Safe owners and requires approval from GovOmega.

The contract takes the address of the GovOmega contract and sets it as an immutable variable. Every time the Safe multi-sig is about to execute a transaction, it verifies that the GovOmega is an owner of the Safe and it checks if the given transaction hash is approved. If either check fails, it reverts the transaction.

veFXS Emergency Powers

In case of an emergency, veFXS voters have the ability to “short circuit” or execute a transaction so long as they have greater than 51% of voting power. This bypasses both the 2 or 5 day cooldown for either governor contract.

As mentioned before, 51% voting power should be achievable in a short time as veFXS voters will be able to delegate their voting power. This trade off does potentially enable on-chain collusion by entities delegated with significant voting power. However, this must be the trade off to ensure the protocol has rapid execution powers.

What happens if there is an emergency and FRAX DAO has to act immediately?

If there in an emergency, veFXS holders can call “Short Circuit” if they have >51% of total veFXS voting power. These Short Circuit transactions will pass both the vote period and timelock requirements.

What happens if an entity gains more than 51% of veFXS voting power?

Sam K answered in TG chat:

If a single entity or a coordinated group of individuals have over the quorum required for Alpha, they have complete total control of everything including removing the msig signers, appointing themselves as signers, and doing quite literally everything possible in the protocol. However, they still can't steal FRAX or other collateral in such a case since there is a mandatory timelock on Alpha (without short circuit or exceptions). So in a scenario where a single entity or colluding group of entities have quorum for Alpha and remove the msig signers, add themselves as admins, then propose removing all AMO liquidity etc there is a multi-day delay for everyone to safely exit and redeem/sell their FRAX/frxETH etc without any issues.

Governance Process

Approval Transaction Flow

In the docs the following example flow was given:

1. A safe multi-signer initiates a transaction. This produces a transaction hash that identifies the action to be approved or rejected by the other multisig owners.
2. 3 of the 5 multi-signers sign the transaction.
3. After 3 signatures are collected, anyone can call GovOmega to begin on-chain governance. The team is incentivized to do so because they cannot execute any transactions without GovOmega’s approval.
4. veFXS voters have a 2-day window to vote on the proposal.
5. If no quorum is met during the voting window, or the proposal passes, anyone can call execute(). This calls safe.approveHash() inside GovOmega to allow it to be passed by FraxGuard.
6. If quorum is met and the proposal is rejected, anyone can all GovOmega to abort the transaction. This will cause GovOmega to sign a zero ETH Safe transaction with the same nonce. Safe owners can then sign the same transaction using the “replace transaction” functionality. Safe owners can then execute the zero ETH transfer, incrementing the nonce. The original transaction can never be executed, because there is no approval from GovOmega and the nonce has moved on, invalidating the original transaction.

Abort Transaction Flow

Additionally, the docs also provide a flow for aborting a transaction:

1. A multi-sig owner starts a rejection transaction.
2. 3 of the 5 multi-sig owners sign the rejection tx.
3. Anyone can call GovOmega to abort the transaction which immediately causes GovOmega to approve a zero ETH transfer on the underlying Safe with the provided nonce.
4. Safe Owners can now execute the approved transaction.
5. This increments the nonce, rendering the original tx and accompanying veto proposal useless.
6. If the original transaction was already put into GovOmega, the underlying proposal will be marked “Cancelled” so no one else can vote on it.

Conclusion

As the march towards decentralization moves forward for Frax Finance, reducing reliance on the multi-sig and bringing a real bite to the teeth of veFXS holders is paramount in the protocol’s lifespan. The more Frax grows into the tens and hundreds of billions of TVL, the bigger target it becomes for both state and non-state actors who may have malicious intent. frxGov strikes a nice equilibrium that fits Frax’s needs at the current moment with the ability to act unilaterally, bringing actions fully on-chain, and placing final power to where it was always destined to belong, to the faithful that hold veFXS. We will see how this governance structure performs in the wild but nonetheless, Frax will continue its mission of being the most decentralized and innovative stablecoin protocol on-chain, only now with the governance to match.