[Proposal][#Voting Period] Signaling Proposal - Claw back unvested funds from Proposal 104

In Proposal 104, which was approved on 1 March 2023, Notional has been granted 120,000 ATOM for 365/24/7 monitoring of the Cosmos Hub regarding security vulnerabilities. The exact on-chain proposal can be found here

The funds granted in the proposal have been used to create a vesting account. At the time of this proposal, there are approximately 120,000 ATOMs left in the wallet, with a current value of $1,100,000.

Of these 120.000 ATOM, 90.000 ATOM are still locked and vesting. This proposal only refers to the vesting coins remaining in the wallet at the time of the clawback. Coins that have already been paid to Notional are not part of this clawback.

The wallet with the vested funds is cosmos145hytrc49m0hn6fphp8d5h4xspwkawcuzmx498

In the past few days, Notional has undergone a separation. 16 of the developers, and therefore most likely all developers, have left the company in a dispute with the company management. Currently, there appears to be a legal dispute over the handover of the cryptographic keys and the transfer of company shares. This is all being shared on social media, which is currently ending in a real mud fight.

An explanation of the devs who have left Notional can be found here:

As a result, it is currently virtually impossible for Notional to fulfil its requirements within the scope of the services granted in 104. Furthermore, it is doubtful that Notional will be able to fulfil its obligations in the near future given the current adversities. The loss of 16 developers in such a short period of time is hardly manageable, even without legal disputes.

Jacob, Notional’s CEO, has repeatedly affirmed that Notional is in a position to fulfil its obligations. However, there is no evidence of this other than the statement. The news that the last 3 developers have also left the company means, in my opinion, that there are simply no resources left within the company to realise proposal 104.

In addition to that, this proposal involves time-critical and confidential issues that must be resolved clearly and promptly. These cannot be left to a company that is more concerned with itself than with others.

Proposal 104 states: "If the community feels displeased with Notional’s work, they should create a governance proposal to claw back the unvested portion."

In light of the current situation, I hereby request that the money be returned to the community pool. As this is only possible through a software update, this is a signalling proposal to see if this demand finds a majority within the community.

It should also be noted that 3 out of 5 people from the multisig are no longer part of the company. This means that even if Notional were to continue the security assignment, a new multisig account must be created for security reasons.

What does each vote mean?

YES - I think that the money Notional has received should be returned to the CP.

NO - I believe that Notional should continue to be responsible for maintaining the security of the Cosmos Hub

NO WITH VETO - This proposal is spam or damages the integrity of the Cosmos hub

ABSTAIN - I don’t want to decide, but would like to contribute to reaching the quorum

Edit 1: Added the part about the multisig. 3 out of 5 members have left the company
Edit 2: Clarified that only unvested coins are affected
Edit 3: Clarified that only unvested coins are affected in the title.

2 Likes

An additional note. There is no proposal to claw back funds from a vested account. Therefore this proposal would require a coordinated update by all validators.

My open question would be: who would be able to create such an update and coordinate the update?

I think this open question doesn’t prevent this proposal from being posted as this should check the community sentiment.

Also, to note here, 3/5 of the multisig that controls the vested funds have left Notional.

The remaining 2 are Litbit and Jacob.

2 Likes

Also, to note here, 3/5 of the multisig that controls the vested funds have left Notional.

The remaining 2 are Litbit and Jacob.

I just figured that out too. This means we need an upgrade no matter what…

2 Likes

@ctrl-Felix, could you update the wording to ensure the community is clawing back the UNVESTED amount? We don’t want any confusion around what is being clawed back.

Notional owns the vested amount (will probably need to go to a new multisig). The community can claw back any unvested tokens.

1 Like

I think there’s an open question here. The 120k are vested, do these belong to Notional? Because I was referring to the vested tokens.

Because Notional states that the community can claw back these. And for the unvested tokens, how would that even work?

@Rarma

Assuming the wording is normal vesting-type agreements.
Begins at date x and each block y amount becomes available.

So if it began 03/2023 and we’ve vested 9 months of 36 months, then ~30k of the 120k ATOMs should be owned by Notional?

I might be confusing the wording with regard to vested/unvested. I want to avoid a Juno Whale situation :smiley:

3 Likes

Got it. I mixed up the terms of vesting. I totally agree with the point you are making and I will make the edit.

1 Like

Before making a software upgrade proposal, can we try and see if making a signaling proposal and demanding a return to community pool will work? Most likely if such a signalling proposal passes, IMO multisig members would be willing to comply given the wording of Prop 104.

1 Like

This is actually a signaling proposal. I will add that to the title to make it clearer. It is written in the last paragraph.

However, the funds are vested. Even if the multisig members want to, they won’t be able to send the funds back to the community pool.

@Ghazni_Stakecito

2 Likes

Disagree with this, we just need notional team to provide a new wallet for the vested funds to address the issues of departing signers.

There was never an implication of headcount for notional to maintain for the purpose of the proposal. Unless there is evidence of Notional failing to fulfill their duties, this proposal is extremely premature. If nobody can provide the evidence to justify a claw back, there is no justification to proceed with this besides speculation.

4 Likes

Strongly disagree.

Do you not remember prop 16 and the fate that brought Juno?

Agree with @luisqa - until it’s shown that they cannot perform the duties agreed upon in the proposal, no clawback should be taken seriously.

Will veto any vote that forces a clawback of funds.

2 Likes

I think the appropriate thing to do is claw back the funds and then have Notional or a successor prop.

We should develop a new account type with native clawbacks.

Comparisons to prop 16 are inappropriate. The community fund proposal contemplates a clawback for dispute resolution and this seems to be required in this setting.

4 Likes

@Tricky I get the point. But the proposal states that the funds can be clawed back by the community. So this is not some loophole we are trying to find.

By the way, the following link is the one shared in the proposal where notional tracks their work:

Their last commit to the gaia repo was 1 year ago: lint tests, too by faddat · Pull Request #1960 · cosmos/gaia · GitHub

And it was about linting tests.

2 Likes

Passing a signaling proposal is wise since there are multiple ways of clawing back the funds, including updates, new code, or even social agreements.

Including my previous comment on another draft proposal in the forum of why Proposal 104 needs urgent intervention:

This proposal must pass after recent events have highlighted Notional’s inability to adequately provide the services they claim to offer in Proposal 104. Thus far, they have utilized the loosely defined work in the proposal to bully others and threaten, harass, ridicule, and intimidate users and developers in the Cosmos ecosystem.

Over the past week, the primary recipient of Proposal 104 engaged in bullying behavior with his departing employees in public, demonstrating his inability to handle a sensitive issue with the correct decorum. Additionally, the members that departed Notional represent parties in Proposal 104 today and a significant portion of resources tasked to do the work.

If a genuine issue affects the Hub in a way that would require Proposal 104’s duties, ask yourself how you think Notional would respond. With professionalism? With competent engineering and support? With tactical communications that minimize risk for all participants in the Cosmos Hub? With respect for users, teams, validators, and developers? Countless forum posts and X threads highlight existing unprofessionalism and inexperience.

Furthermore, Notional Ventures publicly lost control of their private keys this week, forcing them to halt their validator operations. Unsafe key storage and generation outside of an HSM or, at a minimum, not using an MPC scheme to limit key theft go against accepted best practices that most high-quality validators currently employ, proving a lack of care for security in his organization. This event is a severe breach of security and cannot simply be shrugged off in the way it has been so far.

Additionally, the servicer of Proposal 104 demonstrated a lack of diligence and understanding of how the core stack works, evidenced by haphazardly raising a proposal without proper testing or knowledge of existing parameters set in the Cosmos Hub, resulting in the opposite effect of the intent of the discussion. See the forum topic named Increase Maximum Block Size to 1MB for details here.

Returning the value of the remaining ATOM in Proposal 104 to the community fund would be more impactful to the Hub than inaction here today. Before any new security spending is approved, a proper governance discussion must occur, resulting in a detailed security roadmap with deliverables and clear success metrics to ensure this does not happen again and protect the Hub’s funds from being pillaged.

2 Likes

I had created an issue on cosmos-sdk to introduce this feature via gov voting

Tough charges here

Seems appropriate, and would be curious to hear an official statement from both teams that will be affected: It’s unclear what is Notional right now, is it the management, or the engineering teams? Seems like the former, since the engineering team have a new company and name. Though both teams are equally affected.

Good point, but the Atoms are locked in a vested account, so not sure how would social agreement or other types (aside from software update) of approaches work?

1 Like

This is a very important item.

The primary upstream of the hub is other repos.

Frankly, security issues on the hub tend to come from other places due to the relative simplicity of the hub’s code, so I would encourage you to have a look at the following repositories, which I do believe are covered under 104 provided that the work done relates to the hub

A number of other people had asked about what our capability is to deliver on this and I also believe I have a pretty decent answer for that – basically I believe that we are quite well equipped to deliver on the project. The work itself was never handed out to a particular person in our organization, the people mentioned are the signers. For engineers and we plan to continue to do that.

I believe that Vinh will be able to rapidly assemble an excellent team for this task.

Maybe the final thing that we should try to accomplish in upcoming weeks or months is just to create sort of a performance and issues dashboard.

All in all, my frank self-assessment of our work here is that it’s actually been very good and a very good value for the hub. I understand that some people in the community don’t feel that way and I respect them. So I guess what I’d like to see over the coming weeks is a good conversation about that and another thing that might really be worth discussing is the reality that 104 is not really a coding work contract but because I believe that it’s really vital to the hub to get it on the latest cosmos SDK, I approached a lot of 104 as a coding contract.