Guardrails
The initial EigenLayer safety design optimizes for two primary goals:
- First, in the interest of decentralization and platform credibility, EigenLabs will hand over control over contract upgradeability and slashing to a “Community Multisig” (members TBD). While EigenLabs may propose upgrades, only this external multisig may approve upgrades.
- Second, in the interest of extreme caution and protection of user funds, governance is designed to be able to respond quickly to emergencies. For example, the protocol enforces delays on all withdrawals, and empowers a “Safety Multisig” to pause functionality as deemed necessary.
For the testnet, the EigenLabs team operates both the Community Multisig and the Safety Multisig. They are implemented as follows:
- Parameters: 2-of-3 Gnosis Safe, transitioning to a higher threshold and number of signers over time
- Goerli Contract Address: 0x37bAFb55BC02056c5fD891DFa503ee84a97d89bF
- Membership: 3 members of the EigenLabs team
- Parameters: 2-of-3 Gnosis Safe, transitioning to a higher threshold and number of signers over time
- Goerli Contract Address: 0x040353E9d057689b77DF275c07FFe1A46b98a4a6
- Membership: 3 members of the EigenLabs team
These parameters are purely for testing during the testnet phase. We do not necessarily expect them to remain the same in the future, including during mainnet launch.
The table below shows the specific contracts and functions that each multisig can pause or unpause in governing the protocol.
| Ability | Can Pause | Can Unpause |
| --- | --- | --- |
| Deposits of staked ETH | Safety | Community |
| Withdrawals of staked ETH | Safety | Community |
| Operator opting into slashing | Safety | Community |
| Module confirming operator | Safety | Community |
| Freezing of stake, for review prior to slashing | Safety | Community |
| New delegations of stake to operators | Safety | Community |
| Deploying new EigenPods to restake solo-staked ETH | Safety | Community |
| Withdrawals of restaked solo-staked ETH | Safety | Community |
| Verification of withdrawal credentials | Safety | Community |
| Verification of slashed stake | Safety | Community |
| Verification of unstaked ETH | Safety | Community |
In addition to the pause/unpause abilities above, the Safety Multisig can add or remove tokens allowed for restaking. The Community Multisig can also slash frozen assets, change the BeaconChainOracle address, and upgrade the EigenLayer contracts.
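The pause/unpause split in the table only holds if a pause call cannot also resume something as a side effect. The following is an added example, not EigenLayer's contract code: a Python model that assumes pause state is a bitmap with one bit per ability (the bit names and the two role identifiers are hypothetical), where the Safety role may only set bits and the Community role may only clear them.

```python
# Model of split pause authority: one role can only pause, the other only unpause.
# Bit names and the bitmap layout are assumptions made for this illustration.
DEPOSITS, WITHDRAWALS, NEW_DELEGATIONS, EIGENPOD_DEPLOY = (1 << i for i in range(4))
ALL_BITS = DEPOSITS | WITHDRAWALS | NEW_DELEGATIONS | EIGENPOD_DEPLOY

SAFETY = "safety-multisig"        # placeholder identities, not on-chain addresses
COMMUNITY = "community-multisig"


class Unauthorized(Exception):
    pass


class PauseRegistry:
    def __init__(self):
        self.paused = 0

    def pause(self, caller, new_status):
        """Safety only. new_status must keep every bit that is already set."""
        if caller != SAFETY:
            raise Unauthorized("only the Safety Multisig can pause")
        if new_status & ~ALL_BITS:
            raise ValueError("unknown ability bit")
        if self.paused & new_status != self.paused:
            raise ValueError("pause() cannot clear a paused bit")
        self.paused = new_status

    def unpause(self, caller, new_status):
        """Community only. new_status must not set any bit that is currently clear."""
        if caller != COMMUNITY:
            raise Unauthorized("only the Community Multisig can unpause")
        if new_status & ~self.paused:
            raise ValueError("unpause() cannot set a new paused bit")
        self.paused = new_status

    def is_paused(self, ability):
        return bool(self.paused & ability)


def emergency_scenario():
    """Safety halts deposits and withdrawals; Community later resumes deposits only."""
    reg = PauseRegistry()
    reg.pause(SAFETY, DEPOSITS | WITHDRAWALS)
    after_pause = reg.paused
    try:
        reg.pause(SAFETY, DEPOSITS)        # would silently resume withdrawals
        smuggled_unpause = True
    except ValueError:
        smuggled_unpause = False
    reg.unpause(COMMUNITY, WITHDRAWALS)    # deposits resume, withdrawals stay paused
    return after_pause, smuggled_unpause, reg.paused
```
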
These multisigs represent a rudimentary but working system of guardrails, with appropriate checks and balances. As the protocol continues to develop, this system will evolve and improve.