| fip | title | author | discussions-to | status | type | category | created |
|---|---|---|---|---|---|---|---|
0085 |
Convert f090 Mining Reserve actor to a keyless account actor |
Jennifer Wang (@jennijuju), Jon Victor (@jnthnvctr) |
Final |
Technical |
Core |
2024-01-04 |
Covert f090 (FIL mining reserve) actor type from a multisig to an account that is keyless (like f099).
At the moment, the actor holding the FIL mining reserve is a multisig actor sitting at address f090. It has 3 signers and an approval threshold of 2. All three signers are secp256k1 account actors, secured by corresponding wallet keys. This setup leaves the ownership and control over the mining reserve funds to signers of the multisig actor, which undermines the decentralized governance principle over network funds, and creates potential security leaks.
This FIP proposes to alter the type of the FIL mining reserve actor from the aforementioned multisig to a keyless account actor, and further transfer the ownership, control and governance of the funds reserved from the signers of the multisig back to the network's participants via community governance.
As documented in the spec here, upon network launch, a pool of tokens was allocated as a Mining Reserve to support the maintenance of a robust Filecoin economy. It also mentions, "It will be up to the community to determine in the future how to distribute those tokens, through Filecoin improvement proposals (FIPs) or similar decentralized decision-making processes." It is worth noting that when the spec was written and when the network was first launched, the FIP process was not yet well-designed nor matured to support network governance, and significant improvements have been made since then.
At the moment, the actor holding the FIL mining reserve is f090, which is a multisig actor with 3 signers and an approval threshold of 2. All three signers are account actors, with wallet keys to those accounts. This means that 2 out of 3 individuals hold the keys to move funds and change the terms of f090. They can do so without a governance process or any protocol-level safeguards, which conflicts with the decentralized governance principle outlined in the spec. It further creates security concerns for the whole Filecoin network, in that a malicious actor that compromises 2 out of the 3 signer keys of f090 gains the ability to cause serious economic and reputational damage.
In addition, having the reserve held in a multisig also means the use of the reserve may need to be managed via signed transactions, creating significant operational overhead (and again deviating from the governance principle).
This proposal is simple: to convert the f090 actor type from a multisig to an account type (without any keys, like f099), so that any changes to the mining reserve must be proposed via the appropriate FIP and network upgrade processes.
Convert f090 actor type from a multisig to account type. The new account actor should be keyless, like f099.
pub struct State {
pub address: Address,
}The new f090 account actor will contain a self-reference to its ID address in the address field.
The choice of making f090 actor to be a keyless account type is to ensure that no single actor/entity owns the control over Filecoin mining reserves. The use of the mining reserves will be proposed and governed by the FIP process, and further adopted by the network via network upgrades.
This change is not backwards compatible. Upon the activation of this FIP in a network upgrade:
- the actor type of f090 will be migrated from multisig to account.
- the existing signers of the f090 multisig will no longer be able to perform operations on the actor
- Get actor cid of f090 should return actor code cid of an
account
This proposal improves the network security by removing the ownership and control of 15% of the total network token supply from 3 individuals and putting it under the control of network participants via the appropriate governance processes.
This proposal places governance of the reserved funds entirely in hands of the network participants rather than 3 key owners, thus providing greater transparency and assurance of community consultation and deliberation in appropriate future disbursement of the funds.
TODO
Copyright and related rights waived via CC0.