Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add eip-zodiac #5005

Merged
merged 17 commits into from
May 28, 2022
Merged

add eip-zodiac #5005

Changes from 3 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
4e78db4
add eip-zodiac
auryn-macmillan Apr 14, 2022
ef0721a
Add security considerations and some minor fixes
auryn-macmillan Apr 19, 2022
72560c2
Add ETHMagicians discussion link
auryn-macmillan Apr 19, 2022
5f63787
Update EIPS/eip-zodiac.md
auryn-macmillan May 5, 2022
b3a9056
Update EIPS/eip-zodiac.md
auryn-macmillan May 5, 2022
7cd9eac
Update EIPS/eip-zodiac.md
auryn-macmillan May 5, 2022
2f23be7
Update EIPS/eip-zodiac.md
auryn-macmillan May 5, 2022
17e0ea7
Remove external links to Zodiac & external imports
auryn-macmillan May 5, 2022
3ecd82f
Rename EIP file to add ERC number
auryn-macmillan May 5, 2022
290f074
Update EIPS/eip-5005.md
auryn-macmillan May 13, 2022
42fd618
Update EIPS/eip-5005.md
auryn-macmillan May 23, 2022
abec040
Update EIPS/eip-5005.md
auryn-macmillan May 23, 2022
892341d
Remove external links
auryn-macmillan May 23, 2022
c095b78
Fix gramma
auryn-macmillan May 23, 2022
8c8e060
Small sentance structure fix
auryn-macmillan May 23, 2022
de1b7fa
Remove license and external links
auryn-macmillan May 23, 2022
91e5fa5
Update EIPS/eip-5005.md
MicahZoltu May 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
176 changes: 176 additions & 0 deletions EIPS/eip-zodiac.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,176 @@
---
eip: <to be assigned>
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
title: Zodiac
description: A composable design philosophy for DAOs.
author: Auryn Macmillan (@auryn-macmillan), Kei Kreutler (@keikreutler)
discussions-to: https://ethereum-magicians.org/t/eip-zodiac-a-composable-design-philosophy-for-daos/8963
status: Draft
type: Standards Track
category (*only required for Standards Track): ERC
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
created: 2022-04-14
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
requires (*optional): ERC-165
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
---

## Abstract
[Zodiac](https://github.com/gnosis/zodiac) is a philosophy and open standard for composable and interoperable DAO tooling. The key insight is that by separating account (thing that holds tokens, controls systems, and is referenced by others) from the logic that controls it, and making the account agnostic to the logic that controls it, we can create a DAO ecosystem that is much more composable and interoperable, along with being compatible with the vast majority of existing DAO tooling. In short, [Zodiac](https://github.com/gnosis/zodiac) encourages DAOs to use an "avatar" contract (like the Gnosis Safe) as their account, and to then control that avatar with just about any combination of DAO tools and frameworks (Aragon, Colony, Compound/OZ Governor, DAOStack, Moloch, Orca, Tribute, etc).

## Motivation
Currently, most DAO tools and frameworks are built as somewhat monolithic systems. Wherein account and control logic are coupled, either in the same contract or in a tightly bound system of contracts. This needlessly inhibits the future flexibility of organizations using these tools and encourages platform lock-in via extraordinarily high switching costs.

By using the [Zodiac](https://github.com/gnosis/zodiac) standard to decouple account and control logic, organizations are able to:
1. Enable flexible, module-based control of programmable accounts
2. Easily switch between frameworks without unnecessary overhead.
3. Enable multiple control mechanism in parallel.
4. Enable cross-chain / cross-layer governance.
5. Progressively decentralize their governance as their project and community matures.

## Specification
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

The [Zodiac](https://github.com/gnosis/zodiac) standard consists of four key concepts Avatars, Modules, Modifiers, and Guards:
1. **Avatars** are programmable Ethereum accounts, like the [Gnosis Safe](https://gnosis-safe.io). Avatars are the address that holds balances, owns systems, executes transaction, is referenced externally, and ultimately represents your DAO. Avatars MUST expose the `IAvatar` interface.
2. **Modules** are contracts enabled by an Avatar that implement some control logic.
3. **Modifiers** are contracts that sit between Modules and Avatars to modify the Module's behavior. For example, they might enforce a delay on all functions a Module attempts to execute or limit the scope of transactions that can be initiated by the module. Modifiers MUST expose the `IAvatar` interface.
4. **Guards** are contracts that can be enabled on Modules or Modifiers and implement pre- or post-checks on each transaction that the Module or Modifier they are enabled on executes. This allows Avatars to do things like limit the scope of addresses and functions that a Module or Modifier can call or ensure a certain state is never changed by a Module or Modifier. Guards should expose the `IGuard` interface. Modules, Modifiers, and Avatars that wish to be guardable MUST inherit `Guardable`, MUST call `checkTransaction()` before triggering execution on their target, and MUST call `checkAfterExecution()` after execution is complete.
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved

```solidity
/// @title Zodiac Avatar - A contract that manages modules that can execute transactions via this contract.

pragma solidity >=0.7.0 <0.9.0;

import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved


interface IAvatar {
/// @dev Enables a module on the avatar.
/// @notice Can only be called by the avatar.
/// @notice Modules should be stored as a linked list.
/// @notice Must emit EnabledModule(address module) if successful.
/// @param module Module to be enabled.
function enableModule(address module) external;

/// @dev Disables a module on the avatar.
/// @notice Can only be called by the avatar.
/// @notice Must emit DisabledModule(address module) if successful.
/// @param prevModule Address that pointed to the module to be removed in the linked list
/// @param module Module to be removed.
function disableModule(address prevModule, address module) external;

/// @dev Allows a Module to execute a transaction.
/// @notice Can only be called by an enabled module.
/// @notice Must emit ExecutionFromModuleSuccess(address module) if successful.
/// @notice Must emit ExecutionFromModuleFailure(address module) if unsuccessful.
/// @param to Destination address of module transaction.
/// @param value Ether value of module transaction.
/// @param data Data payload of module transaction.
/// @param operation Operation type of module transaction: 0 == call, 1 == delegate call.
function execTransactionFromModule(
address to,
uint256 value,
bytes memory data,
Enum.Operation operation
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
) external returns (bool success);

/// @dev Allows a Module to execute a transaction and return data
/// @notice Can only be called by an enabled module.
/// @notice Must emit ExecutionFromModuleSuccess(address module) if successful.
/// @notice Must emit ExecutionFromModuleFailure(address module) if unsuccessful.
/// @param to Destination address of module transaction.
/// @param value Ether value of module transaction.
/// @param data Data payload of module transaction.
/// @param operation Operation type of module transaction: 0 == call, 1 == delegate call.
function execTransactionFromModuleReturnData(
address to,
uint256 value,
bytes memory data,
Enum.Operation operation
) external returns (bool success, bytes memory returnData);

/// @dev Returns if an module is enabled
/// @return True if the module is enabled
function isModuleEnabled(address module) external view returns (bool);

/// @dev Returns array of modules.
/// @param start Start of the page.
/// @param pageSize Maximum number of modules that should be returned.
/// @return array Array of modules.
/// @return next Start of the next page.
function getModulesPaginated(address start, uint256 pageSize)
external
view
returns (address[] memory array, address next);
}
```

```solidity
pragma solidity >=0.7.0 <0.9.0;

import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";

interface IGuard {
function checkTransaction(
address to,
uint256 value,
bytes memory data,
Enum.Operation operation,
uint256 safeTxGas,
uint256 baseGas,
uint256 gasPrice,
address gasToken,
address payable refundReceiver,
bytes memory signatures,
address msgSender
) external;

function checkAfterExecution(bytes32 txHash, bool success) external;
}

```

```solidity
pragma solidity >=0.7.0 <0.9.0;

import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
import "./BaseGuard.sol";

/// @title Guardable - A contract that manages fallback calls made to this contract
contract Guardable is OwnableUpgradeable {
address public guard;

event ChangedGuard(address guard);

/// `guard_` does not implement IERC165.
error NotIERC165Compliant(address guard_);

/// @dev Set a guard that checks transactions before execution.
/// @param _guard The address of the guard to be used or the 0 address to disable the guard.
function setGuard(address _guard) external onlyOwner {
if (_guard != address(0)) {
if (!BaseGuard(_guard).supportsInterface(type(IGuard).interfaceId))
revert NotIERC165Compliant(_guard);
}
guard = _guard;
emit ChangedGuard(guard);
}

function getGuard() external view returns (address _guard) {
return guard;
}
}
```

## Rationale
In designing the [Zodiac](https://github.com/gnosis/zodiac) standard, we inevitably needed to define a standard interface for modular programmable accounts (avatars). Rather than writing this from scratch, we elected to use the existing interfaces from the [Gnosis Safe's Module Manager](https://github.com/gnosis/safe-contracts/blob/main/contracts/base/ModuleManager.sol) and from the [Gnosis Safe's Guard Manager](https://github.com/gnosis/safe-contracts/blob/main/contracts/base/GuardManager.sol), since the Gnosis Safe is by far the most widely used programmable account for DAOs, other organizations, and individuals.

## Backwards Compatibility
No backward compatibility issues are introduced by this standard.

## Security Considerations
auryn-macmillan marked this conversation as resolved.
Show resolved Hide resolved
Zodiac primarily leverages the existing ModuleManager interface from the Gnosis Safe, which has been in running securely in production for several years. That said, there are some considerations that module developers and users should take into account.
1. **Modules have unilateral control:** Modules have unilateral control over any avatar on which they are enabled, so any module implementation should be treated as security critical and users should be vary cautious about enabling new modules. ONLY ENABLE MODULES THAT YOU TRUST WITH THE FULL VALUE OF THE AVATAR.
2. **Race conditions:** A given avatar may have any number of modules enabled, each with unilateral control over the safe. In such cases, there may be race conditions between different modules (and other control mechanisms, like the multisig mechanism on a Gnosis Safe).
3. **Don't brick your avatar:** Be warned, there are no safe guards to stop you adding or removing modules. If you remove all of the modules that let you control an avatar, the avatar will cease to function and all funds will be stuck.

## Copyright
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).