Apologies for chiming in late here. I unfortunaly haven’t seen this BIP in time to challenge it before it went to a vote.
After recent incidents with multisigs (like Radiant’s) multiple people in the Balancer ecosystem got worried about the governance multisig enabling this module.
Even if these incidents hadn’t happened I would strongly be against this for 2 reasons:
- This would set a very dangerous precedent of enabling modules on the multisig that controls the governance of the whole protocol. If anything goes wrong, governance will be taken over forever and even though LPs are not at risk (contracts are non-custodial) all governance decisions would be highjacked.
- There is a much simpler way of getting the same outcome of auto-relocking our Aura using this module: simply spin up a new gnosis safe with the exact same signers as the main one, transfer all the Aura to it and enable this module there. This fully isolates the risks of this module (which though audited can certainly contain bugs and footguns) to only the Aura it would control.
The only downside I can see in my suggestion of cloning the governance safe is that signers would have to be swapped on the cloned safe every time swaps happen on the main one. A very minor downside compared to the risks of installing modules on the main governance safe.