Introduce ChildChainGaugeTokenAdder


Liquidity gauge depositors can receive not only BAL, but also extra tokens (called ‘reward tokens’). On Ethereum L1, this is relatively straightforward, and there’s already a subDAO managing this. On child chains however (i.e. non-Ethereum L1 chains, such as Polygon or Arbitrum), this task is a bit more nuanced, as the gauge system allows for irrecoverable user error.

ChildChainGaugeTokenAdder is a module that makes adding reward tokens to child chain gauges much safer, and should be the only means by which this is done.


The ChildChainGaugeTokenAdder contract (deployment addresses found here) must be granted permission to call IChildChainStreamer.add_reward and IRewardsOnlyGauge.set_rewards via the AuthorizerAdaptor. Then, the LM multisig 0xc38c5f97B34E175FFd35407fc91a937300E33860 must be granted permission to call ChildChainGaugeTokenAdder.addTokenToGauge.

Execution details

This will be done in multiple networks: the named arguments below should be replaced with the actual constants specified later.

Call grantRolesToMany on the Authorizer, with:

  • roles:
    • add_reward_role
    • set_rewards_role
    • addTokenToGauge_role
  • accounts:
    • ChildChainGaugeTokenAdder
    • ChildChainGaugeTokenAdder
    • LMMultisig


Authorizer: 0xA331D84eC860Bf466b4CdCcFb4aC09a1B43F3aE6
ChildChainGaugeTokenAdder: 0x1554ee754707D5C93b7934AF404747Aba521Aaf2
LMMultisig: 0xc38c5f97B34E175FFd35407fc91a937300E33860
add_rewards_role: 0x7cb72b76789ff7bc3d3bf438294fb22e9ab21b8ab33ef92bde5343ffbefae722
addTokenToGauge_role: 0x32982283bd3250ac03256468501ad749885a55561f6e27111ff7f9a661aca5b5


Authorizer: 0xA331D84eC860Bf466b4CdCcFb4aC09a1B43F3aE6
ChildChainGaugeTokenAdder: 0xbfD9769b061E57e478690299011A028194D66e3C
LMMultisig: 0xc38c5f97B34E175FFd35407fc91a937300E33860
add_rewards_role: 0x848a449d6f3fea1c1e229330f28bbd34ce15b8828b8e59f6b046fe937ef76b76


The LM multisig could misuse its permission and add incorrect or faulty tokens to the gauges. Since these have a limit of 8 tokens and they cannot be removed, such a situation would require a gauge migration.

Alternatively, the LM multisig could designate a distributor that sets overly long distribution durations (e.g. 5000 years), which would effectively make the distributions unusable.

No funds are at risk. The only funds potentially affected are those being distributed, which could be re-distributed over an over by a malicious distributor, dilluting the effective distributon rate.


This heads to the gov council tomorrow :pray:

1 Like