The recent issue involving double-entrypoint tokens, which includes SNX and sBTC, saw those tokens being transferred out of the Vault into the ProtocolFeeCollector. The multisig in charge of managing protocol fees renounced the permission to withdraw them, meaning these user funds are now solely controlled by the Balancer Governance multisig. Until the situation is resolved however, regular protocol fee withdrawal and distribution (including revenue for veBAL holders) is halted.
This proposal provides a mechanism to continue with protocol fee distribution while keeping SNX and sBTC from LPs safe.
We’ve developed a contract called ProtocolFeesWithdrawer, which forwards requests to withdraw tokens to the ProtocolFeesCollector, as long as the tokens are not included in a ‘denylist’ of tokens that cannot be withdrawn. This list can be updated by Balancer Governance.
By granting permission to the ProtocolFeesWithdrawer to withdraw from Collector, and to the original Safe to initiate withdrawals on the Withdrawer, the multisig will regain the ability to manage protocol fees, but will be unable to withdraw any SNX or sBTC.
I propose we make the Withdrawer part of our permanent infrastructure, since it adds very little overhead and allows for measures like this one to be taken. This is not the first instance we’ve seen of tokens incorrectly landing in the ProtocolFeeCollector, and we might want to make use of these capabilities again in the future.
grantRolesToMany on the Authorizer, with:
This will grant role 0xb2b6…3ae6, which allows withdrawing from the FeeCollector (the same role renounced by the multisig) to the FeeWithdrawer. The address of the Withdrawer can be obtained from the Balancer Labs deployments repository.
The second role granted is 0x826a…23fe, which allows withdrawing from the Withdrawer to the original multisig at 0x7c68…161b. The role can be obtained by calling
getActionId on the Withdrawer with 0x6daefab6, the selector of the
withdrawCollectedFees(address,uint256,address) (i.e. the first eight bytes of that hash.
The ProtocolFeesWithdrawer is intentionally extremely simple to minimize smart contract risk. Its mitigations risk being uneffective in the case of double-entrypoint tokens if one of the entrypoints is updated before it can be added to the denylist - we’ve made the Synthetix team aware of this and they’ll report about any changes in advance.
Plans to fix the SNX and sBTC issue are unaffected by this, as we can always grant permission to withdraw them from the Collector to another contract down the line.