Postmortem YIP-08 Failure Analysis
## Summary

YIP-08 will fail to execute due to an issue in the compiled Michelson code. The order of execution for the operations does not match the intended sequence written in SmartPy. Although we employed our `lambda_builder` to reverse (`rev`) the operations, the resulting Michelson lambda attempts to remove an administrator before the DAO has acquired administrative privileges. This sequencing error will lead to the lambda's failure.
## Detection

The team identified the issue after YIP-08 went live, then proceeded to investigate the root cause. Unfortunately, the quorum had already been reached in the vote, so the DAO community could not be alerted beforehand.
## Resolution

YIP-08 will not be executed. It will be cancelled after another grace period (execution delay), as the governance proposal would fail anyway. YIP-09 has been prepared as a corrective measure and has been verified on Ghostnet. This new YIP addresses the ordering issue in the Michelson lambda and ensures that the DAO receives administrative privileges before executing any other operation on the other contracts.
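The ordering requirement described above can be checked before submission by dry-running the lambda's emitted operation list against a model of each contract's admin state. This is an added example, not the project's code; the entrypoint names (`accept_admin`, `add_admin`, `remove_admin`), the pending-admin handover model and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

DAO = "KT1_DAO"              # placeholder addresses, constructed for this example
OLD_ADMIN = "tz1_OLD_ADMIN"

@dataclass(frozen=True)
class Op:
    target: str      # contract receiving the call
    entrypoint: str  # hypothetical entrypoint name
    arg: str = ""    # address argument, if any

def first_failing_op(ops, sender, admins, pending):
    """Dry-run ops in list order as `sender`.

    admins:  {contract: set of current admin addresses}
    pending: {contract: address proposed as admin, not yet accepted}
    Returns (index, reason) for the first op that would fail, else None.
    """
    admins = {c: set(a) for c, a in admins.items()}  # work on copies
    pending = dict(pending)
    for i, op in enumerate(ops):
        if op.entrypoint == "accept_admin":
            if pending.get(op.target) != sender:
                return i, f"{sender} is not the pending admin of {op.target}"
            admins.setdefault(op.target, set()).add(sender)
            del pending[op.target]
            continue
        # Every other entrypoint in this model is admin-only.
        if sender not in admins.get(op.target, set()):
            return i, f"{sender} is not an admin of {op.target} at {op.entrypoint}"
        if op.entrypoint == "remove_admin":
            admins[op.target].discard(op.arg)
        elif op.entrypoint == "add_admin":
            admins[op.target].add(op.arg)
    return None

# Constructed scenario: the DAO has been proposed as admin of one contract.
STATE_ADMINS = {"KT1_TOKEN": {OLD_ADMIN}}
STATE_PENDING = {"KT1_TOKEN": DAO}
INTENDED = [Op("KT1_TOKEN", "accept_admin"),
            Op("KT1_TOKEN", "remove_admin", OLD_ADMIN)]

if __name__ == "__main__":
    for name, ops in (("intended", INTENDED), ("reversed", INTENDED[::-1])):
        print(name, "->", first_failing_op(ops, DAO, STATE_ADMINS, STATE_PENDING))
```

The check is only meaningful when the operation list is taken from the compiled lambda's actual output rather than from the order written in the SmartPy source.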
## Action Items

Action Item | Type | Owner | State |
---|---|---|---|
Prepare new YIP | fix | is | Done |
Launch new YIP | resubmit | ml | IN PROGRESS |
## Lessons Learned

### What went wrong

The lambda was not fully tested in a complete mirrored testing environment on testnet. Local unit tests did not reveal the issue.
### Where we got lucky

The issue was detected while the YIP was running, and a new YIP-09 was prepared and properly tested, so it can be submitted immediately once the governance process is open for submission again.
## Conclusion

This case has shown again that governance lambdas have to be tested 1:1 in a testnet environment to exclude issues that are not easily revealed. That must also be the case for lambdas of medium complexity, like the one YIP-08 represented.