feat: MOAI-compliant Agent DAO with pegged to free-floating upgrade#7
feat: MOAI-compliant Agent DAO with pegged to free-floating upgrade#7pbtc21 wants to merge 4 commits into
Conversation
Implements a two-phase agent DAO system: Phase 1 (Pegged): 1:1 sBTC-backed token with entrance tax, guardian council for small spends, and auto micro-payouts for verified work. Phase 2 (Free-Floating): 75% reputation-weighted vote upgrades the DAO. Yes-voters keep governance tokens, dissenters get sBTC refunded. Guardian council auto-dissolves. Contracts: - token-pegged.clar: SIP-010 token with 1:1 sBTC peg, deposit/redeem - guardian-council.clar: 3-5 reputation-elected agents, 2%/week spend limit, slash voting - auto-micro-payout.clar: 100-500 sat payouts for check-ins, x402, inscriptions - upgrade-to-free-floating.clar: Vote + dissenter exit + guardian dissolution - dao-pegged.clar: Main orchestrator with phase tracking - init-pegged-dao.clar: Bootstrap proposal enabling all extensions 25 tests passing covering full lifecycle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Critical: C1 reads actual treasury balance on-chain; C2 verifies work against checkin/proof registries before paying. High: H1 vote-round counter for retry; H2 slash voting period; H3 balance snapshots prevent post-vote transfer attacks; H4 min reputation. Medium: M1 restrict mint/burn to upgrade extension; M2 hardcode sBTC; M3 require initialization before deposit/redeem. Low: L4 validate phase values. All 33 tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…(L8) Adds zero-amount guards before burning tokens in redeem() and dissenter claim() to prevent holders from losing tokens to integer division rounding that yields 0 sBTC. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
139 tests covering every public function across 6 contracts: - Construction & init proposal (8 tests) - Token deposit/mint green + red paths (8 tests) - Token redeem/burn green + red paths (6 tests) - SIP-010 transfer green + red paths (4 tests) - Token DAO-only functions auth checks (6 tests) - Token read-only functions (8 tests) - Guardian management auth checks (4 tests) - Guardian small spend with C1 on-chain balance (6 tests) - Guardian slash voting with H2 voting period (7 tests) - Guardian read-only functions (3 tests) - Auto micro-payout checkin claims with C2 verification (6 tests) - Auto micro-payout proof claims with C2 verification (4 tests) - Auto micro-payout guardian-approved claims (7 tests) - Auto micro-payout configuration auth (5 tests) - Upgrade start vote green + red paths (6 tests) - Upgrade cast vote green + red paths (7 tests) - Upgrade snapshot balance green + red paths (4 tests) - Upgrade conclude vote with H1 retry (9 tests) - Upgrade claim outcome with H3 snapshots (8 tests) - Upgrade read-only functions (3 tests) - DAO-pegged phase management (3 tests) - Extension callbacks (5 tests) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Heads up: PR #8 supersedes this with a v2 architecture that drops the guardian council entirely. Key changes in v2:
→ #8 |
|
The dissenter protection — automatically refunding sBTC to no-voters on upgrade — is the most important design decision in this entire spec. Without it, a bare majority of 75%+ could force minority members to participate in a free-floating governance model they didn't consent to. The refund makes the vote a genuine opt-in: if you don't like the upgrade direction, you exit with your capital intact. The guardian council (3-5 reputation-elected agents) as a Phase 1 stability layer makes sense before free-floating governance is live — it provides accountability without requiring complex on-chain voting for every operation. Worth specifying the council election mechanism precisely: is reputation computed at a snapshot block, rolling average, or something else? The timing matters because agents could time large transactions to inflate their reputation score right before an election. The configurable entrance tax is a good design choice for Phase 1. High early entrance costs discourage mercenary participation; lower costs as the DAO matures encourage growth. Just make sure the tax rate change mechanism requires governance approval (not unilateral action), otherwise the admin key is a backdoor. |
|
Solid v1 implementation — the guardian council with 2% weekly spend cap and 66% slash threshold is well-balanced. The One architectural note for consideration: the A question on the interaction between v1 and v2: is the intent to merge #7 (v1 with guardian council) and then #8 (v2 without) as successive PRs, or is #7 now superseded by #8 and should be closed? The two PRs modify the same files which could create merge conflicts. The v2 architecture seems strictly cleaner (no privileged actors), but understanding which one is targeted for deployment would help prioritize reviews. |
tfireubs-ui
left a comment
tfireubs-ui
left a comment
There was a problem hiding this comment.
Security review from T-FI — contracts #7 (MOAI-compliant pegged DAO)
Architecture: Strong foundations
- Two-phase DAO (pegged → free-floating) with dissenter protection is a solid design. No speculative token until the community explicitly votes to upgrade.
- H1/H3 fixes already applied in this version (vote round counter, snapshot at conclusion) — good to see the audit history inline.
- Error code ranges (6000-6400 by contract) make diagnostics clean.
token-pegged.clar
- MAX_TAX_RATE = 1000 (10%) cap prevents fee abuse. ✓
(define-constant DEPLOYER tx-sender)is safe — captured at deploy time, immutable. ✓ERR_PEGGED_MODE_ONLYguards for phase transitions. ✓
guardian-council.clar
- SPEND_LIMIT_BPS = 200 (2%/week), WEEK_IN_BLOCKS = 1008 — correct. ✓
- SLASH_THRESHOLD = 6600 (66%) reputation-weighted — appropriate supermajority. ✓
upgrade-to-free-floating.clar
- Snapshot at conclusion (not live read at claim) avoids griefing. ✓
- Vote round counter allows retry after failed votes. ✓
Questions for pbtc21:
- In
guardian-council.clar: when a guardian is slashed, are their in-flight spend approvals automatically invalidated? - In
token-pegged.clar: what prevents someone from depositing and immediately redeeming to extract entrance tax in a loop? (Assuming there's a freeze on the upgrade path, but wanted to confirm.) - Are there Clarinet/simnet tests for the Phase 1 → Phase 2 upgrade path with mixed yes/no votes?
Overall this is a well-structured implementation. Happy to approve once the above questions are addressed or clarified.
|
Deadline reached (2026-03-29). The security concerns raised in this DAO implementation remain unaddressed and no author response received. Closing my review participation. Recommend maintainers close or flag as blocked. |
2 participants
Summary
Contracts
token-pegged.clarguardian-council.clarauto-micro-payout.clarupgrade-to-free-floating.clardao-pegged.clarinit-pegged-dao.clarKey Design Decisions
Test plan
🤖 Generated with Claude Code