[SCP-43] Infrastructure Budget Proposal [Official Ideation Thread]

Objective

The Shapeshift DAO needs to be empowered to run its own software infrastructure independent of legacy, centralized Shapeshift or any duly appointed custodians thereof. The goal of this proposal is to enumerate the reasons why, and the resources required to make it a reality.

Abstract

Currently, the Shapeshift DAO depends on infrastructure provided by Shapeshift AG in order to bootstrap hardware for its next-generation defi software platform to operate. If the DAO is to become independent and self-sufficient, it will need to appoint one or more trusted proxies to operate its own infrastructure. Shapeshift AG is dissolving, and if a new arrangement is not made, the DAO will eventually have no assets on which to run its platform or development environments. As the primary function of the DAO is to produce a software product, this initiative is integral for the long-term ability of the DAO to function and survive at a very basic level.

Specification

• We are proposing that the Shapeshift DAO enables itself to independently serve its own product to the world via leveraging its existing relationship with TaxiStake. TaxiStake is a legal US commercial entity already tooled for operating in this capacity, and currently runs a Cosmos Validator on behalf of the DAO. As such, there are no initial capital expenditures required to fund the project.

  The DAO’s next-gen defi platform, referred to as “Shapeshift Web v2”, pulls its data from a piece of back-end software, named “Unchained”. Unchained initially pivots on offering a rich user experience with the Ethereum ecosystem via the Geth blockchain client running in full archive mode. This means that the Geth implementation is demanding in both storage and run-time resources. As a result, the initial footprint of a new Unchained cluster running Ethereum is about $1000 USD a month. Thankfully, this initial cluster footprint will also be powerful enough to run a few additional, less-demanding blockchain clients such as Bitcoin, Litecoin, and Thorchain, without incurring additional cost to the operator.

  This proposal posits that:

  TaxiStake will provision an isolated, dedicated cloud provider account for running the DAO’s infrastructure. No services will be provisioned in this account that do not belong to the DAO.

TaxiStake itself will not

• be responsible for on-call or triage of operational issues with the software.
• TaxiStake will delegate privileged access to the cluster and/or account for appropriate members of the Engineering Workstream who are responsible for on-call and triage of operational issues.
• TaxiStake will provide programmatic access to the account in order to deploy assets via automated CI/CD workflows.
• The instance of Unchained operated by TaxiStake will become the primary back-end leveraged by Shapeshift Web v2.
• A Sablier stream will be established, from which TaxiStake can be reimbursed at a 150% rate for monthly operational expenditures incurred in running this infrastructure for three months. This equates to about $500 USD a month in profit for TaxiStake itself. If this arrangement needs to be terminated or modified for any reason, the DAO can simply withdraw or reissue the stream’s contract. This arrangement will be renewed on a quarterly basis unless otherwise modified by governance.

The relationship with TaxiStake will continue to be leveraged for future infrastructure needs, assuming all goes well. At present, this is expected to include future blockchain integrations in the Unchained back-end, but could be extended to new feature offerings.

Motivation/Benefits

As mentioned previously, the DAO currently depends on Shapeshift AG to provide hardware to run its software product. The primary motivation of this proposal is to enable the DAO to serve its own product to the world with its own infrastructure.

Drawbacks

It does increase the DAO’s reliance on the relationship with TaxiStake. However, the infrastructure deployment workflow is currently packaged in such a way that if the relationship with TaxiStake needs to be terminated for some reason, it is a fairly simple process to deploy these assets elsewhere under the auspices of a new arrangement.

Additionally, the Foundation will be running an Unchained endpoint for the foreseeable future, and Shapeshift Web v2 can be quickly reconfigured to use it within a matter of minutes should need arise.

Vote

• If you vote “For” this proposal, you are endorsing the following points:

  The DAO should be capable of running its own infrastructure to serve its own product,

• TaxiStake is a trusted proxy able to run the DAO’s infrastructure in a reliable and secure fashion,
• The establishment and funding of a Sablier contract in the amount of $4500 USD in DAI stablecoin tokens (1 DAI = 1 USD) to serve as a reimbursement vector for TaxiStake’s operational expenditures over the course of three months.

If you vote “Against”, you are indicating that you do not want the DAO to be able to run its own infrastructure, or perhaps just not via the existing relationship with TaxiStake.

I do have some level of concern. Does this put any level of risk that should TaxiStake get shut down for running the Cosmos or upcoming Osmo node that it could shut down this as well? I know talking legal stuff isn’t fun, but I worry about putting too much load on a single point, especially one that is doing quite a bit of revenue generation already, and only adding more to the future. Mperklin’s security talk about if the feds tell you to stop doing something, you should probably stop doing that? Would they tell you to stop all operations? or would they segment it to only one node/nodes?

If Shapeshift DAO needs to be empowered to run its own software infrastructure independent of legacy would Fluence or Rift be relevant tools for the DAO to consider?

con5cience:

The establishment and funding of a Sablier contract in the amount of $4500 USD in FOX tokens (roughly 5555.55 FOX at today’s market rate of $0.81 USD/FOX) to serve as a reimbursement vector for TaxiStake’s operational expenditures over the course of three months.

I heard some feedback in Discord that this should be a stable coin. I think TaxiStake would prefer this as well but I don’t think it was an option when we first started discussing this. Some of our initial concerns were more around our AWS bill growing wildly due to a misconfiguration or sudden surge in use, rather than the FOX price changing dramatically during the 3 month agreement.

TaxiStake would most likely setup a completely independent AWS for this

We are always watching the moving target that is the legal state of things in crypto and have good lawyers advising us. I don’t see any issue currently but will run it by council. I view this as a consulting infrastructure agreement between the two entities.

Thanks for your reply. The Unchained cluster is basically a collection of open source software, particularly Trezor Blockbook running on top of a blockchain node (Go-Ethereum, Bitcoind, etc). It indexes data from those chains, which is already publicly available, and makes that data available for query via REST-ful interface. As a result, I don’t see TaxiStake incurring additional risk within the scope of this particular piece of infrastructure. However, if TaxiStake gets nuked off the face of the planet for some reason, that will clearly affect availability of its endpoint.

All that said, the Fox Foundation will continue to run an Unchained endpoint in parallel for the duration of its existence, and ideally we will have many more of these cluster endpoints running out in the wild in a fault-tolerant fashion when the time comes for the Foundation to retire itself. If TaxiStake evaporates between then and now, the DAO can swap to another endpoint within a handful of minutes.

Thanks for your comment. Unfortunately, neither Rift nor Fluence appear to be able to serve the Unchained back-end. Please feel free to continue to suggest platforms, we are always willing to take a look at technologies that we might not have considered or even known of previously.

Thanks Marley. I will be amending the agreement to pivot on DAI instead of FOX for reimbursement.

Why not oneFox instead of DAI?

DAI is easier for me to pay my bills with. I’m interested in oneFOX but not for this. It is a relatively low amount ($4500 over 3 months) so I want to be gas efficient and can easily pay my bills in DAI with 1 transaction.

It makes sense. Thank you for the clarification.

This is really nice … I am giving my vote for this

(post deleted by author)

Thank you for your support!

Hey - finally got more time to review this proposal in detail, thank you for posting it!

Now that I understand the idea more than I did on the governance call, and importantly understanding the foundation plans to run one of these instances as well, with taxi stake becoming a backup/additional instance for the the time being, I am in support of this moving forward.

It immediately helps with decentralization of the infrastructure which is important, and perhaps more importantly it could help setup a company like taxistake to potentially even run foxchain nodes in the long term (and help test/get that chain running) which would also pay long term benefits to the DAO.

I actually envisioned the nodes that TaxiStake runs to become the primaries for v2, and for the Foundation’s nodes to be the failovers – at least until such time that FOXChain is able to load balance clients between all active nodes. In this, the next-gen software platform immediately catalyzes the ideal sort of operational autonomy required for a truly independent DAO. But this is an implementation-level detail and not critical to the initial steps posited by this proposal.

Longer term, adding FOXChain to the mix will become an extra sprinkle of configuration atop the existing deployment pattern.

Yea, which one is the default and backup at first is not important as much as they are both serving as redundancy for each other.

Either way seems a worthwhile step and experiment!

It’s worth noting that the Unchained node you use is somewhat trusted; it can’t steal your funds directly, but it can lie to you about some important things – like whether a transaction occurred, how much it was for, what your balance is, etc. For example, a bad unchained node might be able to trick you into thinking that you’ve received a payment when you haven’t, or that a send you’ve made failed and that you need to re-send it. There are almost certainly other attacks an unchained node operator could perform too – especially as our app gets more sophisticated – like lying about what an ENS name resolves to, or maybe even getting you to interact with the wrong contract.

Foxchain intends to solve this problem by forcing node operators to post a bond and commit on pain of being slashed to each result they provide, but in the meantime it’s important to keep the trust aspect in mind, which is why something like Akash isn’t the right fit for a job like this. Personally, I trust the TaxiStake guys, but that’s partly because I know them myself and partly because in their capacity as former centralized ShapeShift employees I know that they were trusted with sensitive stuff and had ample opportunity to be evil, and chose not to. Still, developing trust that way isn’t really a scalable solution.

If TaxiStake goes under and we need a replacement it would be technically trivial for anyone else to spin up the same infrastructure, but difficult for us to trust them. Infrastructure run by the foundation sort of short-cuts that process – you have to trust the unchained nodes run by the foundation too, but you don’t have to trust them any more than you’re already trusting the foundation. (After all, they own the DNS names, and could use that control to attack you in many much simpler ways.)

If TaxiStake goes under, and FOXChain isn’t in play, then the DAO swaps back to the Foundation’s nodes (or perhaps another trusted entity appears between now and then, or quickly materializes in response). At this point in time, I don’t expect that the DAO would leverage an Unchained back-end served by an entity with which it did not have that dynamic.

This proposal is not intended to be the ultimate, perfectly scalable solution for the long-term. It’s meant to be a solid step toward independence.

Just to be clear, I agree and I also expect to vote in favor of this proposal; I just wanted to bring the security perspective to the discussion.

Amended the proposal to explicitly declare the parameters of responsibility for TaxiStake, and some basic rules of engagement between it and DAO operators. This feedback was gathered from members of the community and the Engineering Workstream during Engineering Office Hours today.