PIP-67: Update Membership of the Protocol Council

PIP: 67
Title: Update Membership of the Protocol Council
Authors: Kaitlin Beegle, Harry Rook
Description: Proposal to update the membership of the Polygon Protocol Council
Discussion: TODO
Status: Draft
Type: Contracts
Date: 2025-04-15

Abstract

This proposal seeks to update the membership of the Protocol Council established by [PIP-29](https://github.com/maticnetwork/Polygon-Improvement-Proposals/blob/main/PIPs/PIP-29.md) to ensure continued operational efficiency and governance transparency. This proposal supersedes and should be read in conjunction with PIP-29.

Motivation

Refreshing the Protocol Council membership ensures alignment with evolving community representation, and maintains operational transparency and efficiency.

Updates to Protocol Council membership at this time were motivated by PIP-54 and PIP-XX, which jointly seek to improve the efficiency and decentralization of Polygon PoS by granting more efficient control over contract upgradeability to the Protocol Council. In preparing for this transition, all current members of the Council were asked to reconfirm their interest, alignment, and availability to serve on the Council.

As a result of this process, the updated membership list reflects the removal of Justin Drake (Ethereum Foundation) and Anthony Sassano (Daily Gwei). The removal of each member is proposed with their full consent and in no way is a reflection on their skills, abilities, or the quality of their contributions.

The below individuals are furthermore proposed to fill the seats left vacant by Justin and Anthony’s departure:

Pablo Sabbatella
Pablo Sabbatella, also known as pablito.eth, is a blockchain operational security researcher. He is the founder of Opsek, which offers operational security audits and training to web3 companies. He is also a member of SEAL (Security Alliance) and the Optimism Security Council. He is host of the Blockchain Security Series podcast.

Jack Sanford
Jack is the CEO and Co-Founder of Sherlock. Over the last 5 years, Jack has worked closely with hundreds of crypto teams to deliver successful security outcomes, including many of the biggest DAOs in the space. Jack has hands-on experience in high stakes situations including war rooms, exploit mitigation, and funds recovery. Jack has been a leading voice in the crypto security ecosystem, speaking about security topics at DevCon, DeFi Security Summit, ETHDenver, and more.

Each of the above members have been audited and approved to join by existing members of the Council.

The updated membership list also proposes replacing two (2) individual representatives from Polygon Labs Engineering and Polygon Labs Security teams- Mudit Gupta, and Jordi Baylina- with two (2) ⅗ multisigs, one held by each organization.

• Polygon Labs Engineering will propose upgrade payloads while also acting in a traditional signer capacity.

• Polygon Labs Security will ensure operational integrity throughout the upgrade process by verifying payloads through to execution.

Specification

This PIP proposes the reform of the signer composition of the Protocol Council, to be updated to the the list below. The existing multisig contract specification, including signature policies and timelock delays, will remain unchanged.

Updated Protocol Council Members

Backward Compatibility

This change is fully backward compatible, changing only the council membership.

Security Considerations

Key security parameters remain unchanged. Considerations need to be made to ensure new signers are selected to maximize jurisdictional diversity, availability, and responsiveness.

Copyright

All copyrights and related rights in this work are waived under CC0 1.0 Universal.

Could you help us review this proposal by saying what those policies are? In particular, how many signatures are required for a quorum and what is the time delay?

It looks like this needs to be read in concert with https://forum.polygon.technology/t/pip-68-reform-key-polygon-pos-multisigs-to-integrate-protocol-council-members/21008 which proposes 7 of 13 with a 10 day delay

I think it would be good if individuals at the organisations listed (L2Beat, Guantlet, Polygon Labs) were nominated, and were the only individuals at those organisations with access to the signing key. This would improve security and increase transparency.

@0xD0A4004d1916C0F93D yes, you’re correct! The signature and multisig policies for the Protocol Council are available in PIP-68.

In regards to your last comment, can you clarify what exactly you mean? The organizations that are listed are expected to sign securely, which means controlling access to their private keys. We do not list the names of individuals at each organization who are responsible for signing due to security reasons, but it is not the case that the entire organization has signatory authority.

Nominating individuals from organisations, and listing them by name, will increase accountability and security. Just having the organisation listed could lead to Employee A from Org A being the nominated signer, they leave Org A and hand over the signing responsibility to Employee B from Org A. The issue with this is that Employee A will retain some information about signing: for instance the pin number to unlock a hardware wallet.
Nominating the individuals in the company would increase the probability that when an employee leaves a company, a new key will be enrolled for a new signer employee, and the old key would be decommissioned.

Yes- this is a great point!

However, there are two big reasons why naming individual signers is not preferable in this instance:

• Multisigs intentionally represent organizations, not individuals. Oftentimes, signatory multisigs are comprised of a diverse group of people within an organization. Regardless of what one individual person may think about the utility, specification, or impact of a proposed transaction, their role is specifically to ensure the security of a proposed payload. Oftentimes, these organizations will undertake an internal security review prior to coordinating their signature. As such, many individual employees do not like to be named, because their signature on the transaction is not intended to reflect their personal assessment of the transaction itself.
• Naming individuals makes them a target for exposure. Many named individuals on multisigs do so because they operate as known independent contributors or public professionals who accept the risk of being named. This requires that they adhere to specific security standards and behaviors to ensure that their keys are not compromised.

In other words, naming an org or naming an individual is an intentional choice. And in both cases, the individual or org that is selected is done so because they are security professionals. This means upholding standards, expectations, and internal processes to ensure that they remain secure contributors, regardless of the context.

In addition, we routinely check in with signers, ensuring that they 1) have not changed teams or signers, and 2) still have access to all pins, keys, ledgers, etc.

That makes sense.
I am now in support of this proposal.