Decision
OpenZeppelin Governor whose voting weight is an operator’s delivered bytes over a trailing window — not TOKEN balance — with a 4% quorum and a 2-day timelock. All governable parameters have hardcoded safety bounds that governance cannot override. A 3-of-5 emergency multisig can pause contracts, add emergency blacklist entries, and triage disputed slashes and blacklist entries, and has a 12-month sunset enforced via an immutable constructor deadline — governance cannot extend it; prolonging emergency capability requires deploying a new contract version and migrating through the standard upgrade path.
Voting weight
Voting weight is each operator’s served bytes over a trailing window (default ~1 quarter, governable), scaled by a tenure ramp and capped per operator (default 5% of the window’s bytes).
- Passive TOKEN holders have no vote. Governance power tracks real delivery, not holdings — you must operate a node and serve bytes to vote.
- Fresh operators ramp in. A new operator that serves heavily on day one still votes at a fraction of its byte share until the tenure ramp completes over several months.
- Slashing zeroes out the vote. A slashed operator’s weight drops to zero for the rest of the window, then recovers as the window slides past the slash.
FeeRouter settlement counter, so weight is auditable and cannot be claimed without paid delivery.
Launch phase
Served-bytes DAO voting only activates once the operator set is large enough to make it safe. Until then — the first 6–12 months post-launch — a 5-of-9 bootstrap multisig (distinct from the emergency multisig) operates the protocol within the same safety bounds. The bootstrap phase ends, irreversibly, when the active operator count reaches ≥ 30 and total declared capacity reaches ≥ 100 Gbps; at the transition, governance role authority transfers to the timelock-controlled Governor and the bootstrap multisig cannot be reinstated.
Hardcoded safety bounds
Even governance cannot set parameters outside these bounds:

| Parameter | Bounds |
|---|---|
| Operator revenue share (FeeRouter base) | 40% – 90% |
| Burn share (FeeRouter) | ≥ 5% |
| Dispute window | 12 h – 72 h |
| Per-operator voting cap | 1% – 25% |
| Unbonding window | 7 – 60 days |
require() checks in the setter functions. A malicious governance proposal that attempts to push the operator revenue share below its floor simply reverts. (Slashing tiers — 5% / 15% / 50% by lifetime offense count — are fixed constants, not governable parameters; see slashing.)
Emergency multisig
3-of-5 signers. Limited to:
- Pause any contract (Pausable)
- Add emergency blacklist entries (with 14-day auto-expiry or 90-day for CSAM/terrorist categories — see takedown)
- Triage disputed slashes and blacklist entries — fast-track or reject an appeal within a fixed window, never decide it unilaterally
Cannot:
- Move funds
- Change parameters
- Grant roles
pause() and emergency blacklisting revert on-chain. Governance cannot modify the deadline; to retain emergency capability past the sunset, a new contract version with a new deadline must be deployed and migrated to via the standard upgrade path (timelock + governance vote). This guarantees the sunset cannot be silently extended.
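
A sketch of the two enforcement mechanisms described above (bounds checked with require() in the setter, and an emergency deadline fixed in the constructor), as an added example that is not the project's contract code. Contract, variable and error names are hypothetical; the basis-point encoding, a single address for the multisig and 365 days for the 12-month sunset are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: contract, variable and error names are hypothetical.
contract BoundedParams {
    // Bounds copied from the table; the basis-point encoding is an assumption.
    uint16 public constant MIN_OPERATOR_SHARE_BPS = 4000; // 40%
    uint16 public constant MAX_OPERATOR_SHARE_BPS = 9000; // 90%

    address public immutable timelock;          // only caller allowed to change parameters
    address public immutable emergencyMultisig; // assumed: the 3-of-5 multisig is one address
    uint256 public immutable emergencyDeadline; // written once in the constructor; no setter exists

    uint16 public operatorShareBps;
    bool public paused; // unpause path omitted from this sketch

    error NotAuthorized();
    error EmergencyPowersExpired();

    constructor(address timelock_, address multisig_, uint16 shareBps) {
        timelock = timelock_;
        emergencyMultisig = multisig_;
        emergencyDeadline = block.timestamp + 365 days; // 12-month sunset, taken as 365 days
        _setOperatorShare(shareBps); // the initial value passes the same check
    }

    // Reached only through the Governor's timelock; an out-of-bounds value
    // reverts, so the queued proposal fails at execution.
    function setOperatorShareBps(uint16 bps) external {
        if (msg.sender != timelock) revert NotAuthorized();
        _setOperatorShare(bps);
    }

    // Reverts for every caller once the deadline has passed, the multisig included.
    function pause() external {
        if (msg.sender != emergencyMultisig) revert NotAuthorized();
        if (block.timestamp > emergencyDeadline) revert EmergencyPowersExpired();
        paused = true;
    }

    function _setOperatorShare(uint16 bps) private {
        require(
            bps >= MIN_OPERATOR_SHARE_BPS && bps <= MAX_OPERATOR_SHARE_BPS,
            "operator share out of bounds"
        );
        operatorShareBps = bps;
    }
}
```

Because the bounds are constants and the deadline is immutable, neither lives in storage that a proposal could rewrite; changing either means deploying new bytecode.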
Proposal flow
- Proposer’s served-bytes weight ≥ the proposal threshold.
- propose() with target, calldata, description.
- Voting period (default 7 days, after a 1-day voting delay).
- Quorum check — 4% of total delivered bytes in the trailing window.
- Queue in timelock (2 days).
- Execute.