GovernanceRouter
described below follows this pattern in the context of a cross-chain governance xApp.governor
, with the power to perform permissioned actions across chains. In order to empower the governor
, we deploy a cross-chain application comprised of a GovernanceRouter
contract on each chain.GovernanceRouter
can be delegated control over an arbitrary set of permissioned functions on its local chain. The only way to access the permissioned functionality is to call the function via the GovernanceRouter
contract.GovernanceRouter
is programmed to accept messages only from the governor
, which is deployed on only one chain. The governor
may call the contract locally (if it is deployed on the same chain), or it may send it messages remotely via Nomad. Because of its exclusive power over the GovernanceRouter
contracts, the governor
has exclusive rights to perform all of the permissioned roles that are delegated to the GovernanceRouter
on each chain.governor
and carries out their effects across chains; it is agnostic to how the governor
chooses to operate. This maintains flexibility to design the governance proposal process in the future.GovernanceRouter
on each chain is the power to upgrade the implementation of the Home
and Replica
contracts. This way, the governor
will have the power to conduct upgrades of the Nomad system on every chain. More details on the upgradability system can be found here.governor
will be a multisig of trusted team and community members. In the near future, the governor
role will most likely be transferred to a more fully-featured set of contracts capable of accepting proposals, tallying votes, and executing successful proposals.governor
sends message to its local GovernanceRouter
GovernanceRouter
dispatches the message...Home
to remote Replica
via NomadReplica
dispatches message to the remote GovernanceRouter
GovernanceRouter
dispatched the message directly to the local recipientReplica
or Home
contractUpgradeBeacon
that controls the implementation of Replica
or Home
owner
is the role set on all Ownable contracts upon deployment; the owner
role has exclusive permission to call functions with the onlyOwner
modifiergovernor
is deployedGovernanceRouter
is also the special GovernorRouter
which can send messages; all GovernanceRouters
on other chains can only receive governance messagesgovernor
is local, governor
will be set to the EVM address of the governor
governor
is remote, governor
will be address(0)
GovernanceRouters
; should be the same on all GovernanceRouters
; always non-zerogovernor
is local, governorDomain
is equal to the originDomain
of the local Home
contractgovernor
is remote, governorDomain
is equal to the originDomain
of the remote Home
contractoriginDomain
of the local Home
contract on the chain of the GovernorRouter
GovernanceRouters
to determine whether an incoming Nomad message was sent from the GovernorRouter
GovernorRouter
, the GovernanceRouter
will handle the incoming messageGovernanceRouter
on every other chainrouters
GovernanceRouter
that has permission to send governance messages to all other GovernanceRouters
GovernanceRouter
on the governor chainGovernanceRouter
system, it has the unique ability to call permissioned functions on any contract on any chain that transfers permission to the local GovernanceRouter
GovernorRouter
GovernorRouter
has exclusive permission to send messages via Nomad to all other GovernanceRouters
GovernanceRouters
can have arbitrary permissions delegated to them by any contract on their local chaingovernor
is the entity with the power to call any permissioned function delegated to any GovernanceRouter
on any chaingovernor
throughout the Nomad system; it can be deployed on any chaingovernor
role can always be transferred to another contract, on the same chain or a different remote chainGovernanceRouters
; set to zero on all GovernanceRouters
except on the governor chainGovernanceRouter
to the permissioned role, which — by extension — gives the governor
exclusive permission to call those functions (regardless of whether the governor
is remote or local)Home
contract on the governor chain, this is currently a "catastrophic failure state" — no further governance actions can be rolled out to remote chains; we must create a plan to recover the system in this case.governor
constructs the array of (to, data)
calls to the permissioned functions on the contracts that will perform the upgrades on that chaingovernor
sends a transaction to the GovernanceRouter.callRemote
function on its local the , passing in the domain
of the remote chain and the array of (to, data)
calls of transactions to execute on that chainGovernanceRouter
constructs an Nomad-compatible message from the array of calls, addresses the message to the remote GovernanceRouter
, and sends the message to the local Home
contractHome
to the remote Replica
contract on the specified domain
Replica
dispatches the message to the specified recipient, which is the local GovernanceRouter
GovernanceRouter
parses the message to decode the array of (to, data)
callsGovernanceRouter
uses low-level call to execute each of the transactions in the array within the local chaindomain
does not change, owner
changes to a new bytes32
address)domain
changes to the remote, owner
changes from a non-zero bytes32
to bytes32(0)
)domain
changes to the local domain, owner
changes from bytes32(0)
to a non-zero bytes32
)domain
changes to the new remote owner, owner
remains bytes32(0)
)routers
mapping on every other GovernanceRouter
GovernanceRouter
system will have the following permissions:Home
(via UpgradeBeacon
pattern)Replicas
(via 1-to-N UpgradeBeacon
pattern)UpgradeBeacon
pattern)GovernanceRouter
will NOT have permission to:Replica
from the UsingNomad
contract, which will require a specialized role that can act quicklygovernor
will most likely be a multisig controlled by trusted team and community membersgovernor
role will most likely be transferred to a decentralized governance contract