Summary
This proposal grants CANCELLER_ROLE on the protocol timelock to the protocol multisig (0x0C02d2D320C62d4088840a459fE8862C802fbA78) to add an emergency veto mechanism against malicious queued operations.
Motivation
Current governance security has an economic attack surface during periods of low INT price and low effective quorum cost.
At current conditions:
Quorum (25M INT) is relatively low in USD terms (about $7K).
A hostile actor could cheaply accumulate enough voting power to pass a malicious proposal.
A malicious proposal could queue high-impact actions (e.g., treasury-draining transfers) whose upside for the attacker far exceeds the cost of the attack.
Example risk scenario:
Attacker acquires roughly quorum-level voting power for a small capital outlay.
Attacker passes and queues a malicious treasury operation.
Without an emergency cancel authority outside the proposer flow, the protocol's reaction window during the timelock delay is narrow.
Granting CANCELLER_ROLE to the multisig provides a practical safety layer to stop queued malicious operations before they execute.
Specification
Timelock:
0xE05dD5B785f578337B2B8F695Fbc521669c69403 (GovTimelockController)
Grant:
Role: CANCELLER_ROLE (role id, keccak256("CANCELLER_ROLE")):
0xfd643c72710c63c0180259aba6b2d05451e3591a24e58b62239378085726f783
To: 0x0C02d2D320C62d4088840a459fE8862C802fbA78 (protocol multisig)
Security Considerations
CANCELLER_ROLE is powerful: it can cancel any queued operation.
This is intentional as an emergency brake against governance capture.
It does not grant proposer or executor powers.
Governance flow remains unchanged; multisig only gains veto capability on queued operations.
Operational Policy
The multisig should cancel only when at least one of the following applies:
Clear treasury-drain or privilege-escalation intent.
Proposal payload materially differs from stated intent.
Governance manipulation/capture indicators are present.
Critical bug or exploit discovered after queueing.
After any cancellation, the multisig should publish a transparent post-mortem with its rationale.