← Inferno

Governance

Timelock-based on-chain governance for the Inferno token — proposals, roles, parameter changes, and emergency controls.

1. Overview

The Governance contract is a timelock governor that controls the InfernoToken contract. After transferOwnership() was called, ALL token parameter changes must go through Governance — there is no backdoor.

Mandatory delay between proposal creation and execution (default: 48 hours)
Guardian role can emergency-cancel proposals at any time before execution
Self-governing: even the timelock delay itself can only be changed through a proposal
Fully transparent — every proposal and execution is an on-chain event

Contract: 0xc43d48E7FDA576C5022d0670B652A622E8caD041 — View on Etherscan

2. Timelock Mechanics

Every proposal is subject to a mandatory delay before it can be executed. This gives the community time to review and, if necessary, raise concerns.

Parameter	Value	Notes
`MIN_DELAY`	1 hour (3,600s)	Absolute minimum — hardcoded, cannot be lowered
`MAX_DELAY`	30 days (2,592,000s)	Absolute maximum — hardcoded
`delay` (current)	48 hours (172,800s)	Default value, changeable via self-governance

When a proposal is created, its ETA (Earliest Time of Arrival) is set to block.timestamp + delay. The proposal cannot be executed before this timestamp.

Important: Changing the delay itself must go through the timelock. This prevents an attacker from reducing the delay to zero and immediately executing a malicious proposal. See Section 9: Self-Governance for details.

3. Proposal Lifecycle

Every governance action follows the same lifecycle. Below is the visual flow:

propose(target, data)

→

Pending
eta = now + 48h

→

wait for ETA...

→

Executable

→

execute(proposalId)

→

Executed

Alternative path (any time before execution):

→

cancel(proposalId)

→

Cancelled

Pending

Executable

Executed

Cancelled

States Explained

Pending — Proposal has been created but ETA has not been reached. Cannot be executed yet.
Executable — ETA has passed. The owner can call execute() to carry out the proposal.
Executed — The target function has been called successfully. This is a terminal state.
Cancelled — The proposal was cancelled by the owner or guardian before execution. Terminal state.

4. Roles

The Governance contract defines three distinct roles with clearly separated permissions:

Role	Permissions	Current Holder
Owner	`propose`, `execute`, `cancel`, `setGuardian`, `setOwner`	TreasurySafe 3-of-5 0x5ad6193eD6E1e31ed10977E73e3B609AcBfEcE3b Transferred 20.03.2026 — TX
Guardian	`cancel` only (emergency) Cannot propose or execute	Deployer EOA 0x6b36687b0cd4386fb14cf565B67D7862110Fed67 Emergency cancel only — no governance power
Self (Governance contract)	`setDelay` (only via its own timelock)	Governance 0xc43d48E7FDA576C5022d0670B652A622E8caD041

Note: The Owner role was transferred to TreasurySafe (Gnosis Safe 3-of-5) on 20.03.2026. All proposals now require 3-of-5 multisig signatures. The Guardian (Deployer EOA) retains only the emergency cancel() function — it cannot propose or execute.

5. What Parameters Can Be Changed

The following functions on InfernoToken (and Governance itself) can only be called through the governance timelock:

Function	Description	Constraints
`InfernoToken.setFeeRates(senderBurnBps, recipientBurnBps, poolFeeBps)`	Change the fee rates for transfers	Total must not exceed 5% (500 bps)
`InfernoToken.setFeeExempt(address, bool)`	Add or remove fee exemptions for specific addresses	—
`InfernoToken.setPoolFeeReceiver(address)`	Change the address that receives pool fees	Cannot be zero address
`Governance.setDelay(uint256)`	Change the timelock delay	Self-governance only; MIN_DELAY ≤ value ≤ MAX_DELAY

6. Creating a Proposal

Use ethers.js (v5) to create a governance proposal. The propose() function takes the target contract address and the encoded calldata:

// Example: Change fee rates to 1.5% sender burn + 0.5% recipient burn + 1% pool fee
const governance = new ethers.Contract(GOV_ADDRESS, GOV_ABI, signer);

// Encode the function call
const iface = new ethers.utils.Interface([
  "function setFeeRates(uint256,uint256,uint256)"
]);
const calldata = iface.encodeFunctionData("setFeeRates", [150, 50, 100]);

// Submit the proposal
const tx = await governance.propose(TOKEN_ADDRESS, calldata);
const receipt = await tx.wait();

// Get the proposal ID from the event
const event = receipt.events.find(e => e.event === "ProposalCreated");
console.log("Proposal ID:", event.args.proposalId.toString());
console.log("ETA:", new Date(event.args.eta.toNumber() * 1000));

Tip: The proposal ID is emitted in the ProposalCreated event. Store it — you will need it to execute or cancel the proposal later.

7. Executing a Proposal

After the 48-hour delay has passed, the owner can execute the proposal:

// After 48h delay has passed
const tx = await governance.execute(proposalId);
const receipt = await tx.wait();

console.log("Proposal executed in block:", receipt.blockNumber);
// The target function (e.g., setFeeRates) has now been called

If you try to execute before the ETA, the transaction will revert with "Governance: too early".

8. Guardian Emergency Cancel

The Guardian role exists as a safety mechanism. A guardian can cancel any pending proposal instantly, without waiting for the timelock delay.

Designed for emergency response (e.g., a malicious proposal is detected)
The guardian cannot propose or execute — only cancel
Cannot undo an already-executed proposal (execution is permanent on-chain)
The owner can also cancel proposals (they have a superset of permissions)

// Guardian cancels a suspicious proposal
const guardianGovernance = governance.connect(guardianSigner);
const tx = await guardianGovernance.cancel(proposalId);
await tx.wait();

console.log("Proposal", proposalId, "cancelled by guardian");

9. Self-Governance

The setDelay() function has the onlySelf modifier, meaning it can only be called by the Governance contract itself. No external account — not even the owner — can call it directly.

How to Change the Delay

Propose a call where the target is the Governance contract itself and the calldata encodes setDelay(newDelay)
Wait for the current delay to elapse (48h by default)
Execute the proposal — the Governance contract calls itself

// Example: Change delay from 48h to 72h (259200 seconds)
const iface = new ethers.utils.Interface(["function setDelay(uint256)"]);
const calldata = iface.encodeFunctionData("setDelay", [259200]);

// Target is the Governance contract itself
const tx = await governance.propose(GOV_ADDRESS, calldata);
await tx.wait();

// ... wait 48 hours ...

await governance.execute(proposalId);

Security: This design prevents "instant delay reduction" attacks. An attacker who gains owner access cannot reduce the delay to zero and then immediately execute a malicious proposal — they must still wait for the current delay to pass, giving the guardian time to cancel.

10. Mainnet Governance Proposals

Governance proposals submitted on the Ethereum Mainnet deployment (0xc43d48E7FDA576C5022d0670B652A622E8caD041):

ID	Action	Proposed	ETA	Status
#0	`setFeeExempt(BootstrapVault V1, true)` V1 deprecated — transferFrom bug. Replaced by BootstrapVaultV3.	05.03.2026	07.03.2026 20:12 CET	Executed
#1	`setFeeExempt(Vesting, true)` Redundant — already exempt before ownership transfer.	08.03.2026	10.03.2026 00:21 CET	Cancelled
#2	`setFeeExempt(BurnReserve, true)` Redundant — already exempt before ownership transfer.	08.03.2026	10.03.2026 00:21 CET	Cancelled
#3	`setFeeExempt(BootstrapVaultV3, true)` Replaced by #4 with correct timing.	08.03.2026	10.03.2026 00:50 CET	Cancelled
#4	`setFeeExempt(BootstrapVaultV3, true)` TX: `0xdb1590bf…`	09.03.2026	11.03.2026 08:45 CET	Executed 11.03.2026
#5	`setFeeExempt(FeeRouterV1, true)` TX: `0x1c885fbe…`	09.03.2026	11.03.2026 08:46 CET	Executed 11.03.2026
#6	`setPoolFeeReceiver(FeeRouterV1)` TX: `0x89eebca7…`	11.03.2026	13.03.2026 09:23 CET	Executed 13.03.2026
#7	`setFeeExempt(Deployer, true)` TX: `0xfbb98818…`	16.03.2026	18.03.2026	Executed 18.03.2026
#8	`setFeeExempt(TreasurySafe, true)` TX: `0x4caadb53…`	16.03.2026	18.03.2026	Executed 18.03.2026
#9	`setFeeExempt(CommunitySafe, true)` TX: `0x1d43de02…`	16.03.2026	18.03.2026	Executed 18.03.2026
#10	`setOwner(TreasurySafe)` Cancelled (onlyOwner bug) — direct setOwner() via Deployer. TX	18.03.2026	20.03.2026	✅ Owner transferred 20.03.2026

Upcoming & Planned Proposals

#	Action	Timing	Status
#11	`setFeeExempt(CommitmentVault, true)` CRITICAL — must execute before first user lock! `0x0719d9eb28dF7f5e63F91fAc4Bbb2d579C4F73d3`	ASAP (via TreasurySafe)	Executed 06.04.2026
#12	`setFeeExempt(LendingVault, true)` CRITICAL — must execute before first deposit/borrow! `0x974305Ab0EC905172e697271C3d7d385194EB9DF`	ASAP (via TreasurySafe)	Executed 06.04.2026
#13	`setFeeExempt(BuybackController, true)` `0x1e0547D50005A4Af66AbD5e6915ebfAA2d711F7c` TX: 0x74a7c9c9…404f · Block 24890909 · BuybackController feeExempt = TRUE	Submitted 14.04.2026 · Executed 16.04.2026 10:31 Athen	Executed 16.04.2026
#14	`setFeeCollector(BuybackController)` on FeeRouterV1 Wires protocol fees → BuybackController (50/50 buyback+burn / LP deepening flywheel) Target: `0x4807B77B...C60a` · Argument: `0x1e0547D5...F7c` · FeeRouterV1.feeCollector = BuybackController ✅	Submitted 16.04.2026 · Executed 18.04.2026	Executed 18.04.2026
Planned (post-bootstrap)	`setFeeExempt(Uniswap V2 Pair, true)` CRITICAL — without this IFR is not tradeable (3.5% fee on every swap)	IMMEDIATELY after finalise()	Planned
Planned (post-bootstrap)	`setP0(CommitmentVault)` P0 = Total ETH / 100M — IMMUTABLE once set	After pool is live	Planned
Planned	LP milestone additions (50M/100M IFR + proportional ETH)	At pool depth $2k / $10k	Planned

Telegram Notifications

New governance proposals are automatically announced in the @IFRtoken channel and the $IFR Community group. Notifications are sent for:

New proposals (with action, target, ETA, and verify.html link)
Proposals becoming executable (timelock passed)
Proposals executed on-chain
Proposals cancelled

Polling interval: every 30 minutes. Deduplication ensures no double announcements. Service: voteAnnouncement.js (12 tests).

LP Reserve Safe Transfer (18.03.2026): 400.6M IFR transferred from Deployer EOA (0x6b36...ed67) to LP Reserve Safe (0x5D93E7919a71d725054e31017eCA86B026F86C04), a Gnosis Safe 3-of-5 with the same 5 signers as Treasury and Community Safes. Deployer now holds 0 IFR. This was a direct ERC-20 transfer, not a governance proposal. TX: 0xd33c771d…

Why were Proposals #1–#3 cancelled? Proposals #1 (Vesting) and #2 (BurnReserve) were redundant — both contracts were already set feeExempt directly before ownership was transferred to the Governance contract. Proposal #3 (BootstrapVaultV3) was cancelled and re-proposed as #4 with correct timing. All cancellations were performed intentionally by the Guardian (Deployer 0x6b36…ed67) on 09.03.2026.

11. Historical Proposals (Sepolia)

Below are the governance proposals that have been submitted on the Sepolia testnet deployment:

ID	Action	Status	Details
#0	`setFeeExempt(0xA4A1ea...6A36f90, true)`	Executed	Executed 2026-02-20 Target: InfernoToken — Fee exemption for DEX Router Proposed by: Deployer (`0x5Ecc...dE406`) TX: 0x13ff46d8...
#1	`setFeeExempt(0x0Cab0A...36675d3, true)`	Executed	Executed 2026-02-22 Target: InfernoToken — Fee exemption for IFRLock (required for unlock()) Proposed by: Deployer (`0x5Ecc...dE406`) TX: 0x211b7949...4253a909
#2	`setFeeExempt(0x6EF04c...7AF090, true)`	Cancelled	Cancelled via Guardian Target: InfernoToken — Fee exemption for PartnerVault v1 (deprecated) Reason: PartnerVault v1 replaced by v2 with upgraded features TX: 0xaa829332...
#3	`setFeeExempt(0x5F12...490A39, true)`	Executed	Executed: 2026-02-26 09:44 CET Target: InfernoToken — Fee exemption for PartnerVault v2 1.4M IFR top-up completed — PartnerVault now 40M IFR TX: `0x3f28690a04345700cc847bb495efc7bf50c98456be3d10ebf3926237f57de6e8`
#4	`transferOwnership(Governance)`	Cancelled	Target: LiquidityReserve (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#5	`transferOwnership(Governance)`	Cancelled	Target: BuybackVault (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#6	`transferOwnership(Governance)`	Cancelled	Target: BurnReserve (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#7	`setFeeExempt(0x3447...1957, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for LiquidityReserve v2 TX: `0x7b54a77571fdcdd0961f100e45cc53621360cfacc80d8fdb8fe161e7937c8a25`
#8	`setFeeExempt(0x2E61...b68c, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for BuybackVault v2 TX: `0xd43d40aa9dd88c3277c0272fc823fcc7445e2b7204d11e49f58c3bda997e686e`
#9	`setFeeExempt(0xB9Fb...D75, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for BurnReserve v2 TX: `0x9d51bf49d8727c46db0491cedcb60a98979d94f4699623798189454dfb48bc18`

Why was Proposal #2 cancelled? PartnerVault v1 was replaced by v2 (added authorizedCaller whitelist, anti-double-count mapping, and algorithmic emission throttle). Proposal #2 targeted the old v1 address and was cancelled via Guardian. Proposal #3 was created for the new PartnerVault v2 address (0x5F12...490A39).

Governance Learnings (Sepolia)

Contract upgrades invalidate pending proposals. When PartnerVault v1 was replaced by v2, Proposal #2 became obsolete. Always cancel outdated proposals before creating new ones for the replacement address.
Guardian cancel is faster than waiting. Instead of waiting 48h for an outdated proposal to expire, the Guardian can cancel immediately. This prevents accidental execution of proposals targeting deprecated contracts.
feeExempt must be set before funding. Transferring 40M IFR to PartnerVault v1 before setting feeExempt resulted in a 1.4M IFR fee deduction. On mainnet: always set feeExempt first, fund second.
Include version info in proposal descriptions. On-chain proposals have no description field — document the target contract version off-chain (GitHub Issue, wiki, CHANGELOG) to avoid confusion between v1/v2 addresses.
48h delay is sufficient for testnet operations. The delay provides enough time for review while not blocking rapid iteration. For mainnet, consider increasing to 72h for critical parameter changes.

12. Current Governance Model

Inferno currently operates under an Admin + Timelock governance model. This is a deliberate choice for the early phase of the protocol.

Property	Current State
Model	Single Admin + 48h Timelock
Token Voting	No — not implemented yet
DAO	No — planned for future phase
Who can propose	Owner (TreasurySafe 3-of-5) only
Safety mechanism	Guardian can cancel any pending proposal
Transparency	All proposals and executions are on-chain events with 48h public review window

Important: Inferno is not a DAO today. The current governance is admin-controlled with a mandatory timelock. This is intentional — see below for the rationale and roadmap.

12. Future: Governance Roadmap

Governance will evolve in clearly defined phases, each building on the trust and battle-testing of the previous one:

Current
Admin + Timelock

→

Next
Multisig Governance

→

Future
Full DAO

Current: Admin + Timelock — Single owner with 48h mandatory delay. Guardian safety net. Fast iteration, security-first approach.
Next: Multisig Governance — Gnosis Safe multisig replaces single owner. Multiple signers required for proposals. Same timelock protection.
Future: Full DAO — Lock-weighted voting (IFRLock balances as voting power). Community proposals. On-chain quorum requirements. Builder tokens grant additional voting rights.

Why Not DAO from Day One?

Security over speed: Early-stage protocols need fast response to vulnerabilities
Whale manipulation: Token voting without safeguards enables hostile governance takeovers
Flash-loan attacks: Without lock-weighted voting, attackers can borrow tokens to swing votes
Community maturity: DAO governance requires an engaged, informed token holder base
Iterative decentralization: Gradual transition builds trust and battle-tests each layer

Capability Comparison

Each governance model unlocks different capabilities:

Capability	Admin+Timelock (now)	Multisig (next)	Full DAO (future)
Fee Rate Changes	Owner only	3/5 signers	Community vote
Guardian Updates	Owner only	3/5 signers	Community vote
Emergency Cancel	Guardian	Any signer	Guardian + vote
Delay Changes	Self-governance	Self-governance	Community vote
Builder Onboarding	Team decision	Multisig vote	Community proposal
Token Voting	Not available	Not available	Lock-weighted

Builder Voting Rights (DAO Phase)

In the DAO phase, voting power will be derived from locked IFR balances (via IFRLock), not freely tradable tokens. This prevents flash-loan governance attacks. Builder tokens earned through the PartnerVault also grant voting rights, ensuring that governance influence reflects real ecosystem contribution.

Security > Speed: Every governance transition is irreversible. We will only move to the next phase when the current model has been battle-tested and the community is ready. There is no timeline pressure.

13. PartnerVault Governance Features

The PartnerVault contract introduces additional governance-controlled mechanisms beyond basic parameter changes.

AuthorizedCaller Whitelist

By default, only the admin (Governance Timelock) can call recordLockReward(). To enable automated reward recording, governance can whitelist backend wallets via setAuthorizedCaller(address, true). These callers can record lock rewards but cannot change any other parameters.

Algorithmic Emission Throttle

When setIFRLock(address) is configured, the effective reward rate scales down automatically as more IFR is locked globally:

Lock ratio < 1% → full rewardBps
Lock ratio ≥ 50% → MIN_REWARD_BPS (500 = 5%)
Between 1%–50% → linear interpolation

This prevents pool exhaustion in high-adoption scenarios while maintaining attractive rewards during early growth.

Anti-Double-Count

Each (wallet, partnerId) pair can only be rewarded once, enforced by the walletRewardClaimed mapping. This prevents gaming via repeated lock/unlock cycles.

14. Governance Dashboard

A read-only React dashboard for on-chain governance monitoring is available at apps/governance-dashboard/. Run locally:

cd apps/governance-dashboard && npm run dev

Tabs: Overview (PartnerVault stats, algo throttle curve) • Builders (event-based table) • Timelock Queue (proposals with countdown) • Calldata Generator (encode governance calls).

Governance Constitution: Hard bounds, roles, upgrade path, and transparency rules are documented in GOVERNANCE_CONSTITUTION.md.

12. Phase 4 — Full DAO Roadmap

Prerequisites for Phase 4

Minimum 6 months of mainnet operation
Minimum 1,000 active IFR lockers
Security audit completed
Governance Constitution ratified

Token-Voting Mechanism

In full DAO mode, IFR lockers vote on proposals. Voting power = locked IFR amount (not wallet balance).

Parameter	Value
Quorum	10% of total locked IFR
Voting Period	7 days
Timelock	48h (unchanged)
Proposal Threshold	10,000 IFR locked

Telegram DAO Layer — Topic Access Control (Phase 2)

Gated Telegram topics enforce on-chain lock requirements via WalletConnect verification on ifrunit.tech. Users connect their wallet, sign once, and the bot whitelists their Telegram account — no manual wallet entry required.

Topic	Requirement
Vote	Verified wallet + minimum IFR lock
Council	Verified wallet + higher lock threshold
Core Dev	Restricted to Gnosis Safe signers

Roadmap

Milestone	ETA	Status
Phase 0: Single EOA	Jan 2026	Completed
Phase 1: 2-of-4 Multisig	14 Mar 2026	Completed
Phase 2: 3-of-5 Multisig	15 Mar 2026	Active ✅
Phase 3: 4-of-7 Multisig	Q1 2027	Planned
Phase 4: Full DAO	Q2 2027+	Planned

13. Two-Chamber DAO Design (Phase 4)

Note: The two-chamber model described below is the planned Phase 4 architecture. It is not yet deployed. Current governance uses the single-owner Timelock described above.

Overview

IFR governance will transition to a two-chamber model combining strategic oversight (The Council) with community innovation (The Forum). Both chambers anchor votes on-chain and share the same 48h Timelock for execution.

⚖️ Chamber 1: The Council

Strategic governance for core team. Merkle-tree anchored votes. On-chain verified via RatVoting.sol.

Gnosis Safe Signers only
Protocol parameters + upgrades
48h Timelock on execution

🏛️ Chamber 2: The Forum

Community innovation layer. Token-weighted proposals. Spam protection via IFRSpamProtection.sol.

Any IFR holder (1 lock = 1 vote)
10 IFR spam protection per proposal
Top proposals → on-chain execution

Interaction Matrix

Action	The Council	The Forum
Submit Proposal	Signer only	Any IFR holder (10 IFR fee)
Vote	Signer (signature)	Any IFR holder (1 lock = 1 vote)
Execute	Permissionless after Timelock	Permissionless after consensus
Cancel	Guardian role	Downvote > 50%
Fee	None	10 IFR (refunded if successful)

Smart Contracts (Phase 4)

Contract	Purpose	Status
`RatVoting.sol`	Team governance, Merkle tree, on-chain anchoring	Planned
`ForumVoting.sol`	Community voting, ecrecover signatures	Planned
`IFRSpamProtection.sol`	10 IFR per proposal, deflationary burn	Planned

Participating in Governance

Step 0 — Verify Your Wallet

Before participating, link your wallet to your Telegram account. This proves token ownership without sharing your private key.

🔐 Verify Wallet →

Required for: Vote topic access, proposal submission, governance voting

Telegram Bot Commands

All governance interactions happen via the IFR Telegram Bot in @IFR Community. No gas required for voting — only for on-chain execution.

Command	Chamber	Who	Description
/verify	—	Everyone	Link wallet to Telegram account
/mystatus	—	Everyone	Show wallet tier and topic access
/proposals	Both	Everyone	List active governance proposals
/propose "title"	The Forum	IFR Holders	Submit proposal (10 IFR spam protection)
/vote [id] [yes/no]	The Forum	IFR Holders	Vote via cryptographic signature — no gas
/result [id]	Both	Everyone	Show result + on-chain TX if executed
/ratpropose "title"	The Council	Signers only	Strategic proposal (no fee)
/ratvote [id] [yes/no]	The Council	Signers only	Signer vote — Merkle tree anchored

Note: /propose, /vote, /ratpropose, /ratvote are Phase 4 commands — not yet active. /verify and /mystatus are live now.

Topic Access Requirements

Topic	Requirement	How to qualify
⚖️ Core Dev	Gnosis Safe Signer	Added by governance as Safe owner
⚖️ Council	Gnosis Safe Signer	Same as Core Dev
🗳️ Vote	Any locked IFR > 0	Lock IFR → then /verify
🔨 Dev & Builder	Registered Builder	Apply as Builder → then /verify