Governance

Timelock-based on-chain governance for the Inferno token — proposals, roles, parameter changes, and emergency controls.

1. Overview

The Governance contract is a timelock governor that controls the InfernoToken contract. After transferOwnership() was called, ALL token parameter changes must go through Governance — there is no backdoor.

Mandatory delay between proposal creation and execution (default: 48 hours)
Guardian role can emergency-cancel proposals at any time before execution
Self-governing: even the timelock delay itself can only be changed through a proposal
Fully transparent — every proposal and execution is an on-chain event

Contract: 0x6050b22E4EAF3f414d1155fBaF30B868E0107017 — View on Etherscan (Sepolia)

2. Timelock Mechanics

Every proposal is subject to a mandatory delay before it can be executed. This gives the community time to review and, if necessary, raise concerns.

Parameter	Value	Notes
`MIN_DELAY`	1 hour (3,600s)	Absolute minimum — hardcoded, cannot be lowered
`MAX_DELAY`	30 days (2,592,000s)	Absolute maximum — hardcoded
`delay` (current)	48 hours (172,800s)	Default value, changeable via self-governance

When a proposal is created, its ETA (Earliest Time of Arrival) is set to block.timestamp + delay. The proposal cannot be executed before this timestamp.

Important: Changing the delay itself must go through the timelock. This prevents an attacker from reducing the delay to zero and immediately executing a malicious proposal. See Section 9: Self-Governance for details.

3. Proposal Lifecycle

Every governance action follows the same lifecycle. Below is the visual flow:

propose(target, data)

→

Pending
eta = now + 48h

→

wait for ETA...

→

Executable

→

execute(proposalId)

→

Executed

Alternative path (any time before execution):

→

cancel(proposalId)

→

Cancelled

Pending

Executable

Executed

Cancelled

States Explained

Pending — Proposal has been created but ETA has not been reached. Cannot be executed yet.
Executable — ETA has passed. The owner can call execute() to carry out the proposal.
Executed — The target function has been called successfully. This is a terminal state.
Cancelled — The proposal was cancelled by the owner or guardian before execution. Terminal state.

4. Roles

The Governance contract defines three distinct roles with clearly separated permissions:

Role	Permissions	Current Holder
Owner	`propose`, `execute`, `cancel`, `setGuardian`, `setOwner`	Deployer 0x5Ecc668eab04C5bee81b5c7242e1077c946dE406
Guardian	`cancel` only (emergency) Cannot propose or execute	Deployer 0x5Ecc668eab04C5bee81b5c7242e1077c946dE406
Self (Governance contract)	`setDelay` (only via its own timelock)	Governance 0x6050b22E4EAF3f414d1155fBaF30B868E0107017

Note: On mainnet, the Owner and Guardian roles will be transferred to a Gnosis Safe multisig for additional security.

5. What Parameters Can Be Changed

The following functions on InfernoToken (and Governance itself) can only be called through the governance timelock:

Function	Description	Constraints
`InfernoToken.setFeeRates(senderBurnBps, recipientBurnBps, poolFeeBps)`	Change the fee rates for transfers	Total must not exceed 5% (500 bps)
`InfernoToken.setFeeExempt(address, bool)`	Add or remove fee exemptions for specific addresses	—
`InfernoToken.setPoolFeeReceiver(address)`	Change the address that receives pool fees	Cannot be zero address
`Governance.setDelay(uint256)`	Change the timelock delay	Self-governance only; MIN_DELAY ≤ value ≤ MAX_DELAY

6. Creating a Proposal

Use ethers.js (v5) to create a governance proposal. The propose() function takes the target contract address and the encoded calldata:

// Example: Change fee rates to 1.5% sender burn + 0.5% recipient burn + 1% pool fee
const governance = new ethers.Contract(GOV_ADDRESS, GOV_ABI, signer);

// Encode the function call
const iface = new ethers.utils.Interface([
  "function setFeeRates(uint256,uint256,uint256)"
]);
const calldata = iface.encodeFunctionData("setFeeRates", [150, 50, 100]);

// Submit the proposal
const tx = await governance.propose(TOKEN_ADDRESS, calldata);
const receipt = await tx.wait();

// Get the proposal ID from the event
const event = receipt.events.find(e => e.event === "ProposalCreated");
console.log("Proposal ID:", event.args.proposalId.toString());
console.log("ETA:", new Date(event.args.eta.toNumber() * 1000));

Tip: The proposal ID is emitted in the ProposalCreated event. Store it — you will need it to execute or cancel the proposal later.

7. Executing a Proposal

After the 48-hour delay has passed, the owner can execute the proposal:

// After 48h delay has passed
const tx = await governance.execute(proposalId);
const receipt = await tx.wait();

console.log("Proposal executed in block:", receipt.blockNumber);
// The target function (e.g., setFeeRates) has now been called

If you try to execute before the ETA, the transaction will revert with "Governance: too early".

8. Guardian Emergency Cancel

The Guardian role exists as a safety mechanism. A guardian can cancel any pending proposal instantly, without waiting for the timelock delay.

Designed for emergency response (e.g., a malicious proposal is detected)
The guardian cannot propose or execute — only cancel
Cannot undo an already-executed proposal (execution is permanent on-chain)
The owner can also cancel proposals (they have a superset of permissions)

// Guardian cancels a suspicious proposal
const guardianGovernance = governance.connect(guardianSigner);
const tx = await guardianGovernance.cancel(proposalId);
await tx.wait();

console.log("Proposal", proposalId, "cancelled by guardian");

9. Self-Governance

The setDelay() function has the onlySelf modifier, meaning it can only be called by the Governance contract itself. No external account — not even the owner — can call it directly.

How to Change the Delay

Propose a call where the target is the Governance contract itself and the calldata encodes setDelay(newDelay)
Wait for the current delay to elapse (48h by default)
Execute the proposal — the Governance contract calls itself

// Example: Change delay from 48h to 72h (259200 seconds)
const iface = new ethers.utils.Interface(["function setDelay(uint256)"]);
const calldata = iface.encodeFunctionData("setDelay", [259200]);

// Target is the Governance contract itself
const tx = await governance.propose(GOV_ADDRESS, calldata);
await tx.wait();

// ... wait 48 hours ...

await governance.execute(proposalId);

Security: This design prevents "instant delay reduction" attacks. An attacker who gains owner access cannot reduce the delay to zero and then immediately execute a malicious proposal — they must still wait for the current delay to pass, giving the guardian time to cancel.

10. Historical Proposals (Sepolia)

Below are the governance proposals that have been submitted on the Sepolia testnet deployment:

ID	Action	Status	Details
#0	`setFeeExempt(0xA4A1ea...6A36f90, true)`	Executed	Executed 2026-02-20 Target: InfernoToken — Fee exemption for DEX Router Proposed by: Deployer (`0x5Ecc...dE406`) TX: 0x13ff46d8...
#1	`setFeeExempt(0x0Cab0A...36675d3, true)`	Executed	Executed 2026-02-22 Target: InfernoToken — Fee exemption for IFRLock (required for unlock()) Proposed by: Deployer (`0x5Ecc...dE406`) TX: 0x211b7949...4253a909
#2	`setFeeExempt(0x6EF04c...7AF090, true)`	Cancelled	Cancelled via Guardian Target: InfernoToken — Fee exemption for PartnerVault v1 (deprecated) Reason: PartnerVault v1 replaced by v2 with upgraded features TX: 0xaa829332...
#3	`setFeeExempt(0x5F12...490A39, true)`	Executed	Executed: 2026-02-26 09:44 CET Target: InfernoToken — Fee exemption for PartnerVault v2 1.4M IFR top-up completed — PartnerVault now 40M IFR TX: `0x3f28690a04345700cc847bb495efc7bf50c98456be3d10ebf3926237f57de6e8`
#4	`transferOwnership(Governance)`	Cancelled	Target: LiquidityReserve (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#5	`transferOwnership(Governance)`	Cancelled	Target: BuybackVault (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#6	`transferOwnership(Governance)`	Cancelled	Target: BurnReserve (v1) — immutable owner, cannot transfer. v2 redeployed instead.
#7	`setFeeExempt(0x3447...1957, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for LiquidityReserve v2 TX: `0x7b54a77571fdcdd0961f100e45cc53621360cfacc80d8fdb8fe161e7937c8a25`
#8	`setFeeExempt(0x2E61...b68c, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for BuybackVault v2 TX: `0xd43d40aa9dd88c3277c0272fc823fcc7445e2b7204d11e49f58c3bda997e686e`
#9	`setFeeExempt(0xB9Fb...D75, true)`	Executed	Executed: 2026-03-02 Target: InfernoToken — Fee exemption for BurnReserve v2 TX: `0x9d51bf49d8727c46db0491cedcb60a98979d94f4699623798189454dfb48bc18`

Why was Proposal #2 cancelled? PartnerVault v1 was replaced by v2 (added authorizedCaller whitelist, anti-double-count mapping, and algorithmic emission throttle). Proposal #2 targeted the old v1 address and was cancelled via Guardian. Proposal #3 was created for the new PartnerVault v2 address (0x5F12...490A39).

Governance Learnings (Sepolia)

Contract upgrades invalidate pending proposals. When PartnerVault v1 was replaced by v2, Proposal #2 became obsolete. Always cancel outdated proposals before creating new ones for the replacement address.
Guardian cancel is faster than waiting. Instead of waiting 48h for an outdated proposal to expire, the Guardian can cancel immediately. This prevents accidental execution of proposals targeting deprecated contracts.
feeExempt must be set before funding. Transferring 40M IFR to PartnerVault v1 before setting feeExempt resulted in a 1.4M IFR fee deduction. On mainnet: always set feeExempt first, fund second.
Include version info in proposal descriptions. On-chain proposals have no description field — document the target contract version off-chain (GitHub Issue, wiki, CHANGELOG) to avoid confusion between v1/v2 addresses.
48h delay is sufficient for testnet operations. The delay provides enough time for review while not blocking rapid iteration. For mainnet, consider increasing to 72h for critical parameter changes.

11. Current Governance Model

Inferno currently operates under an Admin + Timelock governance model. This is a deliberate choice for the early phase of the protocol.

Property	Current State
Model	Single Admin + 48h Timelock
Token Voting	No — not implemented yet
DAO	No — planned for future phase
Who can propose	Owner (deployer EOA) only
Safety mechanism	Guardian can cancel any pending proposal
Transparency	All proposals and executions are on-chain events with 48h public review window

Important: Inferno is not a DAO today. The current governance is admin-controlled with a mandatory timelock. This is intentional — see below for the rationale and roadmap.

12. Future: Governance Roadmap

Governance will evolve in clearly defined phases, each building on the trust and battle-testing of the previous one:

Current
Admin + Timelock

→

Next
Multisig Governance

→

Future
Full DAO

Current: Admin + Timelock — Single owner with 48h mandatory delay. Guardian safety net. Fast iteration, security-first approach.
Next: Multisig Governance — Gnosis Safe multisig replaces single owner. Multiple signers required for proposals. Same timelock protection.
Future: Full DAO — Lock-weighted voting (IFRLock balances as voting power). Community proposals. On-chain quorum requirements. Partner tokens grant additional voting rights.

Why Not DAO from Day One?

Security over speed: Early-stage protocols need fast response to vulnerabilities
Whale manipulation: Token voting without safeguards enables hostile governance takeovers
Flash-loan attacks: Without lock-weighted voting, attackers can borrow tokens to swing votes
Community maturity: DAO governance requires an engaged, informed token holder base
Iterative decentralization: Gradual transition builds trust and battle-tests each layer

Capability Comparison

Each governance model unlocks different capabilities:

Capability	Admin+Timelock (now)	Multisig (next)	Full DAO (future)
Fee Rate Changes	Owner only	3/5 signers	Community vote
Guardian Updates	Owner only	3/5 signers	Community vote
Emergency Cancel	Guardian	Any signer	Guardian + vote
Delay Changes	Self-governance	Self-governance	Community vote
Partner Onboarding	Team decision	Multisig vote	Community proposal
Token Voting	Not available	Not available	Lock-weighted

Partner Voting Rights (DAO Phase)

In the DAO phase, voting power will be derived from locked IFR balances (via IFRLock), not freely tradable tokens. This prevents flash-loan governance attacks. Partner tokens earned through the PartnerVault also grant voting rights, ensuring that governance influence reflects real ecosystem contribution.

Security > Speed: Every governance transition is irreversible. We will only move to the next phase when the current model has been battle-tested and the community is ready. There is no timeline pressure.

13. PartnerVault Governance Features

The PartnerVault contract introduces additional governance-controlled mechanisms beyond basic parameter changes.

AuthorizedCaller Whitelist

By default, only the admin (Governance Timelock) can call recordLockReward(). To enable automated reward recording, governance can whitelist backend wallets via setAuthorizedCaller(address, true). These callers can record lock rewards but cannot change any other parameters.

Algorithmic Emission Throttle

When setIFRLock(address) is configured, the effective reward rate scales down automatically as more IFR is locked globally:

Lock ratio < 1% → full rewardBps
Lock ratio ≥ 50% → MIN_REWARD_BPS (500 = 5%)
Between 1%–50% → linear interpolation

This prevents pool exhaustion in high-adoption scenarios while maintaining attractive rewards during early growth.

Anti-Double-Count

Each (wallet, partnerId) pair can only be rewarded once, enforced by the walletRewardClaimed mapping. This prevents gaming via repeated lock/unlock cycles.

14. Governance Dashboard

A read-only React dashboard for on-chain governance monitoring is available at apps/governance-dashboard/. Run locally:

cd apps/governance-dashboard && npm run dev

Tabs: Overview (PartnerVault stats, algo throttle curve) • Partners (event-based table) • Timelock Queue (proposals with countdown) • Calldata Generator (encode governance calls).

Governance Constitution: Hard bounds, roles, upgrade path, and transparency rules are documented in GOVERNANCE_CONSTITUTION.md.

12. Phase 4 — Full DAO Roadmap

Voraussetzungen für Phase 4

Mindestens 6 Monate Mainnet-Betrieb
Mindestens 1,000 aktive IFR-Locker
Security Audit abgeschlossen
Governance Constitution ratifiziert

Token-Voting Mechanismus

Im Full-DAO-Modus stimmen IFR-Locker über Proposals ab. Voting Power = gesperrte IFR-Menge (nicht Wallet-Balance).

Parameter	Wert
Quorum	10% des total locked IFR
Voting Period	7 Tage
Timelock	48h (unverändert)
Proposal Threshold	10,000 IFR locked

Roadmap

Meilenstein	ETA	Status
Phase 0: Single EOA	Jan 2026	Aktiv
Phase 1: 2-of-3 Multisig	Q3 2026	Geplant
Phase 2: 3-of-5 Multisig	Q4 2026	Geplant
Phase 3: 4-of-7 Multisig	Q1 2027	Geplant
Phase 4: Full DAO	Q2 2027+	Geplant