As part of its Minimized Governance framework, the eBTC protocol utilizes two timelock contracts to ensure a secure, transparent and structured approach to most governance changes: the High Security Timelock and the Low Security Timelock.

Both timelock contracts are based on OpenZeppelin's TimelockController, a trusted and widely used contract in DeFi. This choice underscores the commitment to using robust and secure solutions for critical governance functions.

Each Timelock will be “owned” by itself. This means that any changes to its permissions and delay time must go through a time-locked transaction, ensuring a layer of built-in security and transparency.

A key feature of this timelock is its built-in veto capability, allowing specific transactions to be canceled before their execution is enabled. Initially, eBTC will not designate any veto power. However, the plan is to gradually identify and incorporate a group of esteemed figures from the industry and security community to serve as guardians, leveraging this vetoing function to maintain the integrity and safety of the platform.

This timelock has a longer delay period of 7 days, and is used for changes that have a significant impact on the protocol's security, stability. It is controlled by the HighSec TechOps multisig which has a 4/7 threshold and is made up of the core development team and back-up signers from BALCO, ensuring that major decisions are made with due diligence and the highest security.

With a shorter delay of 2 days, this timelock is intended for more routine or less critical updates. It allows the protocol to remain agile and responsive to the needs of the ecosystem without compromising on security. It is controlled by the LowSec TechOps multisig, made up of the same signers as its HighSec but with a 3/7 threshold in favor of a higher agility.

Notably, the capability to pause redemptions and flashloans is directly controlled by the TechOps multisigs, bypassing the timelock mechanism. This design choice is based on the need for quick action in the event of detected vulnerabilities, emphasizing the protocol’s commitment to security and user protection.

A new multisig, called the Fee Recipient multisig and made up of Badger Treasury signers, will be the only one, besides the Timelocks, allowed to call the fee collection function. This is only a precautionary measure and may change since the transfer of fees uses a hardcoded path to the fee recipient so, in theory, calling this function could be safely made permissionless in the future.

There are different useful tools in place to ensure that every stakeholder has access to real-time information and the ability to engage with the governance process. Learn more about them here.