Make Osmosis PERMISSIONLESS

Linking the two previous discussion threads for context:

This vote comes down to comparing the risk of permissionless CosmWasm causing a potential security issue when a bug is discovered and not fixed immediately vs. the barrier that permissioned CosmWasm causes to development.

In my view, the barrier is incredibly low since Osmosis has never rejected an upload key to a team that went to the chain to ask for one, but there is a barrier that may deter casual developers from deploying.

Conversely, the risk is far greater despite permissionless upload being available on the mentioned chains. Cosmos has just had the IBC hooks bug that was enabled by Terra having permissionless upload enabled.

The next step of the process was to upload the malicious contract used to manipulate the IBC timeouts as code id 3114 and then subsequently instantiate the contract two times.
Terra IBC Hooks Exploit Analysis - Range Security

There was also a high severity patch for CosmWasm in January of this year that was specifically called out to only impact Permissionless chains and required urgent upgrades on all other chains:

There is a time for Permissionless CosmWasm, but that comes after:

  • There have been no high-severity instances for much longer
  • We have more precise rate limiting implemented to control the risk

An alternative solution may be to authorize a subDAO to allocate these upload keys rather than relying entirely on governance. This would make the barrier to upload almost non-existent for anyone who can prove that they are working on a viable project and shorten the cycle time for getting this upload key—although an 8-day delay on deployment doesn’t seem excessive since it is one-time only.
