An emergency recovery mechanism for the governance contract is included as a fallback in case something goes wrong with the governance contracts and they are no longer usable (e.g., if they are bricked because of a smart contract bug or an incorrect parameterization change).
The emergency recovery mechanism is composed of a backup multisig combined with an optimistic approval mechanism and various safeguards, as implemented in EmergencyRecovery.
The emergency recovery mechanism has the following properties:
- Multisig signers are assigned by governance and can be changed at any time
- The multisig can initiate an upgrade to the governance contract subject to a timelock
- (Optimistic approval) during the timelock, governance can vote to override the upgrade
- Emergency recovery has a sunset built in, which can optionally be extended by governance
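The following Solidity sketch is an added illustration of how those four properties fit together in one contract; it is not the project's EmergencyRecovery code, and the contract name, state variable names, and the assumed `upgradeTo(address)` entry point on the governance contract are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the mechanism described above; contract, variable and
// function names and the upgradeTo(address) call on governance are assumptions.
contract EmergencyRecoverySketch {
    address public governance;          // governance contract, also the upgrade target
    address public multisig;            // backup signers, assigned and rotated by governance
    uint256 public immutable timelock;  // window in which governance may veto a proposal
    uint256 public sunset;              // timestamp after which the mechanism is inert
    address public pendingImplementation;
    uint256 public proposedAt;

    modifier onlyGovernance() { require(msg.sender == governance, "not governance"); _; }
    modifier onlyMultisig()   { require(msg.sender == multisig, "not multisig"); _; }

    constructor(address gov, address sig, uint256 delay, uint256 sunsetAt) {
        governance = gov; multisig = sig; timelock = delay; sunset = sunsetAt;
    }
    // Governance may rotate the backup signers at any time.
    function setMultisig(address newMultisig) external onlyGovernance { multisig = newMultisig; }
    // Governance may extend the sunset; shortening is rejected.
    function extendSunset(uint256 newSunset) external onlyGovernance {
        require(newSunset > sunset, "sunset can only be extended");
        sunset = newSunset;
    }
    // Multisig proposes a replacement governance implementation, starting the timelock;
    // re-proposing overwrites the pending proposal and restarts the clock.
    function proposeUpgrade(address newImplementation) external onlyMultisig {
        require(block.timestamp < sunset, "recovery has sunset");
        pendingImplementation = newImplementation;
        proposedAt = block.timestamp;
    }
    // Optimistic approval: governance can override the upgrade while the timelock runs.
    function veto() external onlyGovernance {
        require(pendingImplementation != address(0), "nothing pending");
        require(block.timestamp < proposedAt + timelock, "timelock elapsed");
        pendingImplementation = address(0);
    }
    // Anyone may execute once the timelock elapsed without a veto and before sunset.
    function executeUpgrade() external {
        address impl = pendingImplementation;
        require(impl != address(0), "nothing pending");
        require(block.timestamp >= proposedAt + timelock, "timelock active");
        require(block.timestamp < sunset, "recovery has sunset");
        pendingImplementation = address(0);
        (bool ok, ) = governance.call(abi.encodeWithSignature("upgradeTo(address)", impl));
        require(ok, "upgrade call failed");
    }
}
```

Note that the sunset is checked both at proposal and at execution, so a proposal whose timelock straddles the sunset fails closed rather than letting the backup multisig act after its mandate has expired.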