One year ago, we wrote in the State of Discretion and Governance in Ampleforth about two emergency governance-only functions: setRebasePaused and setTokenPaused. These were meant to facilitate the launch process and guard users against unexpected, adverse situations. We described their behavior and also our desire to eventually remove them.

We view both of these emergency switches as options of last resort and hope they never have to be enabled. We felt it was most responsible to launch with these in place, especially in the early days when the system was new and proving its worth in an adversarial environment.
...
Going forward, as the system becomes more mature, we’d like to disable or remove these two abilities altogether.

Today, we're making good on this promise. Starting with conversations with the community, then continuing through the proposal and development process in RFC-3, and finally deployment, we're happy to announce there are no longer any pause abilities in the protocol contracts.

Motivation

As long as functions of this type exist, the Ampleforth Protocol would be open to misuse by whoever controls the governance key. This is currently a 2-of-n multisig wallet controlled by the geographically distributed development team.

As Ampleforth governance evolves, we'd like to keep its surface area as small as possible. We believe the best solution to governance is to not require it in the first place. This avoids both coordination risk and technical risk. The ideal goal is zero governance.

Pausability also makes it more difficult for outside platforms to integrate with AMPL. Not every platform is willing (or able) to implement logic that safely handles failed transfers or maliciously paused tokens. If left in place, this may have hampered AMPL's ability to support the wider financial ecosystem.

Going Forward

As always, if you're interested in becoming more involved with the evolution of Ampleforth, please reach out here in the forums or through Discord.