June 23, 2021 · 8 min read

Deep dive into decentralized governance - DAO

While DeFi has demonstrated extraordinary innovation, it is still a very new industry and risks abound. About $120 million worth of assets were stolen from DeFi platforms in 2020. 

This week at Novum Insights we look at DeFi governance: Decentralised Autonomous Organisations (DAOs), the infamous DAO hack, how DAO governance is commonly executed and some of its vulnerabilities, and the improvements that projects are working on.

Why Does DAO Governance Matter in DeFi?

Decentralised Autonomous Organisations (DAOs) are “non-hierarchical organizations that perform and record routine tasks on a peer-to-peer, cryptographically secure, public network, and rely on the voluntary contributions of their internal stakeholders to operate, manage, and evolve the organization through a democratic consultation process”. DAOs are in common use for DeFi and conservatively oversee more than $543 million. DeFi DAOs help users transfer cryptocurrencies across different blockchains, and serve popular DeFi use cases such as crypto lending or yield farming.

DAOs are open-source, and thus transparent and, in theory, incorruptible, but depending on the governance rules there are different levels of decentralization. While the network might be geographically decentralized and have many independent but equal network actors, the governance rules written in the smart contract or blockchain protocol will always be a point of centralization and a loss of direct autonomy. DAOs can be architecturally decentralized (independent actors run different nodes) and geographically decentralized (subject to different jurisdictions), but they are logically centralized (the protocol).

DAOs have both internal and external governance components. Internal governance is characterized by non-hierarchical modes of governance and has quasi-democratic features. External governance is the reliance on clusters of servers and individual nodes for the functioning of the network and for decision-making. Notably, those who control nodes and server capacity can exert undue influence on decision-making, more so than other actors.

Robbie Morrison et al. summarise key features and risks of DAOs. These are (1) there are no trusted human executives since the organization is governed and operated by smart contracts, (2) the smart contracts which form their governance are written and executed as computer code, (3) monitoring and enforcement of smart contracts are likewise by computer algorithms, (4) there are weak or non-existent mechanisms for dispute resolution as the code both governs and executes.

The best-known failure of DAO governance demonstrated how formative and vulnerable DAO governance can be. Launched in 2016 on the Ethereum blockchain, The DAO was a decentralized autonomous organization intended to act as a venture capital firm governed by its investors. After it had raised 12.7 million Ether (worth $150 million at the time), The DAO was hacked and $60 million worth of Ether was drained through a loophole found in the code base. The Ethereum community decided to hard fork to restore the stolen funds.

In The DAO, a smart contract granted investors voting rights in proportion to their investment, and decisions regarding the distribution and management of its $150 million fund, risk, residual claims, voting rights and voting itself were reached through the consensus of the investing community. However, the investors' priorities and values did not align, and there were no contingencies to define, manage or control these conflicts. Since the decision-making structure was implemented and managed solely by the code, The DAO left the entirety of its governance operations to an algorithm, which became its sole governance mechanism. It operated as it was instructed and according to previously agreed rules. The attack was a clever exploitation of The DAO's blockchain-encoded smart contract.

This experience raises legitimate questions about whether someone should be accountable in DAOs, how governance details, legal and ethical questions and logic flaws in the code are corrected, and who bears liability for losses. In a DAO, IT governance and corporate governance are one and the same.

Below we map out platforms that develop DAO frameworks in order to help companies facilitate decentralized governance. We look at Aragon, Moloch, DAOstack, OpenLaw and projects using their frameworks.

[Figure: map of platforms developing DAO frameworks (Aragon, Moloch, DAOstack, OpenLaw) and the projects using them. Source: Novum Insights]

Aragon has achieved the most extensive ecosystem and mindshare. More than 1700 organizations leveraged Aragon’s technology and more than $400 million is overseen according to DeepDAO. High-profile projects including Aave, Curve and Pillar use Aragon to coordinate towards a shared goal. 

The DAO structure is especially popular among collaborative asset management projects. BarnBridge (a derivatives protocol), dHedge (a DeFi hedge fund) and PieDAO (a decentralized asset manager) use the DAO structure to lay the foundation for their products and strategies.

Moloch was created to manage grants to Ethereum projects; membership requires a proposal. The most successful project using MolochDAO is the venture DAO MetaCartel, which has made investments in Zapper Finance, PoolTogether, Opium, Rarible, xDai and more.

DAOstack oversees about $54 million, and the projects using DAOstack's framework include Gnosis, PrimeDAO and DXdao. DXdao governs projects such as Omen (a prediction market) and Swapr (an AMM). PrimeDAO's PRIME pool governs liquidity pools on Balancer.

OpenLaw oversees more than $40 million, and its projects include The LAO and FlamingoDAO. The LAO has made investments in Zerion (a DeFi investment platform), Fei Protocol (an algorithmic stablecoin project), DeBank (a wallet that tracks the DeFi markets), Charged Particles (an interest-bearing NFT project), Idle Finance (a yield protocol) and more. FlamingoDAO focuses on pooled investments in the NFT space.

The key blockchain-based governance tools are:

  1. Tokenization: the process of transforming the rights to perform an action on an asset into a transferable data element, a token, on the blockchain.

  2. Self-enforcement and formalization of rules: the process of embedding organizational rules in the form of smart contracts.

  3. Autonomous automatization: the process of defining complex sets of smart contracts as DAOs, which may enable multiple parties to interact with each other, even without human interaction. 

  4. Decentralization of power over the infrastructure: the ownership and control of the technological tools employed by the community through the decentralization of the infrastructure they rely on, such as the collaboration platforms (and their servers) employed for coordination.

  5. Increasing transparency: the process of opening the organizational processes and the associated data by relying on the persistence and immutability properties of blockchain technologies.

  6. Codification of trust: codifying a certain degree of trust into systems which facilitate agreements between agents without requiring a third party.

Governance in decentralized systems can be compromised because most DAOs raise money in one way or another and, in return, investors receive governance tokens. This creates a high degree of centralization at the start of token distribution. Users see tokens as yield, not as voting rights, leading to a very individualist approach to collaboration. Furthermore, there is no minimum level of participation required to kickstart governance, whereas for a system to be considered sufficiently decentralized there needs to be a high minimum number of token holders and participants. In many DeFi projects these economic incentives are offered, via governance tokens, for providing liquidity; they encourage competitive and speculative behavior, which leads back to a centralized governance structure as tokens slowly concentrate in a few hands.

Why is this a problem? Excessive centralization leaves projects vulnerable to attack: parties with a conflict of interest can push through proposals, and activist investors can acquire a large enough share of governance tokens to pass proposals that are profitable to them.

Vulnerabilities of DAOs also lie in the automation. The organization is governed and operated by smart contracts, and the smart contracts which form its governance are written and executed as computer code. Monitoring and enforcement of smart contracts are likewise carried out by computer algorithms, and there are weak or non-existent mechanisms for dispute resolution, since "code is law" and all participants have agreed in advance to abide by the code of the smart contract.

More mature voting alternatives are slowly emerging. Some possible improvements to DAO governance have been proposed, such as:

  • Releasing smart contracts in stages.

  • Certification and review processes.

  • Multiple security audits from respected institutions, in combination with formal verification programs for smart contracts.

  • Designing the DAO such that it can be stopped.

  • Barriers to DAO entry, such as permissioned blockchains or community guidelines, which can help ensure the success of on-chain governance.
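As an added example (not from the article or any of the frameworks it names), the following Python model of token-weighted voting implements two of the controls discussed above: a minimum-participation quorum, which the article notes most DAOs lack, and a guardian-operated stop switch. The 40% quorum, the three-voter minimum, the guardian role and the sample balances are all constructed assumptions. Run over a constructed distribution in which one holder owns 60% of the tokens, it shows that a participation threshold blocks a lone whale, but that once quorum is met a concentrated holding still passes a proposal over the opposition of every other voter.

```python
class Proposal:
    def __init__(self):
        self.votes_for, self.votes_against, self.voters = 0, 0, set()  # voters: distinct addresses

class TokenGovernance:
    """Token-weighted voting; quorum_pct, min_voters and the guardian role are assumptions."""
    def __init__(self, balances, quorum_pct=40, min_voters=3, guardian="guardian"):
        self.balances = dict(balances)            # holder -> governance tokens
        self.total_supply = sum(self.balances.values())
        self.quorum_pct = quorum_pct              # share of supply that must be cast
        self.min_voters = min_voters              # distinct holders needed for quorum
        self.guardian = guardian                  # role allowed to stop the DAO
        self.paused = False
    def concentration(self, top_n=1):
        """Percentage of voting power held by the largest top_n holders."""
        top = sorted(self.balances.values(), reverse=True)[:top_n]
        return 100 * sum(top) / self.total_supply
    def pause(self, caller):
        """Stop switch: only the guardian may halt voting."""
        if caller != self.guardian:
            raise PermissionError("only the guardian can stop governance")
        self.paused = True
    def vote(self, proposal, voter, support):
        if self.paused:
            raise RuntimeError("governance is stopped")
        weight = self.balances.get(voter, 0)
        if weight == 0 or voter in proposal.voters:
            raise ValueError("no voting power or already voted")
        proposal.voters.add(voter)
        if support:
            proposal.votes_for += weight
        else:
            proposal.votes_against += weight
    def outcome(self, proposal):
        """'no quorum' if too little supply or too few holders voted, else the result."""
        cast = proposal.votes_for + proposal.votes_against
        if len(proposal.voters) < self.min_voters or 100 * cast < self.quorum_pct * self.total_supply:
            return "no quorum"
        return "passed" if proposal.votes_for > proposal.votes_against else "rejected"

# Constructed sample distribution: one holder controls 60% of the supply.
SAMPLE_BALANCES = {"whale": 600, "alice": 150, "bob": 150, "carol": 100}

def demo():
    """Returns (top-holder share, result when the whale votes alone, result once others vote)."""
    dao, p = TokenGovernance(SAMPLE_BALANCES), Proposal()
    dao.vote(p, "whale", True)
    alone = dao.outcome(p)        # 60% of supply cast, but a single voter -> blocked by min_voters
    dao.vote(p, "alice", False)
    dao.vote(p, "bob", False)
    return dao.concentration(), alone, dao.outcome(p)   # quorum met; 600 vs 300 -> passes anyway
```

The `concentration()` figure is the number a reviewer would check before trusting the quorum alone: with 60% in one address, no participation threshold prevents that holder from deciding every contested vote.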

Many DAOs are experimenting with novel governance structures. The legal status of a DAO is also a grey area: nobody owns the organization, so who can be sued and who sues, and when a tangible asset owned by the DAO is liquidated, what rules are to be followed?

DeFi is still in its infancy as an industry and the concept of DAOs is still relatively young, so we will continue to see a greater number of players entering the market and making improvements. As with all emerging and unregulated technologies, DeFi remains a case of "caveat emptor".