A dive into various DAO structures and their vulnerabilities, exploring how decentralized organizations will continue to evolve over time.
Decentralized Autonomous Organizations
The essence of human organizations may be boiled down to a set of properties and protocols for a group of individuals with particular conditions for interactions. These groups can be generalized into various classes depending on the context. A traditional corporation, for example, may be divided into customers, employees, and investors. Customers have an “open membership,” which allows them to interact freely with the corporation; employees are hired by an investor or another employee authorized to do so; and an investor holds partial ownership of the corporation’s assets.
A decentralized organization (DO) takes the concept of an organization and aims to eliminate its central points of failure. Some elements of social and legal systems are replaced by protocol code, which is typically enforced by an immutable blockchain. Using a blockchain offers higher levels of transparency, reduces bureaucracy, and minimizes the principal-agent dilemmas of organizations, including the resulting moral hazards, i.e. agents not acting in the best interest of a client on a trade, sale, or decision. Uniswap serves as a good example of a decentralized organization: its constant-product automated market maker (AMM) enables the trading of blockchain tokens without relying on market makers, bids, or asks.
Conceptually, a DAO is often described as an entity on the internet that operates autonomously but relies on individuals to perform specific tasks that the automaton cannot do itself. To place DAOs precisely, it helps to first distinguish decentralized organizations (DOs), automated agents (AAs), and decentralized applications (DAs), following Buterin’s terminology guide.
The most prominent difference between DAs and DAOs is that DAOs hold internal capital that functions as valuable internal property, enabling them to reward certain tasks. The main difference between a DO and a DAO is the emphasis on automation. While a DO requires humans to make decisions directly, a DAO can in theory rely more on automated decisions, with a set of actors controlling the information used to inform those decisions.
Both DOs and DAOs are vulnerable to collusion. Within a DAO, collusion is treated as a bug; within a DO, members coordinating on a decision can be a feature, since social consensus is what typically lends the decision-making process its legitimacy.
To distinguish DAOs from automated agents: a DAO still requires humans to perform vital actions in order to operate, whereas AAs operate with complete autonomy. A quadrant chart with automation on one axis and internal capital on the other is a useful way to visualize these distinctions.
Decentralized Structures
The founding team and the community are the two primary actors within a DAO. Once formed, a DAO operates through governance and implementation.
Governance is the process of overseeing the lifecycle of a change, often through on-chain or off-chain voting. Implementation is the action that must be taken to follow through with a change in the project. Different organizational structures, methods of consensus, and delegations of responsibilities have a meaningful impact on how DAOs effect change through these processes.
The structures of various DAOs differ greatly from one another, so it can be useful to divide them into decentralization categories such as coreDAOs, govDAOs, and pseudoDAOs.
- CoreDAOs feature weak team control, and often rely upon the entire community when implementing project/protocol changes. CoreDAOs often have well-structured and well-defined working groups and pipelines.
- GovDAOs feature moderate team control — often with immutable governance — and are most often seen in vote-escrowed (ve) token models. GovDAOs typically implement changes through a combination of team members and automation.
- PseudoDAOs feature a high degree of team control, centralization, and mutable governance. Usually controlled by a core team, pseudoDAOs tend to change little as projects and see little governance activity or community participation.
These categories occupy a spectrum, with a sliding scale that may change over time.
Many projects rush to implement DAO mechanics, but it’s better to skip this process than to form a pseudoDAO simply for the sake of decentralization. Although it may be easily justifiable early in a project’s development, it often negatively impacts longevity. Users tend to favor composability when evaluating projects or protocols, and hastily formed pseudoDAOs serve as a warning sign. The objective should be to observe and learn from mature projects and iterate on their design.
Keep in mind that there’s a balancing act between building out a product offering and maintaining productive output (or a first-mover advantage). It would be wrong to assume that all pseudoDAOs fail, are abandoned, or are malicious. Governance is not a hard-and-fast requirement for a project, and there is nothing inherently wrong with pseudoDAOs — the structure may serve as a great starting point for a project before it evolves into a more coherent organization.
Due to their more defined governance structure, govDAOs often feature a form of vote-escrow token. CurveDAO’s ve time-weighted locking model is a prime example. Before this mechanism was implemented, many liquidity providers (LPs) would stake their assets to maximize their rewards via the native token and then dump and drain liquidity, thus becoming “mercenary capital” or “liquidity locusts.”
With the popularization of Curve’s ve model, users became incentivized to be long-term participants in order to receive rewards, direct LP gauge emissions, and participate in governance — thus increasing the inherent value of their token and attempting to align power and responsibility.
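As an added illustration (not code from this article, and not Curve’s contract), the following Python toy reproduces the vote-escrow mechanism described above. It keeps two of Curve’s design constants, a four-year maximum lock and week-aligned unlock times; everything else (the `VotingEscrow` class, the `demo()` scenario, the amounts and timestamps) is constructed for this example. It shows why a four-week lock of 1,000 tokens is worth almost nothing in governance next to a four-year lock of the same amount, how weight decays linearly to zero, and that an early exit is refused, which is the property that turns “mercenary capital” into a long-term participant.

```python
"""Toy vote-escrow (ve) model. Weight = amount * remaining_lock / MAXTIME,
recomputed on every read, so it decays linearly and reaches zero at unlock.
MAXTIME and week alignment follow Curve's veCRV; the rest is constructed."""

WEEK = 7 * 24 * 3600
MAXTIME = 4 * 365 * 24 * 3600          # 4-year maximum lock (Curve's constant)


class Lock:
    __slots__ = ("amount", "end")

    def __init__(self, amount: int, end: int) -> None:
        self.amount = amount             # tokens locked
        self.end = end                   # unlock timestamp, week-aligned


class VotingEscrow:
    def __init__(self) -> None:
        self.locks: dict[str, Lock] = {}

    def create_lock(self, who: str, amount: int, unlock_time: int, now: int) -> None:
        end = (unlock_time // WEEK) * WEEK       # round down to a week boundary
        if amount <= 0:
            raise ValueError("nothing to lock")
        if end <= now:
            raise ValueError("unlock time must be in the future")
        if end > now + MAXTIME:
            raise ValueError("lock longer than MAXTIME")
        if who in self.locks:
            raise ValueError("withdraw the existing lock first")
        self.locks[who] = Lock(amount, end)

    def balance_of(self, who: str, now: int) -> int:
        """Current voting weight; zero once the lock has expired."""
        lock = self.locks.get(who)
        if lock is None or now >= lock.end:
            return 0
        return lock.amount * (lock.end - now) // MAXTIME

    def vote_share(self, who: str, now: int) -> float:
        """Fraction of all live weight held by `who`, i.e. gauge-vote power."""
        total = sum(self.balance_of(w, now) for w in self.locks)
        return self.balance_of(who, now) / total if total else 0.0

    def withdraw(self, who: str, now: int) -> int:
        """Tokens come back only after the lock has expired: no early exit."""
        lock = self.locks[who]
        if now < lock.end:
            raise PermissionError("locked until %d" % lock.end)
        del self.locks[who]
        return lock.amount


def demo() -> dict[str, int]:
    """Two LPs lock 1,000 tokens each: one for 4 years, one for 4 weeks."""
    now = 2800 * WEEK                    # a week-aligned timestamp (constructed)
    ve = VotingEscrow()
    ve.create_lock("long_term", 1000, now + MAXTIME, now)
    ve.create_lock("mercenary", 1000, now + 4 * WEEK, now)
    out = {
        "long_now": ve.balance_of("long_term", now),            # 997
        "short_now": ve.balance_of("mercenary", now),           # 19
        "short_after_2w": ve.balance_of("mercenary", now + 2 * WEEK),   # 9
        "short_after_4w": ve.balance_of("mercenary", now + 4 * WEEK),   # 0
        "long_after_2y": ve.balance_of("long_term", now + 104 * WEEK),  # 498
        "long_share_pct": int(ve.vote_share("long_term", now) * 100),   # 98
    }
    try:
        ve.withdraw("mercenary", now + 3 * WEEK)               # one week too early
        out["early_exit"] = 1
    except PermissionError:
        out["early_exit"] = 0
    out["exit_at_4w"] = ve.withdraw("mercenary", now + 4 * WEEK)   # 1000
    return out


if __name__ == "__main__":
    print(demo())
```

The four-week locker holds under 2% of the voting weight despite locking the same capital, and that weight is gone before the lock even expires; the four-year locker still holds about half of its initial weight two years in. Gauge emissions are directed in proportion to `vote_share`, which is exactly the power Convex and bribe markets later compete to aggregate.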
Votable gauges enable stakeholders to direct liquidity incentives in three ways:
- Buying governance votes directly.
- Through a proxy protocol that aggregates governance power (e.g., Convex).
- Through bribing voters (e.g., Votium).
Therefore, the govDAO governance system primarily revolves around incentivizing and renting liquidity through voting power for financial gain. Many projects are currently bundling governance with an economic interest in order to attract capital; however, this structure has downsides. Bundling may reduce the number of governing parties, increasing the risk of centralization, collusion, and coercion.
The development of govDAOs’ pervasive incentives brings to mind the cobra effect. During the era of the British Raj, there was a cobra overpopulation problem. To attempt to decrease the population, authorities offered a bounty for each cobra caught. Capitalizing on this opportunity, citizens began to breed cobras in order to claim rewards. Upon realizing this, authorities banned the breeding of cobras. However, this had an unintended effect: many citizens released their bred cobras into the wild, and the cobra population increased dramatically — the opposite of the original intended effect. Perhaps it would’ve been better for the government to solve this problem themselves rather than outsource to mercenaries.
Due to current prevailing governance structures and ecosystems, govDAOs are more prone to superficial decentralization, which is trivial for a few powerful centralized actors to compromise. To review and learn more about governance, its vulnerabilities, and possible future structures, please refer to A Primer on Governance and Decentralization.
CoreDAOs most closely resemble a truly decentralized organization, since the founding team relinquishes control of the governance process and passes it over to the community. MakerDAO is the most notable example of a CoreDAO.
Modeled after Ethereum Improvement Proposals (EIPs), MakerDAO’s Maker Improvement Proposals (MIPs) allow token holders to vote on decisions, with vote weight proportional to the MKR locked in the governance contract. Once passed, executive proposals are executed on-chain, which further removes the human element from the process.
Each MIP is subjected to a process of discussion and deliberation before being implemented or denied. This process, combined with loosely coupled voting, enables the protocol to adapt to new narratives and goals while the values of the DAO remain unchanged. No individual member holds an excessive amount of power, thus mitigating single points of failure that could arise and bring increased risk of corruption. This was accomplished through MIP39 and the implementation of “Core Units.”
Core Units assume the responsibilities that would be seen in traditional structures, such as Chief Technology Officers (CTOs) and Chief Data Officers (CDOs). Within each Core Unit is a substructure, with facilitators (introduced in MIP41) to oversee each respective unit. Facilitators assume responsibilities requiring a great degree of trust and autonomy. However, their position is not guaranteed, and their power is not absolute. Facilitators may be voted out by token holders if they fail to deliver.
CoreDAOs are not a silver bullet; even Maker faces turbulence. The DAO has struggled to commit to a long-term vision, which is in turn leading to decision paralysis and less informed parties making suboptimal choices. Whether MakerDAO should centralize in order to increase efficiency or slow down and develop a more efficient governance process is up for debate.
DAO Tooling and Operational Legos
Web3 tooling has been built in order to accommodate the need for large-scale human coordination, with the intention to help design and manage incentives that align the relationships between stakeholders in a positive-sum manner.
The challenge of balancing efficiency with decentralization arises during the transition from a centralized organization into a decentralized organization. Often working groups and functional committees form organically. Although the configuration, names, and details of these groups vary, they can be divided into common categories.
To balance the above, DAOs have begun to adopt forms of distributed authority and constrained delegation. This allows token holders to nominate, elect and empower specific individuals and/or groups of active contributors with authority within specific domains. Often individuals with pertinent expertise and intimate contextual knowledge apply or are actively recruited, and they may perform their jobs autonomously.
In theory, any individual can take the initiative and create proposals or contribute. In practice, barriers often arise in relation to capital, collusion, or tribalism. Ideally, the values, purposes, resource requirements, stakeholders, specific performance metrics, and results of a DAO and its initiatives are transparent in order to create a social layer of accountability.
The web3 organizational tool stack intends to accommodate many-to-many relationships and fluid participation while also encouraging ownership. This way, DAOs may leverage individuals with various skills to fulfill specific tasks. Despite a constantly growing tooling suite, some protocols and projects still struggle to make large coordination efforts and migrate to newer systems. As DAOs vary in needs and purposes regarding their product fit, no one solution will manage them all.
Key DAO tooling can be separated into a few categories:
- Contribution Management allows individual participants to port their identity and reputation across applications and communities, delivering the right opportunities and information to the appropriate parties. It must do this in a way that is quantifiable and adequately incentivized while fostering trust and reputation. Examples include Gitcoin, ENS, Discord, POAP, etc.
- Compensation: Payment distribution infrastructure is vital and becoming more mature. DAOs can stream payments to contributors, distribute in bulk, fund grants, and track payroll. What is less clear is how different types of contributions are rewarded. Current compensation tools vary in use case and functionality and include Gnosis Safe, LlamaPay, Superfluid, Disperse.app, Multis, SourceCred, Coordinape, Opolis, and more.
- Decision-Making: DAOs vary greatly in structure, and mechanisms are constantly evolving. Voting may take the form of tightly coupled on-chain voting, e.g. Aragon or DAOstack. Voting may also be off-chain through loosely coupled voting, e.g. Snapshot, Discord, and Telegram. Note that off-chain votes must be executed by humans, typically multisig signers, which reintroduces a trusted step between the decision and its effect. The next generation of governance tools may look to combine off-chain voting with on-chain execution, such as the Gnosis SafeSnap module or Zodiac.
Although there is a clear lack of judiciary infrastructure within the space, it is emerging. Additional layers of checks and balances within the DAO may help to hold working groups accountable. Tools such as Kleros, Tally’s SafeGuard, and Aragon Court can function as “courts” to cross-check DAO values, verify approved budgets, reclaim funds, and even revoke transactions initiated by a multisig.
- Treasury Management: DAOs live and die by their treasury. DAOs can use tools such as the Moloch Guild Bank and Gnosis Safe (as well as the entire DeFi ecosystem) to diversify, invest, manage risk and generate yield. However, issues of transparency are a serious concern.
- Frontend and Analytics: Infrastructure components such as Etherscan are essential for networks. They allow for the interpretation of network traffic and on-chain activity, and even function as blockchain frontends. Data aggregators and visualization tools that provide insight into DAO spending, governance, etc., are now emerging to serve different needs. Governance frontends such as Tally and Boardroom help communities vote on proposals while displaying voter profiles and governance activity. Viewing voter delegation relationships could provide insight into the social and political dynamics within a DAO. Analytic platforms such as DeepDAO help to visualize governance activity by displaying metrics such as voter participation, member quantity, and treasury holdings.
- Frameworks are suites of smart contracts and interfaces that allow users to operate an on-chain organization. Features include fund management, voting, and membership management. Users can define and configure governance parameters such as voting periods, quorums needed, existing members, and shares (e.g., DAOstack, Aragon, and Moloch).
DAO Vulnerabilities
Protocol governance is complex, and may be divided along two axes: what may be controlled and who has control. Each protocol has a variety of goals, which leads to a diverse array of designs. Some protocols are immutable and change is impossible; others have the option for minimal parameter toggling, while still others may enable the change of an entire contract. Control may rest in the hands of individual users, small groups (multisigs), and/or large groups (token voting). Opportunistic behavior will occur if no mechanisms to check power dynamics and complexity are in place. Furthermore, vulnerabilities can emerge across various levels: individually, at a group level, and/or at a broader ecosystem level.
Governance Extractable Value (GEV) describes a way for entities to maliciously profit from weak governance structures. Due to the lack of a judicial framework as a form of recourse, there is an inherent lack of responsibility and accountability guardrails, allowing bad actors to extract value from governance systems. GEV exploits fall into two broad categories: capital structure exploitation and short-termism.
Capital Structure Exploitation (“The Rug Pull”) involves taking advantage of the governance process in order to steal collateral from the system. These attacks may be subtle or obvious. Examples include:
- Malicious upgrades
- Infinite-mint hacks
- Side-lining minority holders
- Vote to rug
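To make “vote to rug” concrete, here is an added example in Python (not from this article and not any real governor contract) that models a token-voting governor twice: a naive one that weighs votes by live balance and executes the moment a vote passes, and a hardened one that fixes each voter’s weight at a past snapshot block, opens voting only after a delay, and puts a timelock between passing and execution. Block numbers stand in for time; a flash loan is modelled as a transfer and repayment within the same block. The 1-block delay, 5-block voting window, 10-block timelock, 400-token quorum and the holder balances are all assumed values; the design mirrors the snapshot-plus-timelock pattern used by common on-chain governors rather than any specific project.

```python
"""Naive vs hardened token-voting governor, as a constructed simulation."""
from dataclasses import dataclass, field
from typing import Callable


class VotesToken:
    """Token that checkpoints each holder's balance per block. Within one
    block the last write wins, so tokens borrowed and repaid in the same
    block leave no balance behind at that block's snapshot."""

    def __init__(self, initial: dict[str, int]) -> None:
        self.balances = dict(initial)
        self.checkpoints = {w: [(0, b)] for w, b in initial.items()}

    def _checkpoint(self, who: str, block: int) -> None:
        cps = self.checkpoints.setdefault(who, [])
        if cps and cps[-1][0] == block:
            cps[-1] = (block, self.balances[who])
        else:
            cps.append((block, self.balances[who]))

    def transfer(self, frm: str, to: str, amount: int, block: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self._checkpoint(frm, block)
        self._checkpoint(to, block)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def balance_at(self, who: str, block: int) -> int:
        bal = 0
        for b, v in self.checkpoints.get(who, []):
            if b > block:
                break
            bal = v
        return bal


@dataclass
class Proposal:
    action: Callable[[], None]
    created: int
    votes_for: int = 0
    votes_against: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class NaiveGovernor:
    """VULNERABLE: weighs votes by live balance and executes immediately."""

    def __init__(self, token: VotesToken, quorum: int) -> None:
        self.token, self.quorum = token, quorum
        self.proposals: list[Proposal] = []

    def propose(self, action: Callable[[], None], block: int) -> int:
        self.proposals.append(Proposal(action, block))
        return len(self.proposals) - 1

    def _tally(self, p: Proposal, who: str, support: bool, weight: int) -> None:
        if who in p.voters:
            raise ValueError("already voted")
        p.voters.add(who)
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight

    def vote(self, pid: int, who: str, support: bool, block: int) -> None:
        # Live balance: whatever is borrowed for this block counts as weight.
        self._tally(self.proposals[pid], who, support, self.token.balance_of(who))

    def execute(self, pid: int, block: int) -> None:
        p = self.proposals[pid]
        if p.executed or p.votes_for < self.quorum or p.votes_for <= p.votes_against:
            raise PermissionError("proposal has not passed")
        p.executed = True
        p.action()             # no delay between the vote closing and the effect


class HardenedGovernor(NaiveGovernor):
    """Weight fixed at a past snapshot block, a voting window, and a timelock."""
    VOTING_DELAY, VOTING_PERIOD, TIMELOCK = 1, 5, 10      # blocks (assumed)

    def vote(self, pid: int, who: str, support: bool, block: int) -> None:
        p = self.proposals[pid]
        snapshot = p.created + self.VOTING_DELAY
        if not snapshot < block <= snapshot + self.VOTING_PERIOD:
            raise PermissionError("voting is not open")
        # Weight is the balance held at the snapshot, a block already in the past.
        self._tally(p, who, support, self.token.balance_at(who, snapshot))

    def execute(self, pid: int, block: int) -> None:
        p = self.proposals[pid]
        if block < p.created + self.VOTING_DELAY + self.VOTING_PERIOD + self.TIMELOCK:
            raise PermissionError("timelock has not elapsed")
        super().execute(pid, block)


def _setup(governor_cls, holders: dict[str, int]):
    token = VotesToken(holders)
    treasury = {"dao": 1_000_000, "attacker": 0}    # constructed treasury

    def drain() -> None:        # the malicious proposal: move the treasury
        treasury["attacker"] += treasury["dao"]
        treasury["dao"] = 0

    return token, treasury, governor_cls(token, quorum=400), drain


def flash_loan_attack(governor_cls) -> int:
    """Borrow 600 of 1,000 tokens, propose, vote, execute and repay in one
    block. Returns how much of the treasury the attacker ends up with."""
    token, treasury, gov, drain = _setup(
        governor_cls, {"lender": 600, "alice": 250, "bob": 150})
    block = 100
    token.transfer("lender", "attacker", 600, block)       # flash-borrow
    try:
        pid = gov.propose(drain, block)
        gov.vote(pid, "attacker", True, block)
        gov.execute(pid, block)
    except PermissionError:
        pass
    finally:
        token.transfer("attacker", "lender", 600, block)   # repay, same block
    return treasury["attacker"]


def majority_buyer_attack() -> tuple[int, int]:
    """An attacker who really owns 600 tokens can still pass the proposal
    under the hardened governor, but cannot execute it before the timelock.
    Returns the first block at which execution succeeds and the amount taken."""
    token, treasury, gov, drain = _setup(
        HardenedGovernor, {"attacker": 600, "alice": 250, "bob": 150})
    pid = gov.propose(drain, 100)
    gov.vote(pid, "attacker", True, 102)
    for block in range(102, 200):
        try:
            gov.execute(pid, block)
            return block, treasury["attacker"]
        except PermissionError:
            continue
    return -1, treasury["attacker"]
```

Against the naive governor the borrowed tokens drain the whole treasury inside one block; against the hardened one the same transaction fails because voting has not opened, and even if the attacker waited until block 102 the snapshot at block 101 would record a zero balance, since the loan was repaid in block 100. A genuine majority holder can still pass the proposal, which is the residual risk the article calls side-lining minority holders, but the timelock forces a public window (block 116 here) in which other holders can exit, fork, or veto through a guardian or court mechanism.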
Short-termism occurs when governance token holders desire growth regardless of the long-term damage it may cause the system as a whole. Opting for risky decisions in an effort to gain immediate benefits, they may sacrifice potential future stability and sustainable growth.
External Social Vulnerabilities include:
- Regulatory burdens such as the interface from digital to physical space, legal, and tax obligations. Currently, individual DAO members are each responsible for their own local compliance.
- DAO-to-DAO relations.
External Technical Vulnerabilities include:
- Cybersecurity. With a large attack surface area, the DAO must protect infrastructure against technical or social exploits.
- Hacks, multisig wallet management, and Sybil attacks.
Internal Technical Vulnerabilities include:
- Code bugs, for example the reentrancy bug exploited in the 2016 hack of “The DAO.”
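As an added example (not The DAO’s actual code), the following Python model captures the ordering bug at the heart of that hack: a vault that pays a withdrawer before zeroing its balance, so a malicious recipient can re-enter `withdraw()` from the payment callback and collect its deposit repeatedly. Deposits and account names are constructed; the `cei` flag switches the vault to checks-effects-interactions ordering, the standard fix.

```python
"""Reentrancy model: pay-then-update (vulnerable) vs update-then-pay (CEI)."""


class Vault:
    """Holds deposits and pays them out on request. With cei=False it pays
    first and zeroes the balance afterwards; with cei=True the balance is
    zeroed before the external call."""

    def __init__(self, deposits: dict[str, int], cei: bool) -> None:
        self.balances = dict(deposits)
        self.ether = sum(deposits.values())     # funds actually held
        self.cei = cei

    def withdraw(self, caller: "Account") -> None:
        amount = self.balances.get(caller.name, 0)        # check
        if amount == 0:
            return
        if self.ether < amount:
            raise RuntimeError("send failed: vault is empty")
        if self.cei:
            self.balances[caller.name] = 0                # effect first
        self.ether -= amount
        caller.receive(self, amount)                      # interaction (external call)
        if not self.cei:
            self.balances[caller.name] = 0                # effect too late


class Account:
    def __init__(self, name: str) -> None:
        self.name, self.received = name, 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount


class ReentrantAccount(Account):
    """Re-enters withdraw() from the payment callback while the vault still
    credits its balance."""

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        if vault.ether >= amount:         # keep going while there is ether to take
            vault.withdraw(self)


def run(cei: bool) -> dict[str, int]:
    vault = Vault({"alice": 90, "mallory": 10}, cei=cei)   # constructed deposits
    alice, mallory = Account("alice"), ReentrantAccount("mallory")
    vault.withdraw(mallory)               # attacker goes first
    try:
        vault.withdraw(alice)             # honest user tries afterwards
    except RuntimeError:
        pass
    return {"alice": alice.received, "mallory": mallory.received, "vault": vault.ether}


if __name__ == "__main__":
    print("vulnerable:", run(cei=False))  # mallory takes all 100, alice gets 0
    print("cei:       ", run(cei=True))   # mallory gets her 10, alice her 90
```

With the vulnerable ordering the attacker’s 10-token deposit is paid out ten times and the honest depositor’s withdrawal then fails for lack of funds; with the balance zeroed before the external call, the re-entrant call finds nothing to withdraw. A mutex-style reentrancy guard is the other common mitigation, but it does not remove the need to order state updates before external calls.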
Internal Social Multi-Scale Vulnerabilities include:
- Participation: Balancing the contributions of capital, volunteerism, and labor for productivity.
- Legitimacy: Engaging legitimate leaders (e.g. Vitalik Buterin) to direct the people delivering the protocol. “The key is that humans must deliver code and other outcomes, but those same people cannot control the protocol.” — Kain Warwick of Synthetix
- Capital: Discerning and implementing the most appropriate capital model, including striking a balance between external investment and issuing tokens.
- Token issuance.
- Treasury management: Effectively managing liquidity, including determining when and how much to spend.
- Culture: Building a culture and brand around the DAO.
- Collusion: Inequalities, incentive misalignments, and attacks via coin voting governance may lead to vote-buying.
- Politics.
- Scale: Maintaining clear information and lines of communication as projects scale in community and capital, as well as scaling trust.
- Strategy: Establishing short and long-term objectives, including for productive work and the metrics required to measure “success.”
- Algorithmic automation.
- Human oversight over algorithms.
- Governance design: Placing over-emphasis on voting as governance, while under-emphasizing culture, communication, information management, education, and the political processes that inform decisions on proposals and technical mechanisms.
- Voice and group behavior: Participants may hesitate to express their opinion. They may fear expending valuable political capital, for example, or facing the potential threat of harassment from the opposition.
- Decentralization and transparency: Handling matters that may expose the project to risk, including that which is subject to privacy clauses due to data sensitivity.
- Bureaucracy: Coping with ever-present and increasingly burdensome rules, policies, and processes, including taxes.
- Responsibility, accountability, and recourse: In the absence of clear, necessary institutional rules, systems, and processes in place for long-term sustainable infrastructure, leadership exiting DAOs may use the community as scapegoats.
Vulnerabilities can present opportunities for growth, adaptation, and acquired resilience. Discerning vulnerabilities from opportunities is difficult, as it often depends on the context and how the DAO community responds both technically and socially.
The Future of DAOs
The terminology of “Decentralized Autonomous Corporations” (DACs), coined by Daniel Larimer, may give us a sense of the direction that future iterations may take. In a DAC, dividends exist in the form of purchasable and tradable shares, allowing holders to receive returns based on the DAC’s success. A DAO is “non-profit”: although you may make money in a DAO, profit comes through participation, not through providing investment directly. Since all DAOs contain internal capital that may appreciate as the organization grows, it is easy to theorize that many DAOs will inevitably become DACs in some respect.
We may see different iterations of governance and DAO structure in the future that attempt to solve the pitfalls listed above. The idea that governance should not be rewarded for protocol growth, but instead be held responsible if the system is no longer viable, is powerful. Bonus payouts and incentives should be conditionally based on the sustained health of the system. GEV-resistant systems will be critical in the expansion of DeFi and the adoption of dApps.
The Potential of DAOs
Many governance systems are forced to place shared resources into the custody of a few, creating opportunities for bad actors to strike through corruption and collusion to capture an organization’s shared resources for personal gain. This has been the status quo for a long time. Blockchains and smart contracts have enabled new trust models for governance over shared resources through decentralization and cryptography.
There is an ongoing argument about whether or not there is any such thing as a fully decentralized and autonomous organization. While a network may be geographically decentralized and have many independent and equal network actors, the rules of governance coded into smart contracts and blockchains will always be a point of centralization. Although DAOs may be architecturally and geographically decentralized, they are still subjected to logical centralization via a set of experts who understand the intricacies of code.
The critical question for DAOs is: can they feasibly integrate legitimate adaptive capacity into systems that are both algorithmic and human, while maintaining adequate decentralization to withstand the evolution of functional infrastructure?
DAOs must continue striving to not only self-govern against external forces, but to balance individual and collective autonomy, including the inherent trade-offs between these forms of participation. The focus should be on the practice of algorithmic policy-making, the infrastructural assemblage of code and people, and the ability to consciously reflect on, shape, and iterate on algorithmic governance rules. This allows individuals within the adaptive capacity to participate in shaping the rules of these systems.
References
Defirate.com (2021). DAO Overview. DAO Overview — A List of Ethereum’s Top DAOs and DAO Structures.
Nabben, Kelsie (2021). DAO Vulnerabilities: Limits, Threats, and Opportunities to DAOs.
Nabben, Kelsie (2021). DAO Vulnerabilities: A multi-scale DAO Ecosystem Mapping Tool Towards Computer-Aided Governance.
Buterin, V. (2014). DAOs, DACs, DAs and More: An Incomplete Terminology Guide.
Lee, Leland, and Klages-Mundt, Ariah (2021). Governance Extractable Value.
Blockchainhub.net (2019). Tokenized Networks: What is a DAO?