Thanks for starting this discussion Stefan.
To re-iterate your separation between protocol governance and treasury governance:
- slowly and deliberately remove governance over certain parameters over time (e.g. PID)
- upgrade oracle / denomination if needed
- have meetings to figure out how to have fewer meetings (explicitly anti-bureaucracy)
- starting budget of ~10% of the FLX supply
- provide sufficient incentives to bootstrap RAI growth & liquidity
- automate incentive distribution as much as possible
- provide grants to people who want to build on RAI (impossible to automate)
Putting on our “governance is an attack vector” hats, let’s think about what is at stake if protocol/treasury governance are captured.
Treasury Governance Captured:
- Steal ~10% of the FLX, dump it all immediately
- More annoying/demoralizing - steal the FLX, but then sell it slowly over time…
Protocol Governance Captured:
- Steal 100% of the ETH collateral, mint infinite RAI
- Use minted RAI to steal all assets paired against RAI in liquidity pools
- Use minted RAI to steal all assets available to lend against RAI in lending protocols
- Infinite mint FLX, steal all assets from FLX/XYZ liquidity pools & lending protocols
- Update to a malicious oracle
Fortunately, as stated in our ungovernance roadmap, we will be removing the admin control over collateral in the system and over minting RAI, which eliminates the first three risks of capture. We will also be removing control over FLX minting and have it minted by a smart contract on a fixed schedule, as mentioned in our monetary policy update. Thus the risk of infinite minting FLX is eliminated as well.
The only remaining protocol capture risk is that the governance would update to a malicious oracle. The risks of updating to a malicious oracle are as follows:
- ETH/USD price feed set to 0 → all RAI minters are immediately liquidated
- ETH/USD price feed set to infinity → SAFE owners can infinite mint RAI
- RAI/ETH price feed set to 0 → RAI redemption rate hits upper bound (currently 400%/y)
- RAI/ETH price feed set to infinity → RAI redemption rate hits lower bound (currently -99%/y)
The RAI/ETH price feed being tampered with would still cause the system to collapse if not quickly rectified, but is unlikely to cause sudden harm to anyone but the most dangerously leveraged SAFE owners (by virtue of them getting liquidated by a rising RAI redemption price rising). Setting RAI/ETH to infinity and crashing the redemption rate would only devalue SAFE owners’ RAI debt faster, so it wouldn’t liquidate anyone.
The ETH/USD price feed being set to 0 on the other hand, would immediately liquidate all SAFE owners and auction off their ETH to the highest RAI bidders. And depending on the magnitude of the liquidations and lost confidence in the system, there could be massive amounts of FLX minting to cover any lingering bad debt. The ETH/USD price feed being set to 0 wouldn’t liquidate any SAFE owners, but it would allow them to mint infinite RAI, and thus steal all assets paired with RAI in liquidity pools and available to lend against RAI in lending protocols.
It should be clear from the above that the protocol being captured presents greater risks to RAI than the FLX treasury being captured. This is also why (at first pass) it makes logical sense to use separate governance systems to manage them. As Stefan said, we likely want ~1 week time delay for protocol updates (and probably longer as time goes on), whereas treasury proposals can be more agile.
Most of the governance systems employed today fall into the category of “Coin-Voting” which is 1 vote per 1 coin. Stefan already mentioned Compound governance and the veCRV models, but I’ll also suggest the traditional MakerDAO Governance  system as well.
- Governance Polls - onchain votes that are used for signaling to inform the larger community
- Executive Votes - onchain binding votes that are used to upgrade MakerDAO smart contract system to a new state
- Continuous Approval Voting - each Executive Vote only passes when it receives more MKR approving it than the previous Executive Vote. This can also occur when MKR that approved the previous proposal migrates to approving the current proposal (you can only approve one proposal at a time).
Of the three coin-voting systems discussed, I have a slight personal preference for the MakerDAO governance system. It has delegation built in, and it has an implicit quorum requirement in that any new upgrade must have more support than the previous upgrade. The veCRV system as used by Curve has a fixed quorum requirement of 15% for parameter updates and 30% for ownership upgrades. Compound governance has a 1% quorum for proposing votes, and a 4% quorum for passing votes.
Of course, the MakerDAO system is also only as secure as the level of governance participation. The current active MakerDAO executive proposal is approved by 6.7% of the MKR, which is even lower than it was (8%) when I published my TakerDAO troll plan  to launch a “9% attack” about 18 months ago. At the time, MakerDAO protocol governance was effectively a 1-of-4 multisig, as I wrote about in my original MetaCoin announcement . As of this writing, 5% of the MKR is available to borrow in Aave, so anyone with at least 2% of the MKR could consider launching a governance attack. Fortunately, due to the 48 hour Governance Security Module Pause Delay , in the event of a governance attack other users would have at least 2 days to sound the alarm and attempt to flee the MakerDAO system.
My least favorite thing about the MakerDAO governance is the lack of long-term alignment required for someone to participate in the governance. Someone who does attempt a governance attack is free to sell their MKR the following day and exit the system, leaving everyone else holding the pieces. Compound governance does nothing to address this, but the veCRV model does, allowing users who lock up their CRV a maximum 2.5x boost in voting power for locking up their tokens for up to 4 years. It should be noted that in their most recent “Clean Money” proposal , MakerDAO founder Rune proposed upgrading governance to a veCRV like time-based lockup governance model.
As Vitalik writes in Moving Beyond Coin Voting Governance :
Some DAO protocols are using timelock techniques to limit these attacks, requiring users to lock their coins and make them immovable for some period of time in order to vote. These techniques can limit buy-then-vote-then-sell attacks in the short term, but ultimately timelock mechanisms can be bypassed  by users holding and voting with their coins through a contract that issues a wrapped version of the token (or, more trivially, a centralized exchange). As far as security mechanisms go, timelocks are more like a paywall on a newspaper website than they are like a lock and key.
In theory, even a vote locking system like Curve is susceptible to unbundling the economic and governance interest in the locked tokens, which reduces the benefit that comes from having governors be long-term incentivized to vote towards positive outcomes.
He lists several categories of solutions:
- Limit governance to fixed parameter choices (RAI already does this)
- Add time delay (RAI plans to do this too)
- Be more fork-friendly (RAI has this as well via the “poison pill”)
- Proof of personhood (1 vote per 1 human)
- Proof of participation
- Hybrid systems (quadratic voting, requires proof-of-personhood for anti-sybil)
Skin in the game (skipping due to complexity)
- Time delays plus elected-specialist governance (relevant for RAI, expanded below)
- Futarchy + anti-collusion = reputation (complex)
- Loosely-coupled (advisory) coin votes (basically snapshot + multisig governance)
Time delays plus elected-specialist governance : this is one possible solution to the ancient conundrum of how to make an crypto-collateralized stablecoin whose locked funds can exceed the value of the profit-taking token without risking governance capture. The stable coin uses a price oracle constructed from the median of values submitted by N (eg. N = 13) elected providers. Coin voting chooses the providers, but it can only cycle out one provider each week. If users notice that coin voting is bringing in untrustworthy price providers, they have N/2 weeks before the stablecoin breaks to switch to a different one.
Since RAI is already limiting governance as much as feasible, the other of Vitalik’s suggestions that I find most interesting are quadratic voting and time delays plus elected specialist governance.
- Participants receive the square root of their capital as voting power
- More level playing field between small holders and large holders
- Requires proving unique identity of all participants (anti-sybil)
- Governance participation must be permissioned to enforce anti-sybil
Time delays plus elected-specialist governance:
- Instead of having the protocol decide the oracle directly, elect N proxies
- Can only vote to cycle out the proxies one at a time, with a fixed delay
- Protocol users a long time to flee when they see an oracle attack coming
Generally speaking, I’m against coin-voting for much the same reasons Vitalik is. That said, coin-voting governance systems are battle-tested in production whereas more the non-coin-voting systems are more experimental. If I had to pick a non-coin-voting system today, my preference would be to use the Zodiac framework to combine a Gnosis Safe + MolochDAO .
Zodiac Gnosis Safe + MolochDAO:
- MolochDAO handles permissioned entry (and can kick)
- Quadratic voting can be implemented at the social layer
- Gnosis Safe can hold assets and executive arbitrary transactions (e.g. protocol upgrades)
- Gnosis Safe can have signers that veto DAO decisions before they execute
- The signers can be removed over time as confidence builds in the DAO’s trustworthiness
It would be relatively straightforward to use a MolochDAO for permissioned coin-voting as that would avoid the anti-sybil requirement while still providing some protection against malicious governance participants, but it doesn’t provide the benefit of leveling the playing field between smaller and larger holders, which means there would be fewer people to corrupt in order to corrupt the governance.
The primary challenge in using a MolochDAO for permissioned quadratic voting is enforcing anti-sybil. We could create an anti-sybil system ourselves, but KYC isn’t our core competency (nor do we want it to be!). The best anti-sybil system that exists today is proof-of-humanity , but it is still in its infancy and has yet to be thoroughly battle-tested.
I think it’s likely that we can avoid duplicate effort by waiting to see how the MakerDAO governance evolves. If they build something like veCRV but with delegation baked in, that seems ideal to use for protocol governance. Alternatively, we could work with them to develop it. In the meantime, I would recommend we use something battle-tested, like the existing MakerDAO governance system, but with a longer time delay.
Given that this is less urgent, I would recommend we punt on this for now, but tentatively plan to use the Gnosis Safe + MolochDAO system, and ideally with quadratic voting. I would like to see proof-of-humanity continue to be tested in production before introducing it as a dependency. That said, having permissioned entry would greatly reduce the risk of treasury capture, while credibly building a path towards decentralization (eventually removing the gnosis safe multisig signers).
- Gas costs on L1 could 10-100x within the next 1-2 years, making L1 voting prohibitive for smaller voters anyway, eliminating their participation all together
- This reduces any benefit that “quadratic voting” would presumably provide
- If we wanted to have a DAO managed treasury, it would either need to be offchain or on L2 or we would have to accept that it is going to be dominated by whales
- If we move towards a governance by token lockup model like veCRV, I agree with Stefan that we would need to move away from a buyback & burn model and instead reward those participating in governance - a potential split would be 20% stakers, 80% governance
Links (because my link limit is still 2 - remove the space)
- MakerDAO Governance - makerdao. world/en/learn/governance/how-voting-works/
- TakerDAO - twitter. com/ameensol/status/1229848488621428736?lang=en
- MetaCoin - twitter. com/ameensol/status/1229848488621428736?lang=en
- GSM Pause Delay - makerdao. world/en/learn/governance/param-gsm-pause-delay
- Clean Money - forum.makerdao. com/t/the-case-for-clean-money/10684
- Beyond Coin Voting - vitalik. ca/general/2021/08/16/voting3.html
- Bypassing Timelocks - blog.openzeppelin. com/bypassing-smart-contract-timelocks/
- Gnosis Safe + MolochDAO - daohaus.substack. com/p/-daohaus-adopts-zodiac-to-enable
- Proof-of-Humanity - proofofhumanity. id/