ZUG DAO
The Vanderbilt Terminal for Zug DAO Intelligence
INDEPENDENT INTELLIGENCE FOR DECENTRALISED GOVERNANCE AND DAO ECOSYSTEMS

On-Chain Governance: Token Voting, Multisig, and DAO Governance Mechanisms


The governance stack for decentralised autonomous organisations has undergone rapid maturation since the first DAO experiments. What began as simple majority votes among a small group of insiders has evolved into sophisticated multi-layer systems involving off-chain signalling, on-chain binding votes with automatic execution, liquid delegation, conviction-weighted ballots, bicameral chambers, and timelock security mechanisms. Understanding this infrastructure is prerequisite to analysing any specific DAO’s governance design or evaluating governance proposals.

This analysis covers the full architecture of DAO governance mechanisms in production today: voting systems, delegation models, execution infrastructure, governance security, and the notable failures that reveal where the current generation of governance design remains vulnerable.


Token Voting: The Standard Model

Token voting is the foundational governance mechanism for most major DAOs. The principle is simple: hold governance tokens, vote on proposals, with voting power proportional to token holdings. Proposals that achieve the required support — majority, supermajority, or protocol-specific threshold — and the required quorum (minimum participation) are passed.

The implementation, however, involves several distinct layers, each with meaningful design choices.

Proposal submission thresholds

Most governance systems require a minimum token holding to submit a proposal. This prevents governance spam from token-less actors. Uniswap requires 2.5 million UNI to submit a governance proposal (or delegation of that threshold from supporters). Compound requires 25,000 COMP. These thresholds have been criticised as too high — effectively limiting proposal rights to very large token holders — and too low — insufficient to prevent governance noise from actors with substantial but not dominant holdings.

Quorum requirements

Quorum — the minimum participation threshold required for a vote to be valid — is among the most consequential governance parameters. Too low, and a small minority can pass proposals that most token holders would oppose. Too high, and governance becomes practically impossible to execute given typical participation rates.

Empirically, participation rates in major DAO governance votes are low: 5-15% participation is common for contested votes, and significantly lower for routine proposals. This creates a persistent quorum design challenge. Compound’s quorum is 400,000 COMP (~4% of supply). Uniswap’s quorum is 40 million UNI (~4% of supply). ENS DAO requires 1% of total supply.

Supermajority requirements

Some governance decisions — protocol upgrades, treasury deployments above certain thresholds, constitutional amendments — require supermajority approval (typically 60-75%). This creates additional security for the most consequential decisions.


Snapshot: Off-Chain Signalling

Snapshot (snapshot.org) is the dominant governance tool in the DAO ecosystem. It is used by hundreds of DAOs — including many of the largest DeFi protocols — for governance signalling. Its key characteristics define both its utility and its limitations.

How Snapshot works:

When a proposal is created on Snapshot, the system records the block number at which token holdings will be measured — the “snapshot block.” Every voter’s token balance at that block height determines their voting power. Votes are submitted as cryptographic signatures (not on-chain transactions), meaning voting is gasless and accessible regardless of ETH balance.

Results are publicly recorded on Snapshot, immutably, with full voter transparency (all addresses and their votes are visible) or with anonymity, depending on the voting strategy chosen.

The critical limitation — Snapshot is not binding:

Snapshot votes are off-chain signalling. A Snapshot vote, even a unanimous one, does not execute any on-chain action. It does not move treasury funds, change protocol parameters, or alter smart contract state. After a Snapshot vote passes, human signers on the relevant multisig must choose to execute the result. This introduces a layer of trusted execution between governance signal and on-chain action — a meaningful centralisation point that critics of Snapshot-only governance correctly identify.

For most major DAOs, Snapshot is used as a “temperature check” — an inexpensive, high-participation signalling mechanism used to gauge community sentiment before proceeding to the more costly and consequential on-chain vote.


Tally and On-Chain Binding Governance

Tally (tally.xyz) provides infrastructure for the alternative model: binding on-chain governance using Governor contracts, where a passed vote automatically executes via smart contract without human intermediation.

OpenZeppelin Governor standard:

The OpenZeppelin Governor contract (and its predecessors, Governor Alpha and Governor Bravo) is the standard implementation for on-chain DAO governance. It provides: proposal creation with customisable thresholds, configurable voting periods, quorum parameters, automatic execution via timelock controller, and delegate tracking.

When a proposal passes on-chain via a Governor contract, it enters the timelock controller — a smart contract that queues the execution and enforces a mandatory waiting period (typically 24-72 hours) before execution. After the timelock expires, any address can trigger execution, which is then automatic.

Major protocols using Tally and on-chain governance:

Uniswap, Compound, Aave, ENS DAO, and several other leading protocols use Governor-based on-chain governance for their binding governance votes. Token holders vote directly on-chain; passed proposals auto-execute via timelock. There is no multisig intermediation for these executions — the smart contract is the execution layer.

This provides a significantly stronger guarantee of governance binding than Snapshot: the code executes what the votes authorise, regardless of what any individual or multisig signer wants to do.


Delegation: Liquid and Conviction-Weighted

Direct token voting suffers from a practical problem: most token holders do not follow governance closely enough to vote informedly on every proposal. Delegation addresses this by allowing token holders to assign their voting power to representatives — delegates — who vote on their behalf.

Liquid delegation:

In liquid delegation systems (Compound, Uniswap, ENS), token holders delegate to any address they choose. The delegate votes with the delegated voting power. Delegation is revocable at any time. Token holders retain ownership of their tokens — they do not transfer them — and can re-delegate or vote directly at any time.

The practical effect is to create a delegate ecosystem: active governance participants accumulate delegated voting power and become the effective governance class of the DAO. ENS DAO has particularly well-developed delegate infrastructure, with public delegate platforms where delegates explain their governance philosophy and track record.

Polkadot’s conviction voting:

Polkadot’s OpenGov system implements a different approach: conviction voting. Tokens locked for longer periods receive proportionally greater voting power. Tokens locked for 1x the referendum period contribute 1x voting power; tokens locked for 2x contribute 2x; and so on, up to 6x (which provides 6x the base voting power for a 6x lockup commitment).

Conviction voting introduces an elegant incentive: voters who are most confident in and committed to a decision — willing to lock capital for longer — are given more influence. This counteracts the incentive to vote casually on every proposal and rewards genuinely committed governance participants.


Multisig Execution: The Human Checkpoint

Even in DAOs with sophisticated on-chain governance, multisig wallets remain the treasury execution layer for most operations. Safe (formerly Gnosis Safe, headquartered in Zug) is the dominant implementation.

How Safe multisig works:

A Safe multisig is configured with N signers and a threshold M: any transaction requires M-of-N signers to approve before execution. The multisig signers are human keyholders — typically core team members, trusted community representatives, or elected delegates — who must actively review and sign any proposed transaction.

M-of-N configurations vary widely. A 3-of-5 Safe is the minimum reasonable security configuration. Larger treasuries may use 5-of-9 or 7-of-12, accepting slower execution in exchange for greater security and signer redundancy.

The safety properties of multisig:

The multisig’s primary value in the governance context is as a human review layer. If an attacker passes a malicious governance proposal — whether through accumulated token voting power, a flash loan attack, or social engineering — the multisig signers can, in principle, refuse to execute it. This introduces a centralisation cost (signers are identifiable humans who can be coerced, compromised, or captured) in exchange for a security benefit (a final human checkpoint before execution).

Safe’s infrastructure includes a transaction queue, simulation tools, and integration with hardware wallets. Virtually every major DAO treasury — Ethereum Foundation, Uniswap, Aave, MakerDAO, and hundreds of others — uses Safe as the treasury custody layer.

Timelock as the complementary mechanism:

Governor contracts include a timelock controller that enforces a delay between vote passage and execution. This timelock — typically 24-72 hours for major protocols — provides a critical window: if a malicious proposal passes through governance (whether by manipulation or error), the community has the timelock window to identify the problem, communicate about it, and take preventative action (including exiting positions if the protocol has an emergency mechanism).


Optimistic Governance: Reducing Decision Overhead

Full governance voting for every DAO decision is operationally expensive: governance votes take time, have low participation for routine matters, and impose significant overhead on a DAO’s operational velocity. Optimistic governance addresses this by inverting the default: proposals take effect unless vetoed within a challenge period.

The optimistic model:

A designated proposer (or any token holder with sufficient stake) proposes an action. If no veto is raised within the challenge window (typically 3-7 days), the proposal is automatically approved and executed. If a veto is raised — requiring a minimum token threshold — the proposal enters full governance review.

This is efficient for routine operations — grants below a threshold, recurring operational expenses, minor parameter adjustments — where community opposition is unlikely. It reserves full governance overhead for contested decisions.

Optimism’s bicameral governance:

Optimism (the Layer 2 network) has implemented one of the most sophisticated governance designs in production: a two-house system. The Token House — OP token holders — votes on protocol upgrades, treasury allocations, and governance parameter changes. The Citizens’ House — holders of non-transferable soulbound citizenship NFTs — votes on retroactive public goods funding and certain veto decisions.

Each house has distinct powers and distinct incentive structures. Token House voting power is proportional to economic stake. Citizens’ House voting power is non-transferable and distributed based on contribution to the ecosystem rather than financial position. This bicameral design attempts to balance economic stakeholder governance (Token House) with public goods orientation and non-plutocratic values (Citizens’ House).


Quadratic Voting: Reducing Plutocracy

Standard token voting is plutocratic: one token, one vote. Large holders dominate. Quadratic voting attempts to reduce this by making voting power proportional to the square root of tokens held rather than the linear count. An address holding 100 tokens has 10 voting power units; an address holding 10,000 tokens has 100 voting power units (not 10,000).

The quadratic mechanism reduces the marginal influence of very large holders: doubling your tokens increases your voting power by approximately 41% rather than 100%.

The Sybil attack problem:

Quadratic voting systems are vulnerable to Sybil attacks: one entity creating many wallets, each holding a small number of tokens, achieves more total voting power than holding all the tokens in a single wallet. This nullifies the anti-plutocracy property unless identity verification prevents Sybil creation.

Gitcoin Grants uses quadratic funding (a related mechanism) with Sybil resistance provided by Gitcoin Passport — a composite identity score based on off-chain credentials, on-chain activity, and social verification. This significantly reduces but does not eliminate Sybil risk.

Few major DAOs have implemented quadratic voting for primary governance due to the Sybil resistance challenge. It remains an active area of governance mechanism research.
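The square-root arithmetic and the Sybil split described above, as an added Python example written for this article (not code from the page or from Gitcoin): a per-wallet tally shows how splitting one holding across many wallets inflates quadratic power by sqrt(wallets), and an identity-keyed tally shows the defence, aggregating balances per verified identity before the square root. The identity labels and the sample ballots are constructed; the identity set stands in for a Passport-style verification result.

```python
import math
from collections import defaultdict


def quadratic_power(balance):
    """Voting power of one wallet: square root of its token balance."""
    return math.sqrt(balance)


def split_power(total, wallets):
    """Power of the same `total` spread evenly across `wallets` addresses."""
    return wallets * math.sqrt(total / wallets)  # = sqrt(wallets * total)


def sybil_gain(total, wallets):
    """How much splitting inflates power relative to one wallet: sqrt(wallets)."""
    return split_power(total, wallets) / quadratic_power(total)


def tally_naive(ballots):
    """Per-wallet quadratic tally with no identity check (Sybil-vulnerable)."""
    result = defaultdict(float)
    for _addr, _identity, balance, choice in ballots:
        result[choice] += math.sqrt(balance)
    return dict(result)


def tally_verified(ballots, verified):
    """Quadratic tally keyed by verified identity rather than by wallet.

    ballots: (address, identity, balance, choice); identity is an assumed
    Passport-style identifier, or None for an unverified wallet.  Balances
    are summed per identity *before* the square root, so splitting one
    identity's tokens across many wallets gains nothing; unverified wallets
    are dropped rather than counted.
    """
    per_identity = defaultdict(float)
    for _addr, identity, balance, choice in ballots:
        if identity in verified:
            per_identity[(identity, choice)] += balance
    result = defaultdict(float)
    for (_identity, choice), balance in per_identity.items():
        result[choice] += math.sqrt(balance)
    return dict(result)


# Constructed sample: one whale splits 10,000 tokens over 100 wallets and votes
# "yes"; Alice holds 2,500 in a single wallet and votes "no".
SAMPLE = [(f"w{i}", "whale", 100, "yes") for i in range(100)]
SAMPLE.append(("alice-wallet", "alice", 2500, "no"))
```

With `tally_naive` the whale casts 1,000 power units against Alice's 50; with `tally_verified` the same tokens count as 100, exactly what a single wallet would get.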


Governance Security: Attacks and Defences

The governance layer is an attack surface. Billions of dollars in DAO treasuries make sophisticated governance attacks economically rational for sufficiently well-capitalised attackers.

The Beanstalk attack (April 2022):

Beanstalk is a decentralised stablecoin protocol. In April 2022, an attacker used a flash loan — a loan taken and repaid within a single blockchain transaction — to temporarily borrow an enormous sum, purchase a majority of Beanstalk governance tokens, propose and immediately vote on a malicious governance proposal that sent the entire $182 million Beanstalk treasury to the attacker’s address, and repay the flash loan. The entire attack executed within a single transaction. The critical vulnerability: Beanstalk’s governance allowed proposals to be voted on in the same transaction they were created, with no timelock.

The Build Finance DAO hostile takeover (2022):

A single actor accumulated a majority of Build Finance DAO’s governance tokens on the open market and used that majority to pass proposals awarding themselves control of the DAO treasury. No flash loan was required — the attack was executed through legitimate market acquisition. The vulnerability: insufficient minimum token threshold for passing proposals, no time-weighted voting, no multisig veto layer.

Governance security requirements:

These cases establish that governance security requires: (1) a timelock between vote passage and execution, sufficient for the community to identify and respond to malicious proposals; (2) quorum requirements that prevent small-minority attacks; (3) separation between proposal submission and voting periods; (4) multisig or committee veto mechanisms for extreme cases; and (5) careful parameter design that does not create flash-loan exploitable attack surfaces.


Polkadot OpenGov: The Most Sophisticated On-Chain Governance in Production

Polkadot’s OpenGov system, launched in 2023, represents the most sophisticated production on-chain governance architecture in the blockchain ecosystem. Web3 Foundation (Zug) governs the Polkadot treasury; OpenGov gives DOT holders direct, binding authority over multi-million dollar treasury proposals without Foundation Council intermediation.

OpenGov features: multiple referendum tracks with different parameters (small spends have shorter voting periods and lower quorum; constitutional changes require supermajority and extended periods); conviction-weighted voting; delegation per track (you can delegate small treasury votes to one address and major protocol votes to another); automatic treasury management; and a governance fellowship (elected technical experts) with limited veto rights over certain technical decisions.

The result is a governance system with genuine democratic depth — meaningful participation, meaningful binding authority, and meaningful specialisation — at a scale and complexity far beyond any other DAO in production.


This article is informational only and does not constitute legal, governance, or investment advice.

Published by The Vanderbilt Portfolio AG, Zurich, Switzerland. Author: Donovan Vanderbilt.


Frequently Asked Questions

What is the difference between Snapshot and on-chain governance voting?

Snapshot is an off-chain signalling tool where votes are gasless cryptographic signatures recorded off-chain. Snapshot votes are not binding and do not execute any on-chain action – multisig signers must choose to implement the result. On-chain governance using Governor contracts (such as those used by Uniswap, Compound, and Aave via Tally) produces binding votes that automatically execute via a timelock controller without human intermediation. On-chain governance provides stronger execution guarantees but costs gas to vote.

How do timelocks protect DAO governance from attacks?

Timelocks enforce a mandatory waiting period (typically 24 to 72 hours) between the passage of a governance vote and the execution of the approved action. This delay provides a critical security window: if a malicious proposal passes through governance manipulation, flash loan attacks, or social engineering, the community has time to identify the problem, communicate about it, and take preventative action before the malicious transaction executes. The Beanstalk attack of April 2022, which drained $182 million, exploited the absence of a timelock.

What is delegation in DAO governance and why does it matter?

Delegation allows token holders to assign their voting power to representatives (delegates) who vote on their behalf. This addresses the chronic voter apathy problem in DAOs, where typical participation rates are only 3-8% of circulating supply. Token holders retain ownership of their tokens and can re-delegate or vote directly at any time. Protocols like Compound, Uniswap, and ENS have developed active delegate ecosystems where delegates publish their governance philosophy and track record.

About the Author
Donovan Vanderbilt
Founder of The Vanderbilt Portfolio AG, Zurich. Institutional analyst covering decentralised autonomous organisations, on-chain governance architectures, treasury management, and the evolution of token-based collective decision-making.