Protocol treasuries are the financial engines of decentralized ecosystems, holding assets for development, grants, and liquidity. Unlike a traditional corporate treasury, a DAO's treasury is managed collectively by token holders. A governance framework defines the rules for proposing, voting on, and executing changes to this treasury, including fund allocation, investment strategies, and upgrades to the management system itself. Without a robust framework, treasuries are vulnerable to governance attacks, voter apathy, and inefficient capital deployment.
LABS
Guides
How to Design a Governance Framework for Treasury Upgrades
A technical guide for implementing a formal, on-chain process to propose, vote on, and execute upgrades to institutional custody systems.
Chainscore © 2026
introduction
INTRODUCTION
How to Design a Governance Framework for Treasury Upgrades
A secure, transparent, and effective governance framework is the cornerstone of any decentralized treasury. This guide outlines the core components and design patterns for managing protocol-owned assets.
The core components of a treasury governance framework are the proposal lifecycle, voting mechanism, and execution safeguards. The lifecycle typically includes a temperature check, formal proposal, voting period, and timelock-enforced execution delay. Voting can be based on token-weighted models (like Compound's Governor Bravo) or more nuanced systems like conviction voting or quadratic voting. Execution safeguards, such as multi-signature wallets or smart contract timelocks, are critical to prevent malicious proposals from taking immediate effect, allowing the community time to react.
When designing the framework, key parameters must be calibrated. These include the proposal threshold (minimum tokens needed to submit a proposal), quorum (minimum voter participation for validity), voting delay and duration, and the approval threshold (e.g., simple majority or supermajority). For example, Uniswap's governance requires a 1% proposal threshold, a 4% quorum, and a 7-day voting period. These settings balance accessibility with security, preventing spam while ensuring legitimate proposals can surface.
Smart contract architecture is the implementation layer. Most frameworks use a modular pattern separating the voting logic (the Governor contract) from the token (ERC-20Votes or ERC-721 for NFT-based voting) and the treasury executor (a TimelockController). The Governor contract handles proposal state, the token provides sybil-resistant voting power, and the TimelockController queues and executes successful proposals after a delay. This separation enhances security and upgradeability.
Beyond basic mechanics, advanced considerations include treasury diversification strategies (how to propose moving funds from ETH to stablecoins or LP positions), delegation incentives to combat voter apathy, and emergency procedures (e.g., a security council with limited powers to pause operations). Frameworks should also plan for their own evolution, incorporating upgrade paths via proxy patterns or explicit governance proposals to modify core parameters as the protocol matures.
prerequisites
PREREQUISITES
How to Design a Governance Framework for Treasury Upgrades
Before building a governance system for managing a protocol treasury, you need to understand the core components, security models, and common attack vectors. This guide outlines the foundational knowledge required.
A treasury governance framework defines how a decentralized community controls and upgrades a shared asset pool. Unlike a standard DAO for proposals, treasury governance specifically manages financial operations like capital allocation, multisig signer rotation, and upgrading the treasury contract itself. You must first decide on the governance model: token-weighted voting (e.g., Compound, Uniswap), multisig council (e.g., Arbitrum Security Council), or a hybrid approach. Each model has trade-offs between decentralization, speed, and security that directly impact upgrade paths.
Smart contract upgradeability is a critical technical prerequisite. Most treasury contracts use proxy patterns like Transparent Proxy (OpenZeppelin) or UUPS (EIP-1822) to enable logic upgrades without migrating assets. You must understand the security implications: a UUPS proxy stores the upgrade logic in the implementation contract, while a Transparent Proxy uses a ProxyAdmin. The choice affects who can trigger an upgrade—governance votes typically execute via a TimelockController contract to introduce a mandatory delay, allowing users to exit if they disagree with a change.
You need to define clear upgrade scopes and permissions. What changes require a vote? Common upgrade types include: modifying withdrawal limits, adding new asset whitelists, changing fee structures, or patching security vulnerabilities. Establish role-based access control (RBAC) using libraries like OpenZeppelin's AccessControl. For example, a TREASURY_UPGRADER role could be assigned to the governance Timelock, while a GUARDIAN role might have limited powers to pause functions in an emergency. Document these roles and their authorities in the protocol's documentation.
Security audits and formal verification are non-negotiable for treasury code. Before deploying any governance framework, the core treasury contract and its upgrade mechanism should be audited by at least one reputable firm (e.g., Trail of Bits, OpenZeppelin, ConsenSys Diligence). For high-value treasuries, consider bug bounty programs on platforms like Immunefi. Additionally, implement circuit breakers and ragequit mechanisms that allow users to withdraw their funds if a malicious upgrade is detected during the timelock period, as seen in systems like MakerDAO's Emergency Shutdown.
Finally, prepare the off-chain infrastructure for governance. This includes a user interface for submitting and voting on proposals (e.g., using Tally, Snapshot for off-chain signaling, and Governor contracts for on-chain execution), clear documentation of the proposal process, and community communication channels. Establish a constitutional document or governance charter that outlines upgrade procedures, emergency response plans, and the philosophical principles guiding treasury management. This social layer is as crucial as the smart contract code for ensuring smooth and legitimate upgrades.
key-concepts-text
CORE GOVERNANCE CONCEPTS
How to Design a Governance Framework for Treasury Upgrades
A secure and effective governance framework is critical for managing a protocol's treasury. This guide outlines the key components and design patterns for implementing upgrade mechanisms that balance decentralization, security, and agility.
A treasury upgrade framework governs how a protocol's funds, often held in a multi-signature wallet or a TimelockController, can be modified or deployed. The primary goal is to prevent unilateral control while enabling the DAO to adapt its financial strategy. Core components include a proposal mechanism (like Snapshot or on-chain voting), an execution delay (timelock), and clearly defined upgrade parameters. These parameters specify what can be changed: spending limits, beneficiary addresses, investment strategies, or the treasury contract itself. Without these guardrails, treasury management becomes a central point of failure.
The most critical security element is the timelock. When a governance vote passes, the action is not executed immediately. Instead, it enters a queue for a predefined period (e.g., 48-72 hours). This delay allows token holders to review the finalized transaction calldata and, if a proposal is malicious or flawed, provides a window to execute a defensive action, such as exiting liquidity positions. For high-value treasuries, consider a multi-stage timelock where different actions have different delays; changing a beneficiary address might require 7 days, while adjusting a fee parameter might only need 2.
Design the proposal logic to be explicit and restrictive. Instead of a generic "execute arbitrary calldata" function, create specific, permissioned functions for allowed actions. For example, a scheduleGrant(address beneficiary, uint256 amount) function that only the timelock can call. This principle of least privilege minimizes attack surface. Use on-chain role-based access control (RBAC) systems, like OpenZeppelin's AccessControl, to define roles such as PROPOSER (the governance contract) and EXECUTOR (often the timelock itself or a designated multisig).
Integrate off-chain signaling with on-chain execution. Many DAOs use Snapshot for gas-free, sentiment-checking votes on treasury initiatives. A successful Snapshot vote should then trigger a formal, on-chain transaction submitted to the timelock. This two-step process, often facilitated by tools like Tally or Sybil, ensures broad participation while maintaining cryptographic execution guarantees. Always require an on-chain vote for actions that directly move funds or change core contract logic, as off-chain votes alone are not enforceable.
Plan for emergency scenarios. A fully immutable system can be dangerous. Include a guardian or security council module with limited, time-bound powers to pause withdrawals or freeze funds in response to a verified hack, but ensure its activation is transparent and requires a high bar of consensus (e.g., 5 of 7 designated entities). Document all emergency procedures publicly. Furthermore, consider implementing ragequit mechanisms or exit windows for liquidity providers in treasury-backed pools, allowing users to withdraw if they disagree with a major strategic pivot approved by governance.
governance-components
TREASURY UPGRADES
Essential Governance Components
A secure treasury upgrade framework requires specific technical components. These tools and concepts form the foundation for decentralized decision-making and execution.
04
Multisig Fallback & Emergency Procedures
Even decentralized systems require contingency plans. A multisig wallet (e.g., 4-of-7 signers) should hold emergency powers, such as pausing the governance system or executing a critical security patch if the standard process is compromised. This fallback must be clearly documented with strict activation criteria to prevent abuse. Additionally, establish emergency procedures for scenarios like a governance attack, including a community-led social consensus process to coordinate a response outside the compromised smart contracts.
05
On-Chain Execution & Calldata Encoding
Governance proposals ultimately execute specific transactions. Developers must understand how to encode calldata for treasury actions. This involves crafting the low-level transaction data that the timelock will execute. Common actions include:
- Transferring funds to a specified address.
- Updating a contract's parameters via a function call.
- Performing a contract upgrade via a proxy pattern (e.g., UUPS or Transparent Proxy).
Incorrect calldata is a common source of proposal failure.
step-1-proposal-contract
CORE ARCHITECTURE
Step 1: Design the Proposal Contract
The proposal contract is the executable blueprint for a treasury upgrade. It defines the specific actions, parameters, and logic that will be enacted if the governance vote passes.
A governance proposal contract is a specialized smart contract that encodes the desired changes to the treasury system. Unlike a simple description, this contract contains the actual executable code that will be called by the governance executor (like OpenZeppelin's Governor contract) upon a successful vote. Its primary function is to bundle one or more transactions—such as upgrading a proxy contract, adjusting parameters, or transferring funds—into a single, atomic governance action. This design ensures that the intent of the proposal is immutable and verifiable on-chain before the vote even begins.
The contract must implement a standard interface, typically a single execute function. This is the entry point the governance module will call. Inside this function, you sequence all the low-level calls required for your upgrade. For a treasury parameter change, this might involve calling setFeePercentage(uint256) on the treasury manager. For a proxy upgrade, it would call upgradeTo(address) on the proxy admin contract, pointing it to the new implementation. It's critical that this function includes robust error handling and reverts entirely if any sub-call fails, preventing a partially applied state.
Security and gas optimization are paramount in the design phase. Since the proposal contract will be immutable once deployed, all external addresses (like the target treasury contract) and parameters must be hardcoded as immutable or constant variables. Thoroughly test the contract's execution in a forked mainnet environment using tools like Foundry or Hardhat. Simulate the execute call to verify it performs exactly the intended state changes and consumes a predictable amount of gas, which voters will need to know. A common best practice is to inherit from and use battle-tested libraries like OpenZeppelin's GovernorProposal utilities.
Consider the proposal's lifecycle. Once deployed, its address becomes the unique identifier for the governance proposal. Voters and off-chain interfaces will analyze this contract to understand the proposal's effects. Therefore, complement the on-chain code with a comprehensive NatSpec documentation block and publish the source code on a block explorer. For complex upgrades involving multiple contracts, clearly document the pre- and post-execution state in the associated forum post. The contract's immutability serves as the single source of truth for what is being voted on.
step-2-voting-mechanism
CORE LOGIC
Step 2: Implement the Voting Mechanism
This section details the implementation of the on-chain voting contract, the central component that processes proposals, manages votes, and enforces upgrade execution.
The voting mechanism is the executable core of your governance framework. It is a smart contract that defines the rules for creating proposals, casting votes, tallying results, and executing successful upgrades. Key parameters you must define include the voting delay (time between proposal submission and voting start), voting period (duration votes are accepted), and quorum threshold (minimum participation required for validity). For treasury upgrades, a common pattern is to use a timelock contract as the executor, which introduces a mandatory delay between a vote's success and its execution, providing a final safety window for review.
A standard implementation involves a Governor contract, often using OpenZeppelin's battle-tested libraries (e.g., Governor, GovernorCompatibilityBravo, GovernorTimelockControl). The proposal lifecycle is managed through specific functions: propose() to create a new upgrade proposal, castVote() for token holders to vote, and execute() to carry out the proposal's actions after success. Votes are typically weighted by the voter's governance token balance at a specific block number (snapshot), preventing manipulation via token borrowing.
For code clarity, here is a simplified skeleton of a Governor contract extending OpenZeppelin's templates:
solidityimport "@openzeppelin/contracts/governance/Governor.sol"; import "@openzeppelin/contracts/governance/extensions/GovernorTimelockControl.sol"; contract TreasuryGovernor is Governor, GovernorTimelockControl { constructor(IVotes _token, TimelockController _timelock) Governor("TreasuryGovernor") GovernorTimelockControl(_timelock) {} function votingDelay() public pure override returns (uint256) { return 1 days; // 1 day delay } function votingPeriod() public pure override returns (uint256) { return 3 days; // 3 day voting period } function quorum(uint256 blockNumber) public pure override returns (uint256) { return 100000e18; // 100,000 token quorum } // ... proposalThreshold, _execute, etc. }
Critical security considerations include setting appropriate proposal thresholds to prevent spam, ensuring the quorum function reflects meaningful community engagement, and correctly configuring the timelock delay. The voting contract must have exclusive permission to call restricted functions on the treasury (like executeTransaction from Step 1). This is achieved by making the TimelockController the owner or admin of the treasury, and the Governor the sole proposer for the Timelock. Always conduct thorough testing and audits on this contract suite before mainnet deployment, as it controls direct fund movement.
step-3-timelock-executor
GOVERNANCE SECURITY
Step 3: Integrate a Timelock Executor
A timelock executor introduces a mandatory delay between a governance proposal's approval and its execution, creating a critical safety mechanism for treasury upgrades.
A timelock contract acts as a programmable delay between governance voting and on-chain execution. When integrated, the treasury's upgrade authority is transferred from the governor contract to the timelock. This means a successful proposal does not immediately change the system; instead, it schedules the action within the timelock. After the proposal passes, there is a mandatory waiting period (e.g., 48-72 hours) before the action can be executed. This delay provides a final safeguard, allowing the community to detect and potentially veto malicious or erroneous proposals that slipped through the voting process.
Implementing a timelock typically involves deploying a contract like OpenZeppelin's TimelockController. This contract is initialized with a minDelay and a set of proposers (the governor contract) and executors (often a multisig or the governor itself). The core change is updating your Governor contract to use the timelock as its executor. In the governor's settings, the TimelockController address is set as the target for all proposal executions, replacing a simple EOA or multisig. All calls from passed proposals are routed through the timelock's schedule and execute functions.
Here is a simplified integration example using Solidity and OpenZeppelin contracts. First, the timelock is deployed, then the governor is configured to use it.
solidity// 1. Deploy TimelockController TimelockController timelock = new TimelockController( MIN_DELAY, // e.g., 2 days in seconds new address[](0), // No initial proposers (set after) new address[](0), // No initial executors (set after) ADMIN_ADDRESS ); // 2. In your Governor contract setup, grant roles timelock.grantRole(timelock.PROPOSER_ROLE(), address(governor)); timelock.grantRole(timelock.EXECUTOR_ROLE(), address(governor)); // 3. Governor must be configured to use the timelock as its executor. // In the Governor's constructor or initializer: _quorum = ...; _votingDelay = ...; _votingPeriod = ...; _timelock = address(timelock); // This is the key line
After this setup, any successful proposal from the governor will schedule a call in the timelock, which can only be executed after the delay.
The security benefits of this pattern are significant. It protects against several risks: - Governance attacks where an attacker gains temporary voting majority to drain funds. The delay allows time for the community to organize a response, such as a fork or a counter-proposal. - Bug exploitation from flawed proposal code; the delay acts as a final review period. - Operational errors in parameter changes. Major protocols like Uniswap, Compound, and Aave use timelocks for all treasury and protocol upgrades, making it a DeFi standard for responsible on-chain governance.
When designing the delay period, balance security with agility. A 48-hour delay is common for major treasury operations, providing a weekend buffer for community response. For purely parameter tweaks, some frameworks use a shorter grace period. The timelock's admin role (often a multisig) should be used solely for cancelling maliciously scheduled operations before they execute, not for bypassing the delay. This setup ensures that even the most powerful administrative keys cannot act unilaterally without the governance process and its safety delay.
Finally, thoroughly test the integration. Use a forked mainnet environment or a comprehensive test suite to simulate the full flow: proposal creation, voting, automatic scheduling in the timelock, waiting through the delay, and successful execution. Verify that the timelock correctly holds the treasury's upgrade authority and that the governor is the only proposer. This step completes a robust governance framework where upgrades are democratically decided and securely enacted, aligning long-term protocol safety with decentralized control.
MODEL ARCHETYPES
Governance Model Comparison for Treasury Upgrades
A comparison of common governance structures used to manage on-chain treasury upgrades, highlighting trade-offs in security, efficiency, and decentralization.
| Governance Feature | Direct Democracy (e.g., Snapshot) | Representative Council (e.g., Compound) | Multisig with Time-Lock |
|---|---|---|---|
Upgrade Execution Speed | Slow (7-14 days) | Medium (2-5 days) | Fast (< 24 hours) |
Voter Participation Threshold |
| Council quorum (e.g., 4/7) | Signer quorum (e.g., 3/5) |
Barrier to Proposal Creation | High (e.g., 0.5% of supply) | Medium (Council sponsorship) | Low (Multisig member) |
Resistance to Malicious Proposals | |||
Formal Delegation Mechanism | |||
On-Chain Execution Guarantee | |||
Typical Use Case | Major protocol parameters | Regular treasury allocations | Emergency security patches |
step-4-secure-upgrade-path
GOVERNANCE
Step 4: Define the Secure Upgrade Path
A secure upgrade path is the formal process for modifying a protocol's core logic or treasury management rules, ensuring changes are deliberate, transparent, and resistant to malicious proposals.
The core of a secure upgrade path is a time-locked, multi-signature contract like OpenZeppelin's TimelockController. This contract sits between the governance module (e.g., a token voting contract) and the protocol's upgradeable contracts (e.g., the treasury). When a governance proposal passes, it does not execute immediately. Instead, it is queued in the timelock for a minimum delay period (e.g., 48-72 hours). This enforced delay is a critical security feature, creating a mandatory review window for the community to audit the final calldata and, if necessary, organize a defensive response to a malicious upgrade.
For high-value treasuries, a simple majority vote may be insufficient. Implement graduated security thresholds where the required voting power increases with the proposal's risk profile. For example: a change to a fee parameter might need 51% approval, while upgrading the core treasury logic or adding a new signer could require a 67% supermajority or even an 80% quorum threshold. These rules are encoded directly into the governance contract's voting settings, making them immutable without going through the same rigorous process.
Every upgrade proposal must be accompanied by exhaustive technical documentation. This should include: the new contract address and verification on a block explorer like Etherscan, a comprehensive diff of the code changes, a list of all affected functions and state variables, and a simulation of the proposal's execution via a service like Tenderly. This allows delegates and security researchers to verify the proposal does exactly what its description claims, with no hidden logic.
Establish a formal post-upgrade contingency plan. This includes specifying a rollback procedure, often involving a pre-authorized emergency multisig (with a distinct set of signers) that can pause the system or execute a predefined recovery snapshot if critical bugs are discovered after the upgrade goes live. The mere existence of this safety mechanism increases overall system resilience. All these components—the timelock, thresholds, and emergency controls—should be deployed and configured before the treasury holds significant assets.
resource-links
GUIDE COMPONENTS
Implementation Resources
Concrete tools and design primitives used by production DAOs to implement governance frameworks for treasury upgrades. Each resource maps to a specific governance function: proposal logic, voting, execution, and risk controls.
GOVERNANCE FRAMEWORK DESIGN
Frequently Asked Questions
Common technical questions and solutions for designing secure, upgradeable treasury management systems on-chain.
A multisig (like Safe) is a simple, predetermined set of signers (e.g., 3-of-5) required to execute any transaction. It's fast, simple, and secure for small teams but lacks programmability and scalability.
A DAO governance framework uses smart contracts and governance tokens to enable permissionless proposal submission and decentralized voting. Execution is automated based on vote outcomes. Key components include:
- Governor contract (e.g., OpenZeppelin Governor): Manages proposal lifecycle.
- Token/Voting contract: Determines voting power.
- Timelock controller: Introduces a mandatory delay between proposal passage and execution, acting as a safety circuit-breaker.
Use a multisig for initial bootstrapping or managing a small operational wallet. Use a full DAO framework for community-owned treasuries requiring transparent, programmable rules.
conclusion
IMPLEMENTATION ROADMAP
Conclusion and Next Steps
This guide has outlined the core components of a secure, upgradeable treasury framework. The final step is to implement and operationalize these principles.
A well-designed governance framework is not a static document but a living system. The key principles covered—transparent proposal lifecycles, multi-signature security, time-locked execution, and comprehensive monitoring—form a defense-in-depth strategy. Your implementation should be tailored to your DAO's specific risk profile, treasury size, and community culture. Start by formalizing these rules in a clear, publicly accessible charter, such as a Snapshot space description or an on-chain constitution contract.
For technical next steps, consider deploying and testing the framework on a testnet. Use a platform like Tally or Sybil to manage the proposal interface. Implement the core smart contracts: a TimelockController (like OpenZeppelin's) to hold assets and delay execution, a governance token for voting, and a governor contract (e.g., Governor Bravo-compatible) to manage the proposal lifecycle. Thoroughly audit these contracts and conduct practice proposals to ensure all roles—proposers, voters, and executors—understand the process.
Beyond deployment, continuous improvement is critical. Establish metrics for framework health: proposal participation rates, execution delay adherence, and emergency response times. Use tools like Chainscore for real-time treasury analytics and anomaly detection. Schedule regular community reviews of the governance parameters—like proposal thresholds and voting periods—to ensure they remain effective as the DAO evolves. The goal is to create a system that is both robust against attacks and adaptable to new opportunities.