DAO Framework

The core engine for collective decision-making, typically implemented via on-chain voting. Key mechanisms include:

• Token-weighted voting: Voting power proportional to token holdings.
• Quadratic voting: Power scales with the square root of tokens committed, reducing whale dominance.
• Multisig execution: Approved proposals are executed by a designated multisig wallet or directly via smart contracts.
• Snapshot integration: For gasless, off-chain sentiment signaling before on-chain execution.

A secure, transparent vault for holding and deploying the DAO's assets (e.g., native tokens, stablecoins, NFTs). Features include:

• Multi-asset support: Hold ETH, ERC-20s, and other digital assets.
• Streaming payments: Continuous fund disbursement (e.g., for salaries or grants) via tools like Sablier or Superfluid.
• Budget allocation: Sub-DAOs or working groups can have earmarked funds.
• On-chain audit trail: All inflows and outflows are permanently recorded and verifiable.

Defines who constitutes a member and their permissions within the DAO. Common models are:

• Token-based membership: Ownership of a specific ERC-20 or ERC-721 token grants entry (e.g., $UNI for Uniswap DAO).
• Share-based membership: Members hold transferable shares representing direct voting and economic rights, as seen in Moloch DAO forks.
• Reputation-based systems: Non-transferable ERC-1155 tokens represent voting power earned through contributions.
• Role-based permissions: Granular controls for specific actions like posting proposals or managing funds.

The structured process for submitting, discussing, and ratifying governance actions. A standard workflow includes:

• Proposal submission: A member stakes tokens to create a proposal, preventing spam.
• Timelock period: A mandatory delay between a vote passing and execution, allowing for review.
• Voting periods: Fixed windows (e.g., 3-7 days) for casting votes.
• Execution logic: Automated enforcement of vote outcomes via smart contracts.
• Veto mechanisms: Optional safeguards, like a ragequit function or council veto.

The ability to integrate with external DeFi protocols and add new modules over time. This is a hallmark of frameworks like Aragon OSx and DAOhaus. Examples include:

• Plugin architecture: DAOs can install pre-audited modules for new functions (e.g., fundraising, bounties).
• Cross-chain governance: Managing assets and decisions across multiple Layer 1 and Layer 2 networks.
• DeFi integrations: Direct treasury interactions with lending protocols (Aave), DEXs (Uniswap), or yield strategies.

Built-in mechanisms ensuring all actions are auditable and aligned with member interests. This is achieved through:

• Immutable records: All proposals, votes, and treasury transactions are permanently recorded on-chain.
• Forkability: Members can fork the DAO, taking a proportional share of the treasury, if they disagree with governance direction.
• Delegate systems: Token holders can delegate voting power to experts, creating a representative layer.
• On-chain analytics: Tools like Tally and Boardroom provide real-time dashboards for voter participation and proposal history.

The core logic of a DAO is encoded in its smart contracts, making them a primary attack vector. Common vulnerabilities include:

• Reentrancy Attacks: Where malicious contracts can call back into a function before its initial execution finishes, draining funds (e.g., The DAO hack).
• Logic Errors: Flaws in governance or treasury management logic that can be exploited for unauthorized proposals or fund transfers.
• Upgradeability Risks: If the DAO uses proxy patterns for upgrades, a compromised implementation contract can lead to a total loss of control. Mitigation involves rigorous audits, formal verification, and implementing security patterns like checks-effects-interactions.

The decentralized voting mechanism itself can be subverted through various means:

• Vote Manipulation: Attackers may borrow or buy large amounts of governance tokens (vote buying) to pass malicious proposals.
• Proposal Spam: Flooding the DAO with complex or fraudulent proposals to create voter fatigue and slip a harmful proposal through.
• Tyranny of the Majority: A large token holder or coordinated group (whale or cartel) can consistently override the interests of smaller stakeholders. Defenses include vote delegation, proposal thresholds, and time-locks on executed decisions.

DAO treasuries, often holding significant value, are high-value targets. Key risks include:

• Multisig Compromise: If a DAO uses a multisig wallet for execution, the private keys of signers are critical points of failure.
• Authorized Spender Risks: Smart contracts granted spending allowances by the treasury can be exploited if they contain vulnerabilities.
• Oracles & Price Feeds: Treasury valuations and collateralized loans depend on external data; manipulated oracles can trigger unfair liquidations or incorrect valuations. Best practices involve using audited asset management modules, diversifying signers, and implementing withdrawal limits.

Sybil attacks involve creating many fake identities to gain disproportionate influence. In DAOs, this relates to:

• Airdrop Farming: Users creating many wallets to claim a disproportionate share of a governance token airdrop, skewing initial distribution.
• One-Token-One-Vote Exploits: If voting power isn't sybil-resistant, an attacker can split funds across many addresses to mimic broad community support. Mitigation strategies include proof-of-personhood checks, token-curated registries, or implementing quadratic voting to reduce the power of concentrated holdings.

The decentralized and often anonymous nature of DAOs creates significant legal uncertainty, which is itself a security risk:

• Liability Exposure: Members may face unforeseen joint liability if a DAO is deemed a general partnership in certain jurisdictions.
• Regulatory Action: DAOs operating in financial capacities (lending, trading) may attract enforcement from bodies like the SEC, potentially leading to asset seizures or shutdowns.
• Enforcement Challenges: Recovering stolen funds or pursuing bad actors across jurisdictions is extremely difficult. Some DAOs adopt Legal Wrappers (e.g., LLCs in Wyoming or foundations in Switzerland) to clarify liability and structure.

Human factors and coordination failures present persistent risks:

• Phishing & Impersonation: Attackers impersonate core team members on Discord or Twitter to post malicious links or wallet addresses.
• Governance Fatigue: Low voter turnout can allow a small, motivated group to control outcomes.
• Rug Pulls & Exit Scams: Malicious founders can abandon a project after raising funds, or use governance to approve draining the treasury. Community defense requires strong communication verification (e.g., verified roles), education, and transparent, slow-moving governance for major changes.

The protocols and practices for holding, allocating, and investing a DAO's collective capital. This is a primary function governed by the DAO's token holders.

• On-Chain Assets: DAO treasuries typically hold native tokens, stablecoins, and LP positions.
• Tools: Use multi-sig wallets, vesting contracts (e.g., Sablier, Superfluid), and delegated asset managers (e.g., Llama).
• Challenge: Balancing liquidity for operations with long-term asset growth and yield generation.

The end-to-end process from idea to execution within a DAO. A standard framework defines each stage to ensure orderly governance.

• Typical Stages:
  1. Temperature Check: Informal discussion and sentiment polling.
  2. Formal Proposal: On-chain submission with executable code or clear directives.
  3. Voting Period: Token holders cast votes.
  4. Timelock & Execution: A delay (for review) followed by automated execution.
• Purpose: Prevents rash decisions and allows for community veto or fork.