How to Structure On-Chain Governance Systems

introduction

ARCHITECTURE GUIDE

How to Structure On-Chain Governance Systems

A practical guide to designing the core components of a decentralized governance protocol, from proposal lifecycles to voting mechanisms and treasury management.

On-chain governance systems are smart contract frameworks that enable token holders to propose, vote on, and execute changes to a protocol. Unlike informal off-chain signaling, these systems encode rules directly into the blockchain, making outcomes autonomous and self-executing. The core architectural pillars include a proposal lifecycle, a voting mechanism, a timelock controller, and a treasury module. Popular implementations like Compound's Governor Bravo and OpenZeppelin's Governor provide standardized, audited foundations for developers to build upon, reducing the risk of critical vulnerabilities in custom code.

The proposal lifecycle defines the path from idea to execution. A typical flow begins with a proposal submission, requiring a proposer to stake a minimum number of tokens to prevent spam. The proposal then enters a voting delay period, allowing the community to review the code or discussion. This is followed by an active voting period, usually lasting 3-7 days, where token holders cast their votes. Finally, a timelock period is enforced after a successful vote, providing a final window for users to react before the proposal's actions are executed on-chain. This structured process balances agility with security.

Voting mechanisms are critical for capturing community sentiment. The most common model is token-weighted voting, where one token equals one vote. More advanced systems implement delegated voting (as used by Compound and Uniswap), allowing users to delegate their voting power to experts or representatives. Alternative designs include conviction voting (for continuous signaling) and quadratic voting (to reduce whale dominance). The choice of mechanism directly impacts governance participation rates and decentralization. Smart contracts must also handle vote snapshotting to prevent manipulation from token transfers during the voting period.

A timelock contract is a non-negotiable security component. It acts as a queue for executed proposals, imposing a mandatory delay (e.g., 48 hours) between a vote passing and its code being run. This delay is the last line of defense, allowing users to exit the system if they disagree with a passed proposal. The timelold typically holds the protocol's upgrade authority or treasury controls. For maximum security, major protocols like Arbitrum use a multisig timelock, where a council of elected signers must approve the execution after the delay, adding a final human check against smart contract exploits.

Treasury management modules govern how protocol funds are allocated. Proposals often request payments from the community treasury for grants, development work, or liquidity incentives. Best practice is to structure these payments via vesting contracts or streaming payments (like Sablier) rather than one-time transfers, aligning long-term incentives. The governance system should also define clear rules for emergency procedures, such as pausing the governance contract or executing a critical security patch via a separate guardian multisig. This ensures the system can respond to crises without being hamstrung by its own standard proposal timeline.

When implementing a system, start with audited standards like OpenZeppelin's Governor contracts. A basic structure includes a Governor contract, a TimelockController, and your governance token (ERC-20Votes or ERC-5805). The key is to configure parameters—like votingDelay, votingPeriod, proposalThreshold, and quorum—to match your community's size and pace. Thorough testing with tools like Tenderly or Foundry is essential to simulate proposal execution paths. Ultimately, a well-structured system balances inclusivity, security, and efficiency, turning token ownership into legitimate protocol stewardship.

prerequisites

PREREQUISITES

How to Structure On-Chain Governance Systems

A guide to the core components and design patterns required to build secure and effective decentralized governance.

On-chain governance systems automate decision-making through smart contracts, moving beyond informal off-chain signaling. The core architecture typically involves three key components: a governance token for voting rights, a voting contract to tally proposals, and a timelock contract to safely execute approved actions. This structure, popularized by systems like Compound's Governor Bravo, separates the voting logic from the execution of state changes, which is critical for security. The governance token acts as the source of truth for voting power, often using a snapshot of token balances at a specific block to prevent manipulation.

Designing the voting mechanism requires choosing between models like token-weighted voting, where one token equals one vote, and delegated voting, where users can delegate their voting power to representatives. You must also define proposal lifecycle parameters: a voting delay (time between proposal submission and voting start), a voting period (duration of the vote, e.g., 3-7 days), and a quorum threshold (minimum participation required for validity). For example, Uniswap governance uses a 7-day voting period and a dynamic quorum. These parameters directly impact system responsiveness and security against low-participation attacks.

The timelock is a non-negotiable security primitive. It imposes a mandatory delay between a proposal's approval and its execution. This delay gives the community a final window to react—allowing users to exit protocols or governance participants to cancel a malicious proposal if a vulnerability is discovered. In practice, the timelock contract holds the privileged execution rights, and the governance contract is its only owner. When building, you'll integrate with existing audited timelock implementations, such as OpenZeppelin's TimelockController, rather than writing your own.

Proposal creation logic must be carefully scoped. Proposals are typically executable code—calling a function on a target contract with specific calldata. Your system needs clear rules about which contracts (the governance treasury, protocol parameters, or upgradeable proxies) are valid targets. A common pattern is to use a multisig or a guardian role for emergency actions or to veto malicious proposals during the timelock period, though this introduces a degree of centralization. The complexity lies in balancing security, decentralization, and efficiency.

Finally, successful governance requires robust off-chain infrastructure. This includes a user interface for proposal browsing and voting (like Tally or Boardroom), indexers to query proposal state and voting history, and bots to monitor for new proposals and alert delegates. Developers should plan for gas optimization, as voting on-chain can be expensive; solutions include snapshot voting (off-chain signing with on-chain execution) or gasless voting via meta-transactions. Testing governance logic thoroughly on a testnet, including attack vectors like proposal spam and quorum manipulation, is essential before mainnet deployment.

key-concepts-text

ARCHITECTURE GUIDE

How to Structure On-Chain Governance Systems

A technical guide to designing the core components of a decentralized governance system, from proposal lifecycles to voting mechanisms and execution.

On-chain governance systems are smart contract-based frameworks that enable token holders to propose, vote on, and execute changes to a protocol autonomously. Unlike informal off-chain signaling, these systems encode rules directly into the blockchain, making outcomes binding and transparent. The core architectural components include a proposal factory for creating governance actions, a voting module to tally votes, and an execution module to implement passed proposals. Successful implementations, like Compound's Governor Bravo or Uniswap's governance, separate these concerns to allow for modular upgrades and clear audit trails.

The proposal lifecycle is the central workflow. It typically follows a timelock pattern: a proposal is submitted with a defined voting period, votes are cast, a quorum and majority are calculated, and if passed, the proposal enters a timelock delay before execution. This delay is a critical security feature, allowing users to exit the system if they disagree with an upcoming change. Proposals can target any function call, from adjusting a protocol parameter (e.g., changing a reserveFactor on Aave) to upgrading a core contract. Structuring proposals with clear, atomic actions reduces complexity and attack surface.

Voting mechanisms determine how influence is measured. The most common is token-weighted voting, where one token equals one vote. More advanced systems use delegated voting (as seen in Ethereum's EIP-4824), where users can delegate their voting power to representatives, improving participation. Quadratic voting and conviction voting are alternative models that aim to reduce whale dominance and signal long-term preference. The choice of mechanism directly impacts governance capture risks and voter apathy. All votes should be recorded on-chain with cryptographic proofs to ensure verifiability and prevent double-spending of voting power.

Execution and security are the final, critical layers. Once a proposal passes, it must be executed autonomously. This is often managed by a TimelockController contract (like OpenZeppelin's implementation) which holds protocol ownership and queues transactions after the delay. A key design consideration is the proposal threshold, which prevents spam by requiring a minimum token stake to submit a proposal. Furthermore, systems should include emergency safeguards, such as a multi-sig guardian that can pause governance in case of a critical bug, though this introduces a centralization trade-off that must be clearly communicated to users.

ARCHITECTURE

Comparison of On-Chain Governance Models

Key technical and economic differences between major governance system designs.

Governance Feature	Token-Weighted Voting	Conviction Voting	Quadratic Voting	Multisig Council
Core Mechanism	1 token = 1 vote	Voting weight accumulates over time	Cost = square root of votes	Approval by N-of-M signers
Sybil Resistance
Vote Delegation
Typical Proposal Cost	$0-500 (gas)	$0-500 (gas)	$10-100 (bond)	N/A
Time to Execution	~3-7 days	Days to weeks	~3-7 days	< 1 hour
Used By	Uniswap, Compound	1Hive, Commons Stack	Gitcoin Grants	L2s, Treasury Mgmt
Voter Turnout Incentive	Protocol fees, token value	Directed funding streams	Matching funds	Salary/Stipend
Attack Cost (Relative)	Medium	High (time-based)	Very High	Very High

implementation-steps

ON-CHAIN GOVERNANCE

Implementation Steps

A practical guide to building a secure and effective on-chain governance system, from proposal lifecycle to execution.

Define Governance Token & Voting Power

The foundation of your system. Determine the token distribution (e.g., 40% to community, 30% to treasury, 30% to team/backers) and voting power mechanics. Common models include:

Token-weighted voting: 1 token = 1 vote.
Time-locked voting (veToken model): Voting power increases with lock-up duration.
Quadratic voting: Power scales with the square root of tokens committed, reducing whale dominance.

Use standards like ERC-20 for the base token and ERC-5805 (Votes) for delegation.

Design the Proposal Lifecycle

Structure the formal process from idea to execution. A standard lifecycle includes:

Temperature Check: An off-chain snapshot to gauge sentiment.
Formal Proposal Submission: On-chain proposal with executable calldata, requiring a proposal deposit (e.g., 1000 tokens) to prevent spam.
Voting Period: A fixed window (e.g., 5-7 days) where token holders cast votes.
Timelock & Execution: Approved proposals enter a timelock period (e.g., 48 hours) for review before the encoded function calls are executed, mitigating risks from malicious proposals.

Implement using Governor contracts from OpenZeppelin or Compound's Governor Bravo.

Implement Core Smart Contracts

Deploy the three core contract components:

Governance Token: The ERC-20/ERC-5805 token.
Governor Contract: Manages proposals, voting, and state. Configure voting delay, voting period, and proposal threshold.
Timelock Controller: Holds protocol treasury and executes proposals after the delay. This separates governance decision-making from immediate execution.

Key security practice: The Timelock should be the admin of all upgradeable protocol contracts, ensuring only governance-approved changes are made.

Set Quorum & Voting Thresholds

Configure the mathematical rules for proposal success to balance efficiency and security.

Quorum: The minimum percentage of total voting power that must participate for a vote to be valid. Start conservatively (e.g., 4-10% of supply).
Approval Threshold: The percentage of participating votes required to pass. For treasury spends, use a high threshold (e.g., >50% For). For parameter tweaks, a simple majority may suffice.

These values can be adjusted via governance itself. Monitor participation rates and adjust quorum to prevent voter apathy from paralyzing the system.

Integrate Voting Interfaces

Enable user participation through front-end interfaces. Key integrations include:

Snapshot: For off-chain, gas-free sentiment checks using signed messages.
Tally or Boardroom: Front-end dashboards for viewing proposals, voting, and delegating tokens.
Wallet Integration: Connect via WalletConnect or libraries like wagmi to enable direct on-chain voting from user wallets.

Ensure your Governor contract emits standard events (e.g., ProposalCreated, VoteCast) so these platforms can index activity.

EXPLORE

Establish Delegation & Security Guards

Enhance system efficiency and safety with advanced features.

Vote Delegation: Allow users to delegate voting power to experts or representatives without transferring tokens (ERC-5805).
Guardian or Multisig: Implement a security council (e.g., a 6-of-9 multisig) with the ability to pause the system or veto malicious proposals in extreme emergencies, acting as a circuit breaker.
Proposal Power Caps: Limit the scope of a single proposal (e.g., max treasury drain per proposal) to contain damage from a successful attack.

IMPLEMENTATION

Code Examples by Component

Core Governor Contract

The Governor contract manages proposal lifecycle. Use OpenZeppelin's Governor contract, which implements EIP-6372 for vote tracking and standard interfaces.

Core Functions:

propose(): Creates a new proposal.
castVote(): Submits a vote (for, against, abstain).
queue(): Queues a successful proposal for execution.
execute(): Executes the queued proposal's calls.

solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/governance/Governor.sol";
import "@openzeppelin/contracts/governance/extensions/GovernorSettings.sol";
import "@openzeppelin/contracts/governance/extensions/GovernorCountingSimple.sol";
import "@openzeppelin/contracts/governance/extensions/GovernorVotes.sol";
import "@openzeppelin/contracts/governance/extensions/GovernorVotesQuorumFraction.sol";
import "./GovernanceToken.sol";

contract DAOGovernor is Governor, GovernorSettings, GovernorCountingSimple, GovernorVotes, GovernorVotesQuorumFraction {
    constructor(GovernanceToken _token)
        Governor("DAOGovernor")
        GovernorSettings(7200 /* 1 day */, 50400 /* 1 week */, 0)
        GovernorVotes(_token)
        GovernorVotesQuorumFraction(4) // 4% quorum
    {}

    function votingDelay() public view override(Governor, GovernorSettings) returns (uint256) {
        return super.votingDelay();
    }
    // ... Override other required functions
}

Extend with modules like GovernorTimelockControl for execution security.

security-considerations

SECURITY AND ATTACK VECTORS

How to Structure On-Chain Governance Systems

On-chain governance automates protocol upgrades and treasury management through token-weighted voting, but its design introduces unique security risks that must be mitigated.

On-chain governance systems, like those used by Compound, Uniswap, and Arbitrum, allow token holders to vote directly on proposals that execute code changes or allocate funds. This process typically involves a timelock contract—a critical security component that delays execution after a vote passes, giving users time to react to malicious proposals. The core mechanism is a state machine: a proposal moves from Pending to Active for voting, then to Queued in the timelock, and finally Executed. A flawed state transition logic can be exploited to bypass safeguards or execute code prematurely.

Several key attack vectors target these systems. Proposal spam floods the system with votes to stall legitimate governance, often mitigated by requiring a minimum proposal deposit. The 51% attack is a classic threat where a malicious actor acquires majority voting power to pass self-serving proposals. More subtle is voter apathy and low turnout, which can allow a small, coordinated group to pass proposals with minimal support. Flash loan attacks temporarily borrow massive voting power to swing proposals, a risk addressed by using time-weighted voting snapshots instead of real-time balances.

Smart contract vulnerabilities within the governance module itself are catastrophic. A bug in the Compound Governor Bravo contract in 2021 allowed a passed proposal to be repeatedly executed. Secure implementations must include execution guards, such as ensuring a proposal's proposalId cannot be reused and that the state() function correctly validates conditions before execution. Code should enforce that only the timelock contract can execute successful proposals and that the timelock's delay cannot be altered by a single proposal.

Best practices for structuring secure governance include using audited, battle-tested frameworks like OpenZeppelin's Governor. Implement a multi-tiered governance structure with a veto-powered guardian (e.g., a Security Council) for emergency responses, as seen in Arbitrum. Set carefully calibrated parameters: a votingDelay (e.g., 1 day) for discussion, a votingPeriod (e.g., 3-7 days) long enough to coordinate defense, and a quorum requirement (e.g., 4% of supply) to ensure meaningful participation. All parameter changes should themselves go through governance.

For developers, integrating governance starts with inheriting from a standard contract. Below is a basic setup using OpenZeppelin, demonstrating a governor with a timelock and a token that uses snapshots.

solidity
import "@openzeppelin/contracts/governance/Governor.sol";
import "@openzeppelin/contracts/governance/extensions/GovernorTimelockControl.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";

contract MyGovernor is Governor, GovernorTimelockControl {
    constructor(IVotes _token, TimelockController _timelock)
        Governor("MyGovernor")
        GovernorTimelockControl(_timelock)
    {}
    // Override required functions: votingDelay, votingPeriod, quorum, etc.
}

The associated TimelockController contract holds the treasury funds and executes proposals only after the delay.

Continuous security is essential. Maintain an on-chain bug bounty program funded by the treasury. Use simulation tools like Tally or OpenZeppelin Defender to dry-run proposals on a forked network before live voting. Delegate voting to knowledgeable representatives can improve decision quality, but beware of centralization risks. Ultimately, a well-structured system balances decentralization, security, and agility, ensuring the protocol can evolve without becoming a target for exploitation.

KEY DESIGN CHOICES

Governance Parameters and Specifications

Comparison of core parameter configurations for on-chain governance systems, detailing trade-offs between security, participation, and efficiency.

Parameter	High Security / Low Risk	Balanced / Mainstream	High Efficiency / Low Friction
Voting Delay	7 days	2-3 days	< 24 hours
Voting Period	14 days	7 days	3 days
Proposal Threshold	1.0% of token supply	0.5% of token supply	0.1% of token supply
Quorum Requirement	20% of token supply	4-10% of token supply	1-2% of token supply
Timelock Execution Delay	3 days	2 days	None
Emergency Proposal Support
Delegated Voting
Vote Snapshot Block	Start of voting period	Time of proposal creation

resource-links

GOVERNANCE SYSTEM DESIGN

Resources and Tools

On-chain governance relies on battle-tested contracts, voting infrastructure, and clear lifecycle controls. These tools and frameworks are used by live DAOs to define proposal flow, voting mechanics, and execution guarantees.

OpenZeppelin Governor Contracts

OpenZeppelin provides the most widely used on-chain governance contract framework for EVM networks. The Governor module is modular and supports token-based, NFT-based, and custom voting logic.

Key components include:

Governor.sol: core proposal and voting logic
GovernorVotes: ERC20Votes or ERC721Votes integration
GovernorTimelockControl: enforced execution delay
Quorum and voting period overrides for dynamic governance

Used by DAOs on Ethereum, Optimism, and Arbitrum, the framework lets developers configure parameters like:

Voting delay and voting period in blocks
Quorum numerator as a percentage of total supply
Proposal thresholds to reduce spam

Most production DAOs modify Governor to include custom quorum logic or emergency controls. OpenZeppelin Contracts v5.x is compatible with Solidity 0.8.20 and newer networks.

EXPLORE

Compound Governor Bravo Model

Governor Bravo is the governance system originally deployed by Compound and later adopted by Uniswap, ENS, and other major DAOs. It defines a strict proposal lifecycle enforced entirely on-chain.

Lifecycle stages:

Proposal creation with proposal threshold
Voting period measured in blocks
Queuing in a Timelock contract
Delayed execution with cancel safeguards

Governor Bravo introduces:

Explicit separation between governance and execution via Timelock
Voting by token balance at a fixed snapshot block
On-chain calldata execution without multisig intervention

This model is suitable for mature DAOs managing protocol upgrades or treasury movements. It requires careful parameter tuning because changes require full governance proposals. Many DAOs fork Governor Bravo and add gas optimizations or custom quorum logic.

EXPLORE

Snapshot + On-Chain Execution Hybrid

Snapshot is an off-chain voting system commonly used as the signaling layer for on-chain governance. Votes are signed messages stored on IPFS, making voting gasless and accessible.

Typical hybrid architecture:

Snapshot for proposal discussion and voting
Snapshot Space defines voting strategies and quorum rules
Safe or Timelock executes the result on-chain

This approach is used by DAOs that prioritize voter participation over strict on-chain enforcement. Snapshot supports:

ERC20 balance, delegation, and quadratic voting strategies
Cross-chain voting using read-only RPCs
Proposal validation via Snapshot Hub

Developers must design clear execution rules because Snapshot itself does not enforce outcomes. Many DAOs pair Snapshot with programmatic execution bots or governance-controlled Safe accounts.

EXPLORE

Tally Governance Interface and Indexing

Tally provides governance analytics, proposal indexing, and voting UX for on-chain Governor-based DAOs. It connects directly to deployed Governor contracts and Timelocks.

Tally features:

Human-readable proposal decoding
Voting history by address
Real-time quorum and vote tracking
Delegate profiles and delegation flows

For developers, Tally reduces the need to build custom governance frontends. DAOs deploy their Governor contracts and register them with Tally to immediately gain:

Proposal dashboards
Contract-verified execution data
Auditability of governance actions

Tally supports OpenZeppelin Governor, Governor Bravo, and custom forks on Ethereum and major L2s. It is commonly used by DAOs transitioning from multisig control to full on-chain governance.

EXPLORE

Aragon DAO Governance Framework

Aragon provides a modular governance stack combining on-chain voting, role-based permissions, and upgradeable DAO logic. It is designed for DAOs that want governance primitives without writing contracts from scratch.

Core components:

Aragon OSx smart contracts
Plugin-based voting systems
On-chain execution with permission gating

Aragon supports:

Token-weighted and multisig voting
Replaceable governance plugins
Fine-grained control over who can execute actions

This framework is useful for teams that want on-chain governance with configurable security tradeoffs. Developers can extend plugins or deploy custom modules while relying on Aragon’s audited base contracts.

EXPLORE

ON-CHAIN GOVERNANCE

Frequently Asked Questions

Common technical questions and solutions for developers implementing and interacting with on-chain governance systems.

A proposal is a structured data packet submitted to the governance contract, typically containing executable calldata (like a target address and function call) or a descriptive text hash. It represents the action to be taken if approved.

A vote is a user's signed transaction that signals support or opposition to a specific proposal, weighted by their voting power (e.g., token balance). The governance contract tallies these votes according to its rules (simple majority, quorum, etc.). Only after a proposal passes and any timelock expires can the contained calldata be executed.

conclusion

IMPLEMENTATION ROADMAP

Conclusion and Next Steps

This guide has outlined the core components of on-chain governance. The next step is to implement a system tailored to your protocol's needs.

A successful on-chain governance system balances decentralization, security, and efficiency. The foundational choice between a token-based model (like Compound's COMP) and a multisig council (like Arbitrum's Security Council) dictates your initial security posture. For most protocols, the evolutionary path begins with a multisig for rapid iteration, gradually decentralizing control by introducing token voting for specific proposal types, such as treasury management or parameter adjustments. This phased approach mitigates early-stage risks while building community trust.

Your technical implementation should prioritize auditability and gas efficiency. Use battle-tested frameworks like OpenZeppelin Governor with extensions for compatibility and security. For voting, consider snapshotting mechanisms (e.g., using block.number - 1) to prevent last-minute manipulation. Crucially, integrate a timelock contract between the governance module and the core protocol. This introduces a mandatory delay between a proposal's passage and its execution, providing a final window for the community to react to malicious proposals. The Compound and Uniswap timelocks are canonical references.

Beyond the smart contracts, operational processes are vital. Establish clear guidelines in your governance forum for Temperature Checks (informal sentiment) and Consensus Checks (formal discussion) before proposals reach the chain. Define explicit criteria for proposal submission, including a minimum token threshold and required documentation. Tools like Tally and Boardroom provide user-friendly interfaces for voters to delegate tokens and track governance activity, which is essential for broad participation.

For next steps, start by deploying your governance contracts on a testnet like Goerli or Sepolia. Use a verification service like Sourcify to publish your contract source code publicly. Then, run through the entire governance lifecycle with a controlled group: create a proposal, vote, execute via the timelock, and verify state changes. This dry run will expose configuration issues in proposal thresholds, voting periods, and quorum requirements.

Finally, consider the long-term evolution of your system. As your protocol matures, you may need to introduce layer-2 governance to reduce voting costs, futarchy markets for decision-making, or subDAOs to handle specific domains like grants or protocol parameters. The governance landscape is iterative; plan to regularly review voter turnout, proposal quality, and the health of your delegate ecosystem, using on-chain data to guide future upgrades.