A revenue-sharing treasury is a core mechanism for aligning a protocol's success with its community. At its simplest, it involves collecting fees or profits in a smart contract vault and distributing a portion to token holders, often via a claim function or a rebasing mechanism. The primary architectural challenge is balancing security, gas efficiency, and fairness. Key decisions include choosing between push (active claiming) and pull (automatic distribution) models, selecting the asset(s) to hold in the treasury (e.g., native ETH, stablecoins, LP tokens), and defining the revenue source (e.g., protocol fees, MEV, staking yields).
LABS
Guides
How to Architect a Treasury for Revenue Sharing with Holders
A technical guide for developers on implementing smart contract systems to distribute protocol revenue or yield to token holders. Covers design patterns, Solidity examples, and tax considerations.
Chainscore © 2026
introduction
DESIGN PATTERNS
How to Architect a Treasury for Revenue Sharing with Holders
A technical guide to designing a secure and efficient on-chain treasury system that automatically distributes protocol revenue to token holders.
The most common implementation uses an accrual-based accounting system. Instead of distributing revenue instantly, which is gas-prohibitive, the contract tracks each holder's share of the total undistributed revenue. A mapping, such as mapping(address => uint256) public rewardsPerSharePaid and mapping(address => uint256) public rewards, calculates what a user is owed based on their token balance at the time revenue is added. When a user calls claim() or executes a transfer, their accrued rewards are settled. This pattern, inspired by master-chef staking contracts, minimizes state changes and gas costs.
Security is paramount. The treasury contract should have strict access controls, typically via a multisig wallet or a DAO vote for withdrawing funds or changing parameters. Use OpenZeppelin's Ownable or AccessControl libraries. Avoid complex, upgradeable logic in the core distribution contract; instead, keep it simple and audited. Consider separating the revenue collection logic from the distribution logic to limit the attack surface. For example, a fee collector contract sends funds to the treasury, which only handles the accounting and distribution.
Here's a simplified code snippet for the core accrual logic:
solidity// State variables uint256 public totalRewards; mapping(address => uint256) public userRewardPerSharePaid; mapping(address => uint256) public rewards; function _updateReward(address account) internal { rewards[account] = _earned(account); userRewardPerSharePaid[account] = totalRewards; } function _earned(address account) internal view returns (uint256) { return (balanceOf(account) * (totalRewards - userRewardPerSharePaid[account])) / 1e18 + rewards[account]; }
When new revenue amount is deposited, totalRewards is incremented. Users compute their earnings based on the difference between the current totalRewards and their last updated userRewardPerSharePaid.
For gas optimization with large holder bases, consider snapshotting or merkle tree distributions. Instead of updating state for every holder, you can take a snapshot of balances at an epoch and later allow users to claim against a pre-calculated merkle root. Projects like Uniswap and Compound have used this for retroactive airdrops. Alternatively, a rebasing ERC-20 token (like Olympus's OHM) automatically adjusts all holder balances, but this is more complex and impacts integrations. The choice depends on your tokenomics and frequency of distributions.
Finally, integrate transparent reporting. Emit clear events for revenue deposits and distributions. Consider creating a simple frontend or subgraph that allows users to track accrued, claimable, and historical rewards. A well-architected treasury is not just a smart contract but a transparent system that fosters long-term holder alignment. Start with a simple, audited accrual model, enforce strict access controls, and plan for gas-efficient scaling as your holder count grows.
prerequisites
ARCHITECTURE FOUNDATION
Prerequisites and Setup
Before deploying a revenue-sharing treasury, you must establish the core infrastructure, define the economic model, and ensure security. This section covers the essential components and initial smart contract setup.
The foundation of a revenue-sharing treasury is a secure, multi-signature wallet or a programmable vault contract like Gnosis Safe or Safe{Wallet}. This entity will hold the protocol's accumulated fees and revenue. You must also define the revenue sources, which typically include protocol fees from swaps, lending, or NFT sales. The distribution logic—whether it's automatic, claimable, or vote-directed—must be codified in a separate smart contract that interfaces with this treasury vault.
Your token's smart contract must implement a mechanism to track eligible holders for distribution. For ERC-20 tokens, this often involves using a snapshot of balances at a specific block number to prevent manipulation, or implementing a dividend-bearing token standard like ERC-20Votes for gas-efficient checkpointing. You will need to decide on the distribution frequency (e.g., weekly, monthly) and the asset used for payout (native ETH, a stablecoin like USDC, or the protocol's own token).
Security is paramount. The treasury and distributor contracts should undergo a professional audit from firms like ChainSecurity or Trail of Bits. Implement timelocks for critical functions, such as changing distribution parameters or withdrawing funds. Use established libraries like OpenZeppelin for access control (e.g., Ownable or AccessControl) to restrict treasury management to a governed multisig or DAO.
For development, set up a project using Hardhat or Foundry. You will need testnet ETH (e.g., on Sepolia or Goerli) and familiarity with Ethers.js or Viem for scripting. Begin by writing and testing the core contracts: a TreasuryVault.sol for holding assets and a RevenueDistributor.sol that calculates shares and executes transfers. Use forked mainnet environments to simulate real revenue flows.
Finally, establish clear documentation for users and developers. This should include the smart contract addresses on Etherscan, the distribution schedule, and the method for users to claim their share. Transparency in these mechanics builds trust and is a critical prerequisite for a successful, sustainable revenue-sharing model.
key-concepts
TREASURY ARCHITECTURE
Core Revenue Distribution Models
Explore the primary mechanisms for designing a protocol treasury that autonomously collects and distributes revenue to token holders.
direct-transfer-architecture
SIMPLE TREASURY DESIGN
Architecture 1: Direct Token Transfers
This guide explains how to architect a smart contract treasury that collects protocol fees and distributes them directly to token holders via periodic transfers.
A direct token transfer architecture is the most straightforward method for implementing a revenue-sharing treasury. The core mechanism involves a smart contract that acts as a vault, accumulating a portion of the protocol's fees in a specific token, such as a stablecoin or the protocol's native token. On a pre-defined schedule (e.g., weekly or monthly), the contract executes a function that calculates each holder's share based on their proportional ownership and sends the corresponding amount directly to their wallet address. This model is transparent and gives holders immediate, liquid access to rewards.
The key technical components are the treasury vault contract and the distribution logic. The vault must have secure functions to receive fees, often restricted to authorized protocol contracts. The distribution function typically involves iterating through a snapshot of token holders, calculating rewards using the formula (holderBalance / totalSupply) * treasuryBalance, and performing an ERC-20 transfer. For gas efficiency with large holder sets, a merkle distributor pattern is often used, where rewards are calculated off-chain and holders claim via a merkle proof.
Consider a protocol like a decentralized exchange that charges a 0.3% swap fee. It could route 0.05% of every swap to the treasury contract in USDC. After one week, the contract holds 10,000 USDC. If a user holds 1% of the governance token's total supply, they are entitled to 100 USDC. When the distribute() function is called, the contract would transfer 100 USDC from its balance to the holder's address. This direct transfer is a taxable event in many jurisdictions and provides immediate utility to the holder.
This architecture has clear trade-offs. Its main advantage is simplicity and predictability for users. However, it can be gas-intensive for the distributing entity if done on-chain for many holders, and it forces a tax liability on recipients at the time of distribution. It also does not automatically compound value for long-term holders, as rewards are sent out as separate, liquid assets rather than being reinvested into the protocol's token, which is a key difference from token buyback and burn or staking reward models.
To implement this securely, the treasury contract must inherit from ReentrancyGuard and use the Checks-Effects-Interactions pattern to prevent reentrancy attacks during transfers. It should also include robust access control, typically using OpenZeppelin's Ownable or a multi-sig, for critical functions like triggering distribution or changing the reward token. Events should be emitted for all deposits and distributions to allow for easy off-chain tracking and analytics.
In summary, a direct transfer treasury is best suited for protocols with a manageable number of holders, a desire for transparent and simple rewards, and a revenue stream in a liquid, widely-accepted token. It serves as a foundational model to understand before exploring more complex architectures like staking vaults or buyback mechanisms, which offer different economic and behavioral incentives for token holders.
buyback-burn-architecture
REVENUE SHARING
Buyback-and-Burn Treasury Architecture
A buyback-and-burn mechanism uses protocol revenue to purchase and permanently remove the native token from circulation, creating deflationary pressure to benefit all holders.
A buyback-and-burn architecture is a deflationary model for rewarding token holders. Instead of distributing revenue directly, the protocol's treasury uses a portion of its profits to buy its own token from the open market. These purchased tokens are then sent to a dead address (e.g., 0x000...dead), permanently removing them from the total supply. This reduces circulating supply, which, assuming constant or growing demand, increases the value of each remaining token. All holders benefit proportionally through the resulting price appreciation, aligning long-term incentives without requiring active staking or claiming.
Implementing this requires a clear revenue funnel and execution logic. First, define which revenue streams fund the buyback (e.g., 50% of protocol fees). These funds, often in a stablecoin like USDC, accumulate in a dedicated treasury contract. A keeper bot or permissionless function is then triggered on a schedule or when a threshold is met. This function executes a swap on a decentralized exchange (DEX) like Uniswap, converting the stablecoin into the protocol's native token. The critical final step is the irreversible burn.
Here is a simplified Solidity function outline for the burn execution:
solidityfunction executeBuybackAndBurn(uint256 amountIn, uint256 amountOutMin) external onlyKeeper { // 1. Transfer stablecoin from treasury to this contract stablecoin.transferFrom(treasury, address(this), amountIn); // 2. Approve and swap on DEX router stablecoin.approve(address(router), amountIn); address[] memory path = new address[](2); path[0] = address(stablecoin); path[1] = address(nativeToken); router.swapExactTokensForTokens( amountIn, amountOutMin, path, BURN_ADDRESS, // Tokens sent directly to burn address block.timestamp ); }
The tokens are sent directly to the burn address in the swap, ensuring immediate and verifiable removal.
Key design considerations include market impact and transparency. Large, infrequent buybacks can cause significant price slippage and be seen as market manipulation. Mitigate this by executing smaller, frequent buys or using liquidity pool features like TWAP (Time-Weighted Average Price) orders. Transparency is achieved by emitting events for each buyback and publishing the transaction hash and burn proof on-chain. Projects like Binance Coin (BNB) and Shiba Inu (SHIB) have used quarterly and manual burns, while automated, on-chain mechanisms are becoming the standard for DeFi protocols seeking trustlessness.
While effective, buyback-and-burn has limitations. It provides indirect, speculative value rather than direct cash flow, which may not suit income-focused investors. It also does nothing to improve protocol utility or governance participation. For a more direct reward alternative, consider Architecture 1: Direct Distributions where revenue is shared as stablecoins to stakers. The choice depends on the token's economic goals: buyback-and-burn excels at creating scarcity and aligning long-term price growth, making it a powerful tool for value accrual in a well-designed token economy.
staking-rewards-architecture
TREASURY DESIGN
Architecture 3: Staking Rewards Vaults
This guide explains how to architect a smart contract vault that autonomously generates and distributes staking rewards to token holders, creating a sustainable flywheel for protocol-owned liquidity.
A staking rewards vault is a dedicated treasury module that uses protocol revenue to purchase and stake the native token, then distributes the generated yield to stakers. This architecture directly aligns holder incentives with protocol growth. Instead of manual buybacks, the vault automates the process: it accepts stablecoins or ETH from protocol fees, swaps them for the governance token via a DEX like Uniswap V3, and stakes the tokens in a dedicated staking contract. The subsequent staking rewards are the mechanism for revenue sharing.
The core smart contract architecture typically involves three key components: a Vault contract that holds assets and executes strategies, a Buyback module (often using a DEX router) to convert revenue to the native token, and a Staking contract where the bought tokens are deposited. Critical design decisions include setting a reward rate (APY), a vesting schedule for distributed rewards (e.g., linear over 7 days), and access controls that restrict vault functions to authorized keepers or governance. Security is paramount, as this contract holds significant value.
Here is a simplified code snippet showing a vault's core swap and stake function using Chainlink for price feeds and a Uniswap V3 router:
solidityfunction convertFeesAndStake(uint256 amountIn) external onlyKeeper { // 1. Approve router to spend stablecoins IERC20(USDC).approve(address(swapRouter), amountIn); // 2. Define swap parameters for USDC -> TOKEN ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({ tokenIn: USDC, tokenOut: TOKEN, fee: 3000, // 0.3% pool fee tier recipient: address(this), deadline: block.timestamp + 300, amountIn: amountIn, amountOutMinimum: 0, // In production, use oracle-based slippage protection sqrtPriceLimitX96: 0 }); // 3. Execute the swap uint256 amountOut = swapRouter.exactInputSingle(params); // 4. Stake the received tokens IStaking(STAKE_CONTRACT).stake(amountOut, address(this)); }
This function automates the core treasury action, but a production system requires robust slippage control, emergency pauses, and governance-gated parameter updates.
Successful implementations balance sustainability with attractiveness. The vault's reward emission rate must be less than or equal to the protocol's revenue generation rate to avoid depleting the treasury. Projects like GMX and Synthetix use variations of this model, where fees generated from perpetual swaps or minting are used to buy and burn or stake their native tokens. This creates a verifiable on-chain feedback loop: more protocol usage generates more fees, which buys more tokens for staking, increasing rewards and incentivizing further holding and participation.
When deploying, you must consider key parameters: the fee collection trigger (time-based or threshold-based), the buyback slippage tolerance (using TWAP oracles for safety), and the reward distribution method (claimable or auto-compounded). Auditing this contract system is non-negotiable. Furthermore, the design should include a timelock on parameter changes and a clear emergency withdrawal path for governance to recover assets in case of a critical bug, ensuring the system remains trust-minimized and resilient.
IMPLEMENTATION ARCHITECTURE
Revenue Sharing Model Comparison
Comparison of primary on-chain mechanisms for distributing protocol revenue to token holders.
| Model | Direct Buyback & Burn | Staking Rewards | Direct Distributions (Dividends) |
|---|---|---|---|
Core Mechanism | Protocol buys and permanently removes tokens from supply | Users stake tokens to earn a share of protocol fees | Revenue is sent directly to token holder wallets |
Holder Action Required | |||
Tax Efficiency | High (no taxable event for holders) | Medium (rewards are taxable income) | Low (distributions are taxable income) |
Capital Efficiency | Medium (capital used for buybacks) | High (capital remains in protocol) | Low (capital leaves protocol treasury) |
Typical APY Range | 0-5% (implied via supply reduction) | 5-20% | 2-10% |
Gas Cost for Users | None | Medium (staking/unstaking tx) | Low (claiming tx, if applicable) |
Treasury Management | Active (requires buyback execution) | Passive (automated via smart contract) | Active (requires distribution execution) |
Primary Use Case | Long-term value accrual for all holders | Incentivizing protocol security & loyalty | Providing regular cash flow to holders |
security-considerations
SECURITY AND OPERATIONAL CONSIDERATIONS
How to Architect a Treasury for Revenue Sharing with Holders
Designing a secure and sustainable treasury for distributing protocol revenue to token holders requires careful planning around fund custody, distribution logic, and operational resilience.
The foundation of a secure treasury is multi-signature (multisig) custody. Avoid single private key control. Use a Gnosis Safe or similar multisig wallet with a 3-of-5 or 4-of-7 configuration, where signers are trusted, doxxed community members or DAO delegates. This setup prevents a single point of failure and requires consensus for any fund movement. The treasury's base assets—typically stablecoins like USDC or the protocol's native token—should be held in this secure, non-upgradable contract, separate from operational funds used for expenses.
Revenue distribution logic must be transparent and non-custodial. Implement an on-chain distributor contract that autonomously handles claims or automatic transfers. A common pattern is a MerkleDistributor, where off-chain calculations generate a Merkle root of eligible holders and their shares, which is posted on-chain for gas-efficient verification and claiming. This keeps the logic public and verifiable while placing the gas cost on the claimant. For automatic distributions, use a Streaming or Vesting contract (like Sablier or Superfluid) to drip funds over time, reducing sell pressure and rewarding long-term holders.
Key operational risks include oracle dependencies and governance attack vectors. If distribution amounts depend on external revenue data (e.g., fee totals from a DEX), you need a secure oracle like Chainlink to feed this data on-chain. Governance proposals to change distribution parameters or withdraw funds must have high quorums and timelocks (e.g., a 48-hour delay) to prevent sudden, malicious changes. All contracts should be audited by reputable firms like OpenZeppelin or Trail of Bits, and consider a bug bounty program on Immunefi for ongoing security.
For sustainable operations, design the treasury to be gas-efficient and composable. Use ERC-20 permit functionality to allow users to approve claims in a single transaction, or deploy contracts on Layer 2s like Arbitrum or Optimism to reduce claim costs by over 90%. The architecture should also allow for future upgrades via a transparent proxy pattern (like UUPS), where upgrade authority rests with the DAO multisig. Document all processes—from revenue aggregation to claim execution—in public DAO handbooks to ensure operational clarity and community trust.
TREASURY ARCHITECTURE
Tax and Regulatory Implications
Designing a treasury for revenue sharing introduces significant tax and compliance considerations. This guide addresses common developer questions on structuring distributions, handling different token types, and navigating jurisdictional complexities.
The tax treatment of distributions depends heavily on the asset type. Distributing stablecoins like USDC is typically treated as ordinary income to the recipient at its fair market value (FMV) on the distribution date. For the treasury, this is often a non-deductible expense.
Distributing project's native tokens is more complex. In many jurisdictions, this may be considered a taxable event for the treasury, creating a capital gain or loss based on the token's cost basis versus its FMV. For the holder, receiving new tokens could be taxable income. Using a vesting schedule can defer tax liability for recipients until tokens are unlocked. Always model both the corporate and holder tax impact.
resource-links
ARCHITECTURE
Implementation Resources and Tools
Practical tools and contract patterns used to implement onchain treasuries that distribute protocol revenue to token holders. Each resource maps to a concrete architectural decision developers must make.
conclusion-next-steps
IMPLEMENTATION ROADMAP
Conclusion and Next Steps
You now have the architectural blueprint for a secure, transparent, and efficient on-chain treasury for revenue sharing. The next steps involve deployment, testing, and community engagement.
This guide outlined a modular architecture for a holder treasury. The core components are a revenue router (like a FeeCollector), a treasury vault (a secure, multi-signature Gnosis Safe), and a distribution mechanism (a Merkle-based airdropper or a staking contract). You should have a clear separation of concerns: one contract collects fees, another holds them securely, and a third handles the logic for pro-rata distribution to token holders. This design minimizes attack surfaces and allows for independent upgrades.
Before mainnet deployment, rigorous testing is non-negotiable. Use a framework like Foundry or Hardhat to write comprehensive unit and integration tests. Simulate key scenarios: fee collection from multiple sources, admin key rotation for the vault, and the full distribution cycle. Conduct audits on a testnet like Sepolia or Goerli, and consider a formal security audit from a reputable firm before launching with significant value. Tools like Slither or Mythril can provide initial automated analysis.
Your choice of distribution model has significant implications. A staking-based model with a StakingRewards contract encourages long-term holding but requires continuous emissions management. A retroactive airdrop using a Merkle distributor is gas-efficient for holders but requires off-chain calculation for each epoch. Evaluate your tokenomics: is the goal to reward active participants or all holders? The Sablier or Superfluid streams can be integrated for real-time, continuous distributions, enhancing the user experience.
Next, establish transparent governance and communication. Use Snapshot for off-chain signaling on treasury parameters like distribution frequency or eligible revenue streams. All on-chain actions—like initiating a distribution—should be executable only via a DAO vote executed through a SafeSnap module. Publish treasury addresses and transaction histories on a block explorer. Consider a dedicated dashboard using The Graph for subgraph data or Dune Analytics for customizable reporting to build holder trust.
Finally, plan for evolution. Start with a simple, audited version of the architecture described. As the treasury grows, you may need to implement yield strategies via DeFi protocols (e.g., depositing stablecoins into Aave or Compound) or explore cross-chain distributions using a layer-zero protocol like LayerZero or Axelar. The modular design allows you to swap components, like upgrading the distributor or adding new revenue routers, without a full system overhaul.