Rethinking the crux of Defi protocol governance
Following the Steem incident, Justin Sun, a subject of heated conversation in the cryptocurrency world, was again caught up in allegations of governance attacks earlier this year. As the founder of the Tron public chain, a capital predator with over $1 billion in crypto assets, Sun’s on-chain address was widely tracked by crypto sleuths.
In January 2022, on-chain records show that an address suspected to belong to Sun Yuchen borrowed a large amount of $MKR from AAVE and proposed creating a DAI-TUSD pair within the community to support a fixed 1:1 exchange rate between the two. In March, another address suspected to belong to Sun Yuchen borrowed a large amount of $COMP from Compound, worth about $13 million, and transfer it to Binance, and a new address received about $9 million worth of $COMP from Binance soon after. The address used these $COMP to propose adding TUSD as pledged assets on Compound, which was ultimately rejected by a widely attended community vote.
While both proposals ended in failure but sparked an industry debate about DeFi’s governance. Some argue that it is unacceptable for the capital predator to use their “money power” to influence governance decisions directly and that DeFi governance should not be reduced to money politics; others argue that Sun Yunchen acted in full compliance with governance rules and that the capital predator used their financial resources to compete for access to assets in DeFi, helping to raise the price of governance token, which in turn will motivate more people and more money to participate, so what’s not to like?
Those who hold the latter view cite the success of the Curve protocol’s liquidity incentives as their main argument. As a stablecoin-focused AMM trading market, Curve created a liquidity incentive that offered different levels of $CRV rewards to liquidity providers for different pairs, depending on the percentage of votes each pair received in the governance vote. This mechanism triggered a fierce competition among stablecoin projects in the governance vote, known as the “Curve War”. Stablecoin projects tried their best to get more votes in order to gain more liquidity.
Since 2020, the Curve Protocol has been implementing such liquidity incentives, which has made the Curve Protocol a huge success. The Curve War drives up the price of $CRV, which stimulates more money to provide liquidity to the Curve Protocol, and the increase in liquidity further inflames the Curve War, a perfect flywheel effect!
No one thought Curve’s governance was kidnapped by money politics, but a genius project emerged from Curve War to find a loophole in the rules: Mochi Protocol.
Perhaps inspired by the Curve War flywheel effect, Mochi Protocol is planning to start its own flywheel effect. Mochi Protocol uses its governance token $Mochi INU to stimulate the liquidity of its USDM stablecoin in Curve. It uses a large amount of $Mochi INU to a vacuum casting of USDM in a large number that is then exchanged for DAI, and uses the DAI to buy a large amount of CVX (Convex Protocol’s governance token, which holds a large amount of CRV votes) to further compete for liquidity, and continues to leverage this liquidity to exchange USDM for DAI and then buy $CVX, and move this in circles. When USDM liquidity reaches $100 million, Mochi Protocol begins to cash out and run, depleting the liquidity and rendering the USDM hook ineffective, completing the “harvesting” of the liquidity provider’s funds.
At this point, you may be ambivalent about the politics of money in DeFi’s governance, which on the one hand may bring success to the protocol. on the other hand, may pose the risk of governance attacks and capital predator manipulation. Without a different perspective, it is difficult to look beyond our intuition of money politics and see the real issues in DeFi governance.
The Real Problem in DeFi Governance
Paka Labs believes that there are two key problems with the current governance mechanism of DeFi.
One, Governance Lever
The problem is that the $COMP and $MKR that address (which is suspected belong to Sun YunChen) used to participate in governance came from borrowing, not from the long-term asset holdings. If that address is adding some kind of highly controlled assets to the agreement, it is entirely possible for that address owner to use the agreement as his ATM by “banknote printing” and the owner has little downside risk at $COMP or $MKR, which is inconsistent with the principle of incentive compatibility. It still needs to provide the collateral if the address suspected to belong to Sun YunChen wants to use decentralized lending agreements to borrow governance tokens. In fact, if the borrower does not have sufficient collateral assets, he can also borrow governance tokens from others by issuing bond derivatives.
In the case of Curve War, there was a lot of bribery, with Curve War projects offering a meager incentive for others to vote as projects’ wished. (Of course, the “meager” here is in contrast to their direct purchase of these votes which will be much more expensive. (Bribes also include financial incentives to get others to delegate their votes to the specific subjects, which did not occur in Curve War because there is no delegation mechanism in Curve’s governance)
Borrowing votes and vote-buying provide leverage to governance participants, making a disproportion between the voting rights they gat and the responsibilities they are required to assume.
In addition, many DeFi protocols, where governance participation is so low that a very low percentage of votes can determine important matters involving significant funds or resources, are levers inborn. Solend, for example, made a staggering decision to take over hundreds of millions of dollars of assets of a capital predator with only a few hundred thousand dollars of voting rights. It was repealed by a new proposal due to strong opposition from the community.
In short, there is financial leverage in the governance voting process, which is an important issue that really threatens the fairness and security of governance.
Second, “open goal”
DeFi’s governance is more complicated than other types of DAO governance because DeFi has more resources than just the funds in the protocol Treasure, and even more than the funds in TVL (in fact, the ownership of the funds in TVL does not belong to the DeFi protocol itself, this is why Solend’s takeover of the account of the capital predators) was so controversial), and the most critical resources for the DeFi protocol are often non-financial resources, for example,
- Whitelist of collateral assets in lending protocols
- Liquidity resources in DEX
The allocation of non-financial resources of the protocol by governance votes cannot be understood as a simple governance activity, but rather as an activity of resource sale. From this perspective, Curve War can be understood as an auction of the liquidity resources of Curve. Since it is not political, there is no such thing as money politics. (The governance token carries the power to allocate valuable resources, which is why prices continued to rise wildly after Compound officially declared that $COMP had no financial value. Smart money realized this long ago!)
The real link that leads to risk is that this is an”open goal”, no one guard access to the assets. Let’s make a comparison with the process of cryptocurrency public onto CEX. If a Web3 project wants to be listed on a CEX, it needs to pay a listing fee mostly and reference checks will be done by the CEX, and if the reference checks fail, the token will not be listed. Some CEX would probably not adopt a “money is on the table” listing policy. Many DeFi protocols, however, do not have any risk control measures for asset access. This analogy is not entirely apt, but it illustrates the point.
While community members can spontaneously keep an eye out for governance proposals, they can also mobilize more members to veto proposals that add malicious assets against them, as Compound and MakerDAO did to veto the proposal suspected from Sun Yunchen. But such spontaneous monitoring behaviors by community members, lacking accountability and expertise, are enough, and there are always some “Big and Little Fishs” that can swoop this situation, such as the governance attack on Build Finance that was unobtrusively passed by a handful of votes controlled by attackers without the community noticing. This brought the vault assets to almost zero, leaving Build Finance in a state of total defeat and hard to reverse.
In order to safeguard the funds of DeFi participants, we need a more rigorous asset access vetting mechanism
How do we remove the levers of governance?
We need to crack each of them against each means of enabling governance leverage.
Defending against Vote Borrowing: Lock-up in exchange for Governance ights
First, vote borrowing is relatively easy to defend against. Both time-weighted voting and reputation-based voting can reduce the impact of vote borrowing. In fact, Curve’s governance already uses time-weighted voting. Curve’s governance right is achieved by voting with veCRV, not CRV, which could be obtained by locking up CRV. The longer the lock-up period, the more veCRV you get, for example, 4 years for 1 veCRV and 1 year for 0.25 veCRV.
There are two key points here, one, veCRV cannot be transferred. The reason why users can lend veCRV to Convex, StakeDAO, or Yearn Finance in Curve War is because of that Curve has a whitelist for a few subjects. Second, the number of veCRV decays linearly as the locked $CRV gradually approaches its expiration time. To maintain their voting right, users need to reset the time for lock-up.
The locking mechanism prevents anyone from obtaining a large number of votes by borrowing votes for a short period of time. If one wants to gain more votes, one must borrow for a longer period of time, which imposes a significant cost on the borrower.
We think it is likely that the mainstream DeFi protocols will evolve towards a time-weighted mechanism similar to Curve in the future, or towards a more complex reputation-based voting mechanism, and more and more nascent protocols will tend to move away from the 1T1V mechanism.
Defending against Vote-Buying: privacy technologies may promise for it
Vote-buying is a relatively difficult one.
While vote-buying exists in realpolitik, but not a common practice. After a voter throws his or her ballot into the box, there is no way for a third party to know which option the voter voted for, and it is even difficult for the voter to provide reliable evidence to prove he or she voted for a particular option, leaving no credible basis for vote-buying.
While for on-chain vote-buying, information is highly visible and easy to verify for the bribers and the information about the identity of the subjects involved in the vote-buying can be hidden and difficult to trace. This is an almost perfect ground for building a vote-buying market. In Curve War, it is a common practice for projects, and there are even some vote-buying service platforms have been built where users can be rewarded with tokens in exchange for their votes.
https://bribe.crv.finance/ (veCRV vote-buying platform)
https://votium.app/ (vlCVX vote-buying platform)
Bride Protocol is even more blatant in its claim to be a universal vote-buying platform, under the banner of “helping DAOs increase governance participation rate” and “helping governance tokens holders catch governance value”, with the intention of making “vote-buying” a neutral term in the DeFi governance context. It is true that vote-buying can increase the governance participation rate. But the false high participation rate is certainly not what the DeFi protocol wants to see.
Theoretically, the protocol could actively shield votes from vote-buying platforms, depriving bribe votes of their voting power, but this is based on the public availability of information about the vote-buying platform. If the vote-buying platform runs on private servers or is developed with privacy technologies on the chain, the active shield function becomes incapable.
So can we build a governance system where voting information is not visible? For example, using privacy technologies so that individual users’ voting information is not visible on the chain and only verifiable final vote results are visible. More than that users who vote cannot show credible proof to the vote-bribers of which option they voted for or to whom they delegated their votes. This is a throwaway idea that we hope to discuss and explore together.
It is important to note that even the most perfect technology cannot eliminate vote-buying completely. For example, vote-buying transactions that rely on acquaintances are difficult to observe. We can prevent vote-buying from becoming an effective market, so that to protect DeFi governance far to alienated by widespread vote-buying behavior.
Increasing Governance Participation Rate: Governance Political Parties and Governance Incentives
Even some of the benchmark DeFi protocols may without high governance participation rates, for example, only about 5% participation rate for Compound’s governance, which stimulus someone to capture the benefits of the protocols by controlling voting rights. Low turnout also motivates some protocols to achieve greater leverage through indirect governance, as detailed in Fei-Index-Aave’s operation.
From the perspective of democracy, projects always tries to get more people participate the voting process, but from the perspective of protocol governance security, the goal should be motivate as much as possible community members to complete the vote beavior among whole governance process. Sowe can find a new way for governance — — —protocol political parties.
While some protocols have already allowed people to delegate governance tokens to others to indirectly participate in governance. But such mechanisms have been hampered by a number of factors that have prevented significant increases in governance participation.
- Unless you are deeply involved in the community and know who the active contributors are and their propensity to vote on governance, you still don’t know the right people to delegate votes to.
- Voters who are delegated are inconsistent in their activity and no one asks them to do like that, leaving a portion of the vote dormant for long periods of time.
- There are always no rewards for participation in governance, which makes token holders prefer to stake/lock their tokens in DeFi to abtain interests.
Protocol parties promise to take the responsibility to get the vote of community members, and they hire experts to scrutinize each decision to do so.
In order for a party to have an incentive to participate responsibly in governance, and for token holders to have an incentive to entrust their votes to a party, protocols need to provide sufficient incentives to the participants in governance. The presence of a governance incentive is equivalent to taxing those who do not participate in governance and helps to “awaken” the “dormant” vote.
The governance incentive is divided into two parts, one is the reward for locking the governance tokens, somewhat like the staking reward in the PoS public chain, and the other part is the reward for voting behavior, such as the number of rewards depends on the how many times vote. The reward could be from inflationary or protocol profit.
One point to note here is that the party should not issue its own governance token, otherwise it will create opportunities for nesting-type leveraged governance similar to Fei-Index-Aave. Even if the party issues a governance token, it should not directly decide the voting of its proxy votes through its own governance voting process, but should appoint a professional committee to make voting decisions.
Currently, WildFireDAO has been created as a protocol political party and is actively involved in the governance of multiple protocols. Rabbithole has created its own governance committee as well to participate in the governance voting process of the protocols for which it holds governance tokens.
How to set up a gatekeeper mechanism?
After the governance attack on Mochi, Curve outlawed Mochi Protocol competing for liquidity. However, we need an ex-ante asset access link to ward off fraud and better protect DeFi participants’ funds than an ex-post “asset retirement”.
As mentioned before, in the current asset access mechanism of most DeFi, if you have enough money, you can get enough votes and thus put any asset you want to add into a DeFi — — — either as collateral for a lending protocol, as a reserve asset for a stablecoin, or be allowed to join a specific trading pair — — — which brings the governance attacks risk. By removing governance leverage, we can make it more expensive for attackers to gain voting rights, but beyond that, DeFi protocols should have a gatekeeping mechanism that serves as the ultimate security barrier against malicious asset additions.
It is inappropriate to have numerous token holders vetting access to assets. Otherwise, it comes back to the problem that voting rights may be captured by attackers for a short period of time to execute reference checks, and it is unlikely that voters will all bother to do responsible background checks on assets. A viable approach is for voters to develop vetting criteria and appoint a risk control team to do reference checks and decide whether to release those assets.
It is important to note that once the criteria are set, the review committee does not have the power to release assets that do not meet the criteria or to prevent assets that do meet the criteria from being added, otherwise the agreement can be removed or changed by a governance vote of the committee members. Of course, the audit criteria are, after all, just a few paragraphs, and in practice there must be discretionary power for the audit committee. Nevertheless, the criteria should be as clear as possible (e.g., a table to assess the decentralization of an asset) to reduce the possibility of fraud or bribery of the audit committee members. This is like the separation of the legislative and judicial branches in realpolitik.
In fact, in Compound, SushiSwap, there is a structure similar to the “Senate”, which has the power to veto all governance proposals, even those with a large number of votes. In practice, the Senate has also taken on the role of asset access vetting, vetoing proposals for malicious assets to be added. However, the mechanism is also controversial: proponents argue that the power of the Senate and the power of the governance vote can check each other and achieve a bicameral structure similar to that in democracy, while opponents argue that the Senate, which can veto all proposals, could well become the dictator of the agreement.
We see two central joints here.
- The scope of the Senate’s authority, whether it has other powers besides proposal veto, for instance, in some governance structures, the Senate also has the authority to suspend protocol, initiate emergency proposals, etc. In some early development DeFi protocols, the Senate has all superpowers to update the code at any time. The different scope of authority determines the nature of the Senate — dictator, or gatekeeper. However, for DeFi, which is at a relatively early stage of development, the code is not yet mature and the economic system is not yet validated, so it is not a good idea to have a dictator as a gatekeeper.
- Whetherelection and removal of members of the Senate are decided by a governance vote or not determines whether the senate is an independently existing power entity or just a surrogate of power authorized by the governance vote.
In summary, we believe it is necessary to have a committee empowered and overseen by the governance vote to be responsible for asset auditing, either as a separate department or could be held by a “senate” of agreement.
As DeFi has evolved, part of the protocol has become one of Web3 infrastructures with the attributes of a public good. Their basic responsibility is to protect the financial security of participants which is the baseline of DeFi’s development. There are two major risk factors, one is the potential for governance powers to be amplified by financial leverage, leading to power and responsibility inequitable governance, and the other is the lack of a reliable asset access vetting process.
This paper provides several approaches to eliminate governance leverage, among which lock-up mechanisms to defend against vote borrowing have been widely used, and parties and incentives to increase governance participation rate are being practiced one after another. Only vote-buying remains a thorny problem. For the vote-buying problem, privacy technology Is one of the options to prevent it, but the technical threshold is too high and thus can not be realized in the short term. Furthermore, the gatekeeper mechanism, which is to delegate a risk control team to investigate and vet assets that will be added to DeFi according to established principles, is also a good choice to do. However, there may a more sophisticated mode to address those types governance issues in a near future.