Mark Zuckerberg Could Teach DAOs Like Compound a Governance Lesson

11/25/2024 04:39
Mark Zuckerberg Could Teach DAOs Like Compound a Governance Lesson

Meta's Mark Zuckerberg Could Teach DAOs Like Compound a Governance Lesson

A $24M "governance attack" led by a whale known as Humpy shows the flaws of a "one token, one vote" system, says security audit firm OpenZeppelin.

Updated Nov 20, 2024, 4:31 p.m. Published Nov 20, 2024, 7:33 a.m.

  • DAO governance needs a re-think, and shares should have a multi-classed structure similar to Meta and other Silicon Valley giants, says security firm OpenZeppelin.
  • Such a change would help prevent governance attacks, like the one carried out last summer against Compound, says Michael Lewellen, OpenZeppelin's head of solutions architecture.

BANGKOK – It's all but impossible to carry out a governance attack against Meta.

Shareholder activism is a non-starter in Mark Zuckerberg's empire, because the company's dual-class share structure – where insider-held Class-B shares have more voting weight than Class-A shares available to the public – means he maintains roughly 58% voting control of the company.

But in the world of decentralized autonomous organizations (DAOs), which are in many ways analogous to corporations, it's one vote for one token.

That is how a whale – a large token holder – who goes by the handle Humpy and his "GoldenBoys," an affiliate group directed by Humpy or perhaps Humpy himself, ran what some called a "governance attack" against the lending protocol Compound in July.

They used their collective voting might to allocate $24 million worth of COMP tokens into a yield-bearing protocol called goldCOMP, controlled by them, to generate passive income for token holders.

This month, a court filing by the FTX estate appeared to "dox" – or name – Humpy and accused him of having ties to criminal networks. Nawaaz Mohammad Meerun, the person allegedly behind the alias, denied the accusations of criminal connections in a statement to CoinDesk.

Although some described the "attack" as a consequence of voter apathy, OpenZeppelin, a security audit firm that Compoud's DAO has an engagement with, and an active participant on the DAO's governance forum, sees things differently.

In an interview with CoinDesk at the sidelines of Devcon last week, Michael Lewellen, OpenZeppelin's head of solutions architecture, described what Humpy did as an exploit on the model itself.

"Governance models that are token holder-dominant, where there are no checks on token holders in any meaningful sense, are ultimately all susceptible to this. It’s just a question of when," he said.

In Lewellen's mind, while decentralization is critical for blockchain technology, one that ensures trustlessness and security, it's a challenge for governance.

“Decentralization is like an objective good, but it’s not a good in governance the same way it’s a good in blockchain," he said. "More voices in that discussion aren’t necessarily better if a lot of those voices are not aligned with the DAO and are not informed.”

Know-your-customer (KYC) initiatives are part of the future of DAO governance, Lewellen says, and the industry needs to figure out how to authenticate participants to introduce accountability without compromising privacy.

“There should be a way to verify this is a real person, and they’re not pretending to be others. For instance, zero-knowledge cryptography can help verify identities without exposing personal information,” he said.

Such measures would also prevent actors like Humpy from creating multiple delegate profiles to manipulate governance.

“If someone has significant governing power, they should be upfront about it,” Lewellen argued. “People should have the chance to recognize exactly what sort of influence they have and have the ability to counter it if necessary.”

And to prepare for another "Humpy," DAOs need to engage in wargaming exercises.

“Threat modeling for worst-case scenarios should be a standard practice,” Lewellin said. “Teams need real answers to questions like: What if a malicious actor acquires significant voting power? How do we respond on-chain?”

Apathy remains a significant challenge in DAO governance, with voter participation often low, showing a need to incentivize good civic behavior. Somehow, DAOs need to adopt governance models that ensure critical decisions – especially those involving user funds and protocol security – are handled with care and expertise, rather than left solely to those holding the most tokens.

“We need to give token holders reasons to be responsible stewards of the protocol,” Lewellen said. "By rewarding participation, we can ensure that governance decisions are made by informed and engaged stakeholders.”

In an ideal world, DAOs that handle billions of dollars would structure their governance more like Meta and less like their current iteration, Lewellen said.

"We need governance systems that reflect this reality, systems that balance decentralization with safeguards to ensure long-term sustainability.”

UPDATE (Nov. 20, 2024, 16:30 UTC): Replaces photo; edits throughout for clarity.

Sam Reynolds

Sam Reynolds is a senior reporter based in Taipei. Sam was part of the CoinDesk team that won the 2023 Gerald Loeb award in the breaking news category for coverage of FTX's collapse. Prior to CoinDesk, he was a reporter with Blockworks and a semiconductor analyst with IDC.

X icon

Sam Reynolds

Read more --->