Governance Internals

DeFi governance is how protocols make decisions without a CEO. Token holders vote on proposals that can change interest rates, add collateral types, allocate treasury funds, or upgrade smart contracts. From simple token voting (Compound, Uniswap) to sophisticated veToken systems (Curve, Balancer), governance design profoundly shapes protocol behavior and economics.

Governance Models

Token Voting - 1 token = 1 vote. Simple but plutocratic. Used by Compound, Uniswap, Aave.
veToken Locking - Lock tokens for 1-4 years. More lock time = more voting power. Curve, Balancer, Frax.
Optimistic - Proposals pass unless vetoed. Faster execution, lower participation needed. Nouns DAO.
Council / Multisig - Elected representatives execute decisions. Faster but more centralized. Arbitrum Security Council.
On-Chain Voting - How proposals move from idea to execution: quorum, timelock, and token-weighted voting mechanics
Delegation - Vote delegation chains, power concentration, and how delegates shape protocol governance
veTokenomics - Vote-escrowed token locking: voting power decay, gauge weight battles, and boost mechanics

How DeFi governance actually executes a decision

A governance proposal in a Compound-style DAO - the template that Uniswap, Aave, Compound, and most Governor Bravo clones follow - moves through five steps. First, a delegate with enough proposal-threshold voting power (100k UNI, 25k COMP, 80k AAVE) calls propose with a calldata bundle: the target contracts, values, function signatures, and arguments that the vote will execute if it passes. Second, a voting-delay window (typically 1-2 days) elapses before voting opens, so the community can read and debate the proposal. Third, the voting window (5-7 days on most DAOs) runs - each voter's weight is the token balance they had delegated as of the proposal's snapshot block, which prevents flash-loan attacks on the vote itself.

Fourth, if the 'for' vote count clears the quorum threshold (400k COMP on Compound, 40M UNI on Uniswap, 320k AAVE on Aave) and 'for' exceeds 'against', anyone can call queue to push the proposal into the Timelock. Fifth, after the Timelock delay elapses (2 days on Compound/Uniswap, 7+ days on Aave depending on the short vs long executor) anyone can call execute, which fires the encoded calldata atomically through the Timelock's executeTransaction. The Timelock is the only address authorized to modify protocol parameters, so the entire chain of trust reduces to 'the Timelock only fires what governance voted for, delayed by T'.
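The five steps above as a runnable state machine. This is an added example written for this page, not Compound's, Uniswap's or OpenZeppelin's Governor code: delegate balances are checkpointed per block and read back as of the proposal's snapshot block (the behaviour the text describes for getPriorVotes-style lookups), the thresholds and delays are constructed values in whole tokens and blocks rather than any DAO's real parameters, and the "Timelock" is reduced to a queue with an earliest-execution block and a log of what fired. The demo in `run_governor_demo` shows why a wallet that acquires tokens after the snapshot carries zero weight, and why `execute` fails before the delay elapses.

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set, Tuple


class State(Enum):
    PENDING = auto()     # created, voting delay not yet elapsed
    ACTIVE = auto()      # voting window open
    DEFEATED = auto()
    SUCCEEDED = auto()   # passed, not yet queued
    QUEUED = auto()      # sitting in the Timelock
    EXECUTED = auto()


@dataclass
class Proposal:
    proposer: str
    calls: List[Tuple]            # (target, signature, args) bundles to execute
    snapshot_block: int           # voting weight is read as of this block
    start_block: int
    end_block: int
    votes_for: int = 0
    votes_against: int = 0
    eta: Optional[int] = None     # earliest execution block once queued
    executed: bool = False
    voters: Set[str] = field(default_factory=set)


class Governor:
    """Proposal lifecycle with a checkpointed delegate-balance store."""

    def __init__(self, proposal_threshold, quorum, voting_delay, voting_period, timelock_delay):
        self.proposal_threshold = proposal_threshold
        self.quorum = quorum
        self.voting_delay = voting_delay
        self.voting_period = voting_period
        self.timelock_delay = timelock_delay
        self.checkpoints = {}        # delegate -> [(block, balance), ...] ascending by block
        self.proposals = []
        self.executed_calls = []     # what the "Timelock" actually fired

    def checkpoint(self, block, delegate, balance):
        """Record a delegate's voting balance from `block` onward."""
        self.checkpoints.setdefault(delegate, []).append((block, balance))

    def votes_at(self, delegate, block):
        """Balance the delegate held at `block` (0 if nothing recorded yet)."""
        cps = self.checkpoints.get(delegate, [])
        i = bisect_right([b for b, _ in cps], block)
        return cps[i - 1][1] if i else 0

    def state(self, pid, block):
        p = self.proposals[pid]
        if p.executed:
            return State.EXECUTED
        if p.eta is not None:
            return State.QUEUED
        if block < p.start_block:
            return State.PENDING
        if block <= p.end_block:
            return State.ACTIVE
        if p.votes_for <= p.votes_against or p.votes_for < self.quorum:
            return State.DEFEATED
        return State.SUCCEEDED

    def propose(self, block, proposer, calls):
        # Step 1: proposer must hold the proposal threshold as of the prior block.
        if self.votes_at(proposer, block - 1) < self.proposal_threshold:
            raise PermissionError("proposer below proposal threshold")
        start = block + self.voting_delay                   # step 2: voting delay
        p = Proposal(proposer, calls, snapshot_block=block,
                     start_block=start, end_block=start + self.voting_period)
        self.proposals.append(p)
        return len(self.proposals) - 1

    def cast_vote(self, block, pid, voter, support):
        # Step 3: weight is the balance at the snapshot block, never the live balance.
        if self.state(pid, block) is not State.ACTIVE:
            raise RuntimeError("voting is closed")
        p = self.proposals[pid]
        if voter in p.voters:
            raise RuntimeError("already voted")
        p.voters.add(voter)
        weight = self.votes_at(voter, p.snapshot_block)
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight
        return weight

    def queue(self, block, pid):
        # Step 4: quorum and majority are checked inside state(); then the Timelock clock starts.
        if self.state(pid, block) is not State.SUCCEEDED:
            raise RuntimeError("proposal has not succeeded")
        self.proposals[pid].eta = block + self.timelock_delay

    def execute(self, block, pid):
        # Step 5: only after the delay does the encoded calldata fire.
        p = self.proposals[pid]
        if self.state(pid, block) is not State.QUEUED or block < p.eta:
            raise RuntimeError("timelock delay has not elapsed")
        self.executed_calls.extend(p.calls)
        p.executed = True


def run_governor_demo():
    """Constructed scenario: token amounts and block delays are illustrative only."""
    gov = Governor(proposal_threshold=25_000, quorum=400_000,
                   voting_delay=2, voting_period=5, timelock_delay=3)
    gov.checkpoint(block=1, delegate="delegateA", balance=300_000)
    gov.checkpoint(block=1, delegate="delegateB", balance=150_000)
    calls = [("Comptroller", "_setCollateralFactor(address,uint256)", ("cTOKEN", 800_000_000_000_000_000))]
    pid = gov.propose(block=10, proposer="delegateA", calls=calls)   # snapshot = block 10
    gov.checkpoint(block=11, delegate="lateBuyer", balance=1_000_000)  # acquired after snapshot
    late_weight = gov.cast_vote(block=13, pid=pid, voter="lateBuyer", support=False)
    gov.cast_vote(block=13, pid=pid, voter="delegateA", support=True)
    gov.cast_vote(block=14, pid=pid, voter="delegateB", support=True)
    gov.queue(block=18, pid=pid)            # end_block is 17, so block 18 is SUCCEEDED
    try:
        gov.execute(block=19, pid=pid)      # eta is 21: too early
        early_blocked = False
    except RuntimeError:
        early_blocked = True
    gov.execute(block=21, pid=pid)
    return {"late_weight": late_weight,
            "votes_for": gov.proposals[pid].votes_for,
            "early_blocked": early_blocked,
            "state": gov.state(pid, 21).name,
            "executed_calls": gov.executed_calls}
```

Everything a real Governor checks on-chain (threshold, snapshot weight, quorum, majority, delay) is a single branch here, which makes it a convenient harness for reasoning about a specific DAO's parameters: swap the constructed numbers for the ones in the text and walk through who could queue what.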

MakerDAO is the main exception. Core MakerDAO ran continuous approval voting: any MKR holder could simultaneously approve multiple 'spell' contracts, and the Chief contract tracked which spell had the most MKR approval at any moment. Sensitive operations (adding collateral, changing the DSR, adjusting debt ceilings) passed through the Governance Security Module (GSM), which enforced a minimum delay of 30 hours, or longer depending on whether the executive was an emergency or a normal one, before the spell could fire. Under the 2024 Sky Endgame refactor, SubDAOs now govern their own scopes with token-voting rails, but the GSM delay pattern persists for the core collateral and DSR surface, which is why Maker's security posture has historically been stronger than that of pure Governor Bravo DAOs.
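The continuous-approval pattern as an added toy model, not Maker's DSChief or DSPause code: holders lock MKR and approve a slate of spells at once, a challenger spell becomes the "hat" only by strictly out-approving the current hat, and a scheduled hat can be cast only after the GSM delay. The 30-hour delay is the figure from the text; the voter names, MKR amounts, spell names and timestamps are constructed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional


class Chief:
    """Continuous approval voting plus a GSM-style delay before a spell fires."""

    def __init__(self, gsm_delay_seconds: int):
        self.gsm_delay = gsm_delay_seconds
        self.deposits: Dict[str, int] = defaultdict(int)   # voter -> MKR locked
        self.slates: Dict[str, FrozenSet[str]] = {}        # voter -> spells approved
        self.hat: Optional[str] = None                     # spell with the most approval
        self.eta: Dict[str, int] = {}                      # spell -> earliest cast time
        self.cast_log: List[str] = []

    def lock(self, voter: str, amount: int) -> None:
        self.deposits[voter] += amount

    def vote(self, voter: str, spells: Iterable[str]) -> None:
        # Approval voting: the voter's whole MKR weight counts for every spell in the slate.
        self.slates[voter] = frozenset(spells)

    def approvals(self, spell: Optional[str]) -> int:
        if spell is None:
            return 0
        return sum(self.deposits[v] for v, slate in self.slates.items() if spell in slate)

    def lift(self, spell: str) -> str:
        # A challenger takes the hat only by strictly out-approving the current hat.
        if self.approvals(spell) <= self.approvals(self.hat):
            raise RuntimeError(f"{spell} does not out-approve the current hat")
        self.hat = spell
        return spell

    def schedule(self, spell: str, now: int) -> int:
        # Only the hat can be plotted into the delay module.
        if spell != self.hat:
            raise PermissionError("only the hat may be scheduled")
        self.eta[spell] = now + self.gsm_delay
        return self.eta[spell]

    def cast(self, spell: str, now: int) -> None:
        if spell not in self.eta:
            raise RuntimeError("spell was never scheduled")
        if now < self.eta[spell]:
            raise RuntimeError("GSM delay has not elapsed")
        self.cast_log.append(spell)


def run_chief_demo() -> dict:
    chief = Chief(gsm_delay_seconds=30 * 3600)    # 30-hour GSM delay, per the text
    chief.lock("holder1", 60_000)
    chief.lock("holder2", 50_000)
    chief.lock("holder3", 20_000)
    chief.vote("holder1", ["spellA"])
    chief.vote("holder2", ["spellA", "spellB"])    # approves both simultaneously
    chief.vote("holder3", ["spellB"])
    chief.lift("spellA")                           # 110k approving A vs 70k for B
    try:
        chief.lift("spellB")                       # 70k does not beat 110k
        premature_lift = True
    except RuntimeError:
        premature_lift = False
    chief.vote("holder1", ["spellB"])              # holder1 moves: A = 50k, B = 130k
    chief.lift("spellB")
    t0 = 1_700_000_000                             # constructed timestamp
    eta = chief.schedule("spellB", now=t0)
    try:
        chief.cast("spellB", now=t0 + 10 * 3600)   # 10 hours in: still inside the delay
        early_cast = True
    except RuntimeError:
        early_cast = False
    chief.cast("spellB", now=eta)
    return {"hat": chief.hat, "approvals_B": chief.approvals("spellB"),
            "premature_lift": premature_lift, "early_cast": early_cast,
            "cast_log": chief.cast_log, "eta_minus_t0": eta - t0}
```

The point of the model is the difference from a Governor: there is no voting window to close, so the hat can change at any moment as MKR moves between slates, and the GSM delay is the only thing standing between a new hat and execution.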

Key concepts

Quorum and proposal threshold
Quorum is the minimum 'for' vote count for a proposal to pass; proposal threshold is the minimum voting power a delegate needs to submit a proposal at all. Compound uses 400k COMP quorum and a 25k COMP proposal threshold; Uniswap uses 40M UNI quorum and 2.5M UNI proposal threshold; Aave uses a 320k AAVE quorum for level-1 executors. The ratio of active turnout to quorum is the single best metric for governance-attack risk - a DAO where the average passed proposal beats quorum by only 20% can be captured by any actor who can borrow or accumulate 20% more tokens for one block.
Timelock and GSM delay
The Timelock contract enforces a mandatory delay between a proposal passing and executing. Compound and Uniswap use 2-day Timelocks; Aave ships separate 'short' (1-day) and 'long' (7-day) executors for different risk tiers; MakerDAO's GSM enforces a 30-hour minimum for normal executives and longer for sensitive actions. The delay is the defense against governance-capture attacks - it converts a silent exploit into a public emergency that humans can intervene on.
Delegation
Holders call delegate(address) to assign voting weight to themselves or a delegate (a16z, StableLab, Gauntlet, PGov, Chaos Labs are the most-delegated-to professional delegates across major DAOs). The Governor reads each address's delegated balance as of the proposal's snapshot block, so flash-loaning tokens into a vote does not work. In practice delegation is heavily concentrated: in most major DAOs the top 10 delegates hold more voting weight than all non-delegating holders combined.
Governance capture vs bribery
Capture is accumulating enough voting weight to pass a malicious proposal outright - Beanstalk 2022 ($182M) is the canonical example, executed via a flash loan on BEAN3CRV-f that bypassed Beanstalk's single-block voting logic. Bribery is paying existing voters to vote a specific way, and it is a legitimate, recurring economy on Curve gauge votes (Votium, Hidden Hand) where protocols pay $0.50-$1.50 per $1 of CRV emissions directed. Timelocks and snapshot-based voting defeat capture; only structural choices like veTokenomics deter bribery.
veTokenomics
Vote-escrowed tokens (veCRV, veBAL, veFXS) require holders to lock tokens for up to 4 years in exchange for voting power that decays linearly as the lock approaches expiry. This binds voters to long-term economic exposure and makes one-block voter renting infeasible. The tradeoff is that veTokenomics creates meta-governance layers - Convex holds ~50% of veCRV as of April 2026 - that can concentrate power in aggregator contracts rather than across the original token holder base.
Risk stewards and emergency pause
Modern DAOs delegate narrow operational parameters to risk steward multisigs that can pause markets, adjust LTVs, or disable specific reserves without a full governance vote. Aave's RiskStewards (Gauntlet + Chaos Labs) can update supply/borrow caps and liquidation thresholds (LTs) within a governance-approved envelope; Compound v3 uses an emergency-pause guardian. These layers are a deliberate admission that full on-chain votes are too slow for incident response, and they trade some decentralization for the ability to react to an oracle exploit or a depeg within hours rather than days.
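The "Quorum and proposal threshold" and "Delegation" entries above each name a risk metric: how far typical turnout clears quorum, and whether a handful of top delegates can carry a vote alone. This added example (not from any DAO's tooling) computes both from a constructed delegation map; the delegate names, weights, quorum and recent turnout figures are made-up sample data on the same scale as the numbers in the text, and the functions are the part worth reusing against real Governor data.

```python
from typing import Dict, List, Optional

# Constructed sample data (not real on-chain figures). Units are whole tokens.
DELEGATES: Dict[str, int] = {
    "delegate01": 15_000_000, "delegate02": 9_000_000, "delegate03": 7_000_000,
    "delegate04": 6_000_000, "delegate05": 5_000_000, "delegate06": 3_000_000,
    "delegate07": 2_000_000, "delegate08": 1_500_000, "delegate09": 1_000_000,
    "delegate10": 800_000, "delegate11": 400_000, "delegate12": 300_000,
}
NON_DELEGATED: int = 40_000_000     # tokens in wallets that never called delegate()
QUORUM: int = 40_000_000            # constructed; same scale as the 40M UNI quorum in the text
RECENT_FOR: List[int] = [48_000_000, 45_000_000, 51_000_000, 44_000_000]
RECENT_AGAINST: List[int] = [2_000_000, 6_000_000, 1_000_000, 3_000_000]


def ranked_weights(delegates: Dict[str, int]) -> List[int]:
    return sorted(delegates.values(), reverse=True)


def top_n_share(delegates: Dict[str, int], n: int) -> float:
    """Fraction of all delegated weight held by the n largest delegates."""
    w = ranked_weights(delegates)
    return sum(w[:n]) / sum(w)


def min_delegates_to_reach_quorum(delegates: Dict[str, int], quorum: int) -> Optional[int]:
    """Smallest k such that the k largest delegates alone meet quorum; None if they never do."""
    total = 0
    for k, weight in enumerate(ranked_weights(delegates), start=1):
        total += weight
        if total >= quorum:
            return k
    return None


def quorum_margin(turnout_for: List[int], quorum: int) -> float:
    """How far the average 'for' turnout clears quorum, as a fraction of quorum.
    A small margin is the low-quorum warning sign the text describes."""
    return sum(turnout_for) / len(turnout_for) / quorum - 1


def weight_to_force_pass(quorum: int, turnout_against: List[int]) -> int:
    """Snapshot weight a single actor would need to both meet quorum and beat the
    largest 'against' turnout seen recently: the number a defender tracks over time."""
    return max(quorum, max(turnout_against) + 1)


def risk_report() -> dict:
    w = ranked_weights(DELEGATES)
    return {
        "top3_share": round(top_n_share(DELEGATES, 3), 3),
        "top10_beats_non_delegated": sum(w[:10]) > NON_DELEGATED,
        "delegates_to_reach_quorum": min_delegates_to_reach_quorum(DELEGATES, QUORUM),
        "quorum_margin": round(quorum_margin(RECENT_FOR, QUORUM), 3),
        "weight_to_force_pass": weight_to_force_pass(QUORUM, RECENT_AGAINST),
    }
```

Feeding `risk_report` with a real delegation snapshot turns the "can the top 3 delegates pass this alone" question into a number that can be tracked per proposal and alerted on when it drops.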

Why governance matters

As of April 2026, the most active DAOs by proposal throughput are Arbitrum, MakerDAO / Sky, Aave, Uniswap, and Compound. The decisions these DAOs make - fee-switch activations, collateral listings, cross-chain deployments, stablecoin facilitator approvals - routinely move billions of dollars in TVL and set the risk parameters that determine whether users get liquidated or kept solvent during market stress. Governance is not ceremonial; it is the real control plane of DeFi, and the governance design decides whether that control plane is robust to an adversary with a flash loan and a proposal bundle.

The governance-attack surface is not 'decentralization benefits' marketing - it is a concrete set of failure modes: governance capture (Beanstalk, 2022, $182M drained in a single proposal execution), low-quorum exploits (any DAO where turnout barely beats quorum is one coordinated buy away from a malicious upgrade), timelock bypasses (Maker's GSM delay exists precisely because historical MKR-voting anomalies made pure continuous-approval risky for core collateral parameters), delegate collusion (two or three top delegates can routinely pass or block any proposal in most Governor Bravo DAOs), and bribery-market imbalances (Convex's dominance of veCRV means a minority of original CRV lockers no longer set Curve's gauge emissions). Understanding quorum math, timelock delays, delegation concentration, and veTokenomics is therefore the frame for understanding which DAO governance decisions are actually binding versus which are theater over a multisig's decision.

Frequently asked questions

How do Compound, Uniswap, and MakerDAO differ in governance design?
Compound Governor Bravo uses delegated 1-token-1-vote COMP with a 2-day voting window, a 400,000-COMP quorum (about 4% of circulating), and a 2-day Timelock. Uniswap's Governor Bravo clone uses UNI with a 40M-UNI quorum (4% of circulating), a 7-day voting window, and a 2-day Timelock. MakerDAO historically ran MKR executive votes through continuous approval voting - whichever 'spell' contract had the most MKR approving it at any moment was the active executive - backed by a Chief contract and a per-spell GSM pause delay of 30 hours or more for sensitive actions. Under Sky's 2024 Endgame refactor the pattern moved toward discrete SubDAOs with their own token-voting rails, but the continuous-approval primitive and the GSM delay are still how the core Maker protocol is governed.
What is a governance timelock and why does every serious protocol use one?
A timelock is a contract between the governance vote and the executing code: a passed proposal is queued, a mandatory delay (2 days on Compound and Uniswap, 30 hours minimum on MakerDAO's GSM, 7 days on many Safe-managed treasuries) must elapse, and only then can the proposal be executed. The delay exists because token-voting is not sybil-resistant - if an attacker accumulates enough tokens via flash loan, borrow, or OTC accumulation to pass a malicious proposal, the timelock buys defenders time to (a) publicly raise the alarm, (b) rally opposing voters to queue an override, (c) escape funds from at-risk positions, or (d) trigger an emergency pause. Beanstalk's 2022 governance-capture exploit is the archetype of what happens without a timelock: $182M drained in the same transaction as the proposal passed.
What is quorum and why does a low quorum make a protocol exploitable?
Quorum is the minimum 'for' vote count that a proposal must reach for the vote to be valid. On Compound it is 400,000 COMP, on Uniswap 40M UNI, on Aave 320k AAVE. Quorum matters because the attack surface of a DAO is inversely proportional to its active voter turnout: if the average proposal passes with 5M tokens of participation but the quorum is only 4M tokens, any actor who can borrow or assemble 4M+1 tokens for a single block can pass arbitrary code through the timelock. Low-quorum exploits are the reason MakerDAO's GSM keeps a multi-day delay on any executive that touches DAI collateral parameters, and why Aave's RiskStewards layer can pause specific reserve parameters without a full governance vote.
How does delegation actually work and how concentrated is voting power in practice?
In Compound-style governance, each token holder calls delegate(address) to assign their voting power to a delegate; the delegate can be themselves. The Governor contract then reads the delegated balance as of the proposal's block number to compute voting weight, preventing flash-loan attacks on the vote itself. In practice, delegation is extremely concentrated: across Uniswap, Compound, and Aave, the top 10 delegates consistently hold more voting power than the entire long tail combined, and proposals frequently pass or fail on the vote of a single top-five delegate (a16z, StableLab, Gauntlet, PGov, Chaos Labs). This concentration is why governance-attack-surface analyses focus on 'can this proposal be passed by the top 3 delegates alone' as a key risk metric.
What is a governance-capture attack and how is it different from a bribery attack?
Governance capture is an attacker accumulating enough voting power (directly, via flash loan, or by aggregating delegations) to pass a proposal that drains the protocol - Beanstalk 2022 is the canonical example where an attacker flash-loaned ~$1B in BEAN3CRV-f LP tokens to push through a malicious emergency commit. Bribery is paying existing voters to vote a specific way: Curve's gauge weight bribes on Votium and the Convex stkCVX market are a legitimate bribery economy where protocols pay voters $0.50-$1.50 per $1 of CRV emissions directed. The distinction matters because timelocks and flash-loan-resistant snapshots defeat capture, but they don't defeat bribery - bribery operates inside the normal voting window and is only deterred by delegate reputation and by structural choices like veTokenomics that bind voters to long-term lockups.
How does veTokenomics change the governance-attack surface compared to 1-token-1-vote?
In 1-token-1-vote systems, voting power is liquid - a voter can sell the token the day after a vote. In veTokenomics (Curve veCRV, Balancer veBAL, Frax veFXS), the voter locks tokens for a defined period (up to 4 years on Curve) and receives voting power that decays linearly to zero as the lock approaches expiry. This means a bribery attacker cannot cheaply rent voting power for one vote; they must either buy existing veTokens (non-transferable on Curve, wrapped via Convex) or lock fresh tokens for years. The tradeoff is that veTokenomics turns governance into an arms race around lock depth and bribe-market efficiency - Convex holds ~50% of all veCRV as of April 2026 because it captured the bribe liquidity first, which concentrates power in one smart-contract layer rather than across the token holder base.
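The linear decay described in the veTokenomics entry and in this answer, as an added example that is not Curve's, Balancer's or Frax's contract code. The 4-year maximum lock follows the text; the exact `MAX_LOCK` constant, the week alignment and the integer (round-down) arithmetic are assumptions modelled on how ve-style contracts typically behave. `tokens_needed` makes the "one-block voter renting is infeasible" point concrete by comparing what a one-week lock costs against a maximum lock for the same voting power.

```python
from typing import List, Tuple

WEEK = 7 * 86_400
MAX_LOCK = 4 * 365 * 86_400      # "up to 4 years" per the text; exact constant is an assumption


def voting_power(amount: int, lock_end: int, now: int) -> int:
    """ve-style weight: tokens scaled by remaining lock time, linear to zero at expiry.
    Remaining time is capped at MAX_LOCK; integer division rounds down like on-chain math."""
    remaining = max(0, min(lock_end - now, MAX_LOCK))
    return amount * remaining // MAX_LOCK


def decay_curve(amount: int, lock_end: int, start: int, step: int, points: int) -> List[Tuple[int, int]]:
    """(time, power) samples along the lock, useful for plotting or for a table."""
    return [(start + i * step, voting_power(amount, lock_end, start + i * step))
            for i in range(points)]


def tokens_needed(target_power: int, lock_duration: int) -> int:
    """Minimum tokens that must be locked for `lock_duration` to hold `target_power` now.
    Ceiling division, so the result really reaches the target after rounding down."""
    lock_duration = min(lock_duration, MAX_LOCK)
    return -(-target_power * MAX_LOCK // lock_duration)


def rental_comparison(target_power: int) -> dict:
    """Cost of one vote's worth of weight for a one-week lock versus a maximum lock."""
    return {"one_week_lock": tokens_needed(target_power, WEEK),
            "max_lock": tokens_needed(target_power, MAX_LOCK)}
```

With these constants, matching the weight of 1,000 tokens locked for four years takes roughly 208 times as many tokens on a one-week lock, and whatever is locked stays locked, which is the economic bind the text describes.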
As of April 2026, which DAOs have active governance and what are they deciding?
As of April 2026, the most active DAOs by proposal throughput are Arbitrum (grants, treasury allocations, AIP upgrades), MakerDAO / Sky (collateral onboarding, rate-setting, Endgame SubDAO launches), Aave (RiskStewards parameter updates, new chain deployments, GHO facilitator approvals), Uniswap (fee-switch negotiations, v4 hook allow-lists), and Compound (market parameter updates, new collateral types). Across all of them, the persistent debate themes are (a) the fee-switch question - whether to activate protocol revenue sharing to tokenholders at the risk of triggering securities-law treatment - and (b) the concentration question - how to structure delegation so that top delegates remain accountable without centralizing into a de facto multisig.