Security Best Practices for DAOs

DAO DAO
Feb 25, 2023

At DAO DAO, we pride ourselves on a good security culture. Our contracts have been audited, have industry-leading test coverage, and are battle tested across a variety of high-value DAOs.

DAO DAO contracts provide a level of security acceptable for even highly risk-sensitive use cases. However, good smart contracts cannot prevent bad things from happening. It is possible to misconfigure your DAO, for example by making it impossible to pass proposals. Also, we live in an unpredictable and uncontrollable world. Fortunately, through proper DAO configuration, the risks associated with running a DAO can be reduced to a reasonable minimum.

This document provides some advice on how to structure your DAO in a way that keeps your DAO secure. It is merely a guide, and we encourage anyone launching a DAO to do their own research and to think deeply about their use case and the particular risks those use cases might raise.

REMEMBER: DAO DAO is open source software, which you use at your own risk! Be careful, and please read our disclaimer.

Choosing a structure

Your DAO structure determines who has voting power in your DAO.

There are three main types of DAOs supported by DAO DAO at the moment:

  • Membership
  • NFT
  • Token-based

Each has tradeoffs. It is important to understand how voting power works to figure out how to best protect your DAO. It is possible to convert one type of DAO to another, though it does require a great deal of thought.

Membership DAOs

Membership DAOs (a.k.a. multisigs) are the simplest form of DAOs and as such we recommend them for most new DAOs.

Membership DAOs consist of members and their respective voting weights. There can be as few as one or as many as hundreds of thousands of members!

The addition and removal of members have to be voted on by the DAO. Membership can never be traded. Having a fixed membership controlled by the DAO makes them easier to reason about in terms of security.

We think Membership DAOs are a great way for communities to get started, without the need to think about tokenomics, etc.

Importantly, Membership DAOs can be converted to other types of DAOs should the need arise and after careful thought.

Token-based DAOs

Token-based DAOs are based around token ownership (NFT, CW20, etc.), more specifically staked token ownership. To join the DAO a member must stake their tokens in the DAO to gain voting power based on the number of tokens they own. To leave a DAO, an account simply unstakes its tokens and waits for a configurable unbonding period.

In DAO DAO, you are only able to vote on proposals if you had tokens staked when the proposal was created.

DAO DAO supports two types of token-based DAOs:

  • NFT-based DAOs
  • Native or CW20 token-based DAOs

Both can be used to introduce incentive mechanisms and more fluid DAO membership. While these are very useful primitives, they do introduce new risks that aren’t present in membership-based DAOs. Specifically, the membership of these DAOs is fluid rather than fixed.

Due to their fluid membership, token-based DAOs need to pay extra close attention to their voting settings and security policies. This is especially true if the token for the DAO is available for purchase via secondary markets, since an outsider can then buy voting power rather than be admitted by the members.

Voting Settings Considerations

There are a number of crucial voting settings you should pay attention to when creating your DAO.

Proposal Submission Policy

DAO DAO supports an optional open submission policy that allows anyone, not just members, to submit a proposal. Because a malicious proposal can then come to a vote, this setting opens the door to social engineering attacks in which members are persuaded to approve it.

We recommend only using this setting with SubDAOs, so that any malicious proposal that somehow gets through will never be able to affect the main DAO.

Active Threshold (for token-based DAOs)

For NFT and token-based DAOs, the active_threshold setting determines what percentage of tokens need to be staked in order for the DAO to be active and able to pass proposals.

We highly recommend using active_threshold with token-based DAOs. This ensures that a significant number of tokens are staked with the DAO before actions can be taken.

In a recent attack, the $AQUA DAO had a very small number of tokens staked. Attackers were able to purchase the token on a DEX and stake them to take control of the DAO. An active_threshold would have prevented this attack.

Warning: setting active_threshold too high can result in a DAO that is unable to ever pass proposals. For example, an active_threshold of 99% would mean that 99% of token holders would have to stake to be able to pass a DAO proposal.

Setting Quorum

Quorum determines what proportion of voting weight must turn out for a proposal to pass.

Setting Quorum too high can result in your DAO being unable to pass proposals if you can’t rally your community to vote. For example, if you set Quorum to 100%, then 100% of DAO members will need to vote in order for a proposal to pass. For DAOs with a large number of members, it is highly unrealistic to get everyone to turn out for a single vote.

If Quorum is too low, a very small number of people can pass a proposal. While other DAO members will be able to vote against a malicious proposal, the danger is greater for inactive and less engaged DAOs: if no one is paying attention, a small number of votes could ram a proposal through the governance process before the rest of the membership notices.
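To make the Active Threshold and Quorum settings concrete, here is an added example (not DAO DAO's contract code; a simplified model in which a proposal passes when "yes" exceeds half of the votes cast, which is an assumption) that replays the thin-staking scenario above and a quorum that is set too high:

```python
from dataclasses import dataclass, field


@dataclass
class TokenDao:
    """Simplified model of a token-based DAO's voting settings (not DAO DAO's code)."""
    total_supply: int                                  # tokens in existence
    staked: dict = field(default_factory=dict)         # address -> staked tokens (only staked tokens vote)
    active_threshold: float = 0.0                      # share of supply that must be staked before the DAO can act; 0 disables
    quorum: float = 0.2                                # share of staked power that must vote for a proposal to be decided
    threshold: float = 0.5                             # assumed rule: "yes" must exceed this share of votes cast

    def staked_total(self) -> int:
        return sum(self.staked.values())

    def is_active(self) -> bool:
        return self.staked_total() >= self.active_threshold * self.total_supply

    def evaluate(self, votes: dict) -> str:
        """votes: address -> 'yes' | 'no'. Returns the outcome and, if not passed, why."""
        if not self.is_active():
            return "inactive"             # too little of the supply is staked; no proposal can pass
        power = self.staked_total()
        cast = sum(self.staked.get(a, 0) for a in votes)
        if cast < self.quorum * power:
            return "quorum not met"
        yes = sum(self.staked.get(a, 0) for a, v in votes.items() if v == "yes")
        return "passed" if yes > self.threshold * cast else "rejected"


def thin_staking_scenario(active_threshold: float) -> str:
    # Constructed figures, not real $AQUA numbers: 1,000,000 tokens exist, two
    # long-time members have only 10,000 staked between them, and a newcomer
    # stakes 15,000 just bought on a DEX. Only the newcomer turns out to vote.
    dao = TokenDao(total_supply=1_000_000,
                   staked={"alice": 6_000, "bob": 4_000, "newcomer": 15_000},
                   active_threshold=active_threshold)
    return dao.evaluate({"newcomer": "yes"})


def quorum_scenario(quorum: float) -> str:
    # The same DAO before the newcomer arrived: alice votes yes, bob stays home.
    dao = TokenDao(total_supply=1_000_000, staked={"alice": 6_000, "bob": 4_000},
                   active_threshold=0.0, quorum=quorum)
    return dao.evaluate({"alice": "yes"})


if __name__ == "__main__":
    print(thin_staking_scenario(0.0), thin_staking_scenario(0.10))  # passed inactive
    print(quorum_scenario(0.2), quorum_scenario(0.7))                # passed "quorum not met"
```

With no active threshold the newcomer holds 60% of staked power and passes the proposal alone; requiring 10% of the supply to be staked leaves the DAO inactive until the community actually shows up.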

Other Considerations

Beware of Social Engineering Attacks

Regardless of which DAO structure and settings you choose, all DAOs need to be wary of social engineering attacks. This is especially relevant for DAOs with a large number of participants.

When a proposal is submitted changing DAO settings, adding members, or minting or spending tokens, THINK CRITICALLY about it. Who is submitting the proposal? Could this proposal be used to take over the DAO?

During the $RED versus $BLUE #DAOGames, a seemingly benign proposal was submitted in RED DAO to establish a SubDAO with a significant treasury. This proposal recognized a SubDAO that was also a token-based DAO with the $RED token and no active_threshold. Unfortunately for RED DAO, this meant that someone could come in with very little $RED and stake it to control the funds in that SubDAO treasury. This exact scenario happened: a member transferred the 2 million $RED tokens to themselves and used them to give themselves over 20% voting power in RED DAO. While this was in the context of the game, it should be a lesson to anyone starting a token-based DAO or voting on proposals to mint or transfer a large amount of tokens.

Permissions

DAO DAO provides useful tools for managing permissions within DAOs, namely SubDAOs and Authz support. In general, it is good practice to divide up the functionality of DAOs in ways that don’t put too much power into a particular team or SubDAO. For example, if a DAO wants to have open proposal submission to Mint NFTs, it is better to do this through a dedicated SubDAO rather than the main DAO so as to prevent potential social engineering attacks.

SubDAOs are full DAOs that are 100% under the control of their parent DAO. In other words, at any time the parent DAO may execute a proposal on behalf of the SubDAO, but not vice versa. As such they are useful for creating permission systems.

Authz is another useful feature supported by the DAO DAO UI: it allows another account to perform a specific action on behalf of a DAO. Instead of giving an outside group voting power to do something like claiming and staking, consider using Authz instead.

Voting Power Concentration

Voting power concentration in a DAO is a red flag. DAO DAO is working on UI and tools to allow users to quickly and easily determine who controls voting power and tokens within a DAO.

A high concentration of tokens in a few accounts means that those accounts can effectively control the DAO. While this isn't always a bad thing, be sure to do your research and be wary of scams.

Key management

Imagine a member of your DAO loses their keys or has their keys stolen by an attacker. What will the DAO do in this situation?

Voting to remove that member (in a Membership DAO) or burn or reclaim their membership tokens (in a token-based DAO) may be necessary, lest an attacker be able to vote as the person whose keys were lost. However, these proposals will only pass if the voting share remains to pass them!

As you put together your DAO, think: who would be the worst person (or people!) to lose their keys? What’s the worst (and we hate to even say it) plane crash that would remove enough DAO members such that your DAO would become locked, inoperable due to insufficient voting share to pass proposals? Keep these sorts of worst-case outcomes in your mind. Bad things happen, but with sufficient decentralization (i.e., with the voting share spread among enough people who don’t all hang out together in person), the risk of key loss can be reduced to a reasonable level.

Similarly, think through what you will need to do in the case that someone loses access to their wallet or has their seed phrase compromised. Consider creating a dummy member, and drill recovering their voting share and re-assigning it to another wallet.
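As an added example (not DAO DAO's code; the membership weights and quorum are constructed), the following computes the smallest set of members whose key loss would leave the survivors unable to reach quorum, and drills the recovery vote that re-assigns a lost member's voting share to a fresh wallet:

```python
def lockout_set(weights: dict, quorum: float) -> list:
    """Smallest set of members whose key loss leaves the survivors unable to reach
    quorum. A lost member's weight still counts in the total until the DAO votes
    them out, so the survivors must hold at least quorum * total on their own.
    Removing the heaviest members first needs the fewest losses (greedy is exact)."""
    if quorum <= 0:
        return []                       # no quorum requirement: key loss cannot lock the DAO
    total = sum(weights.values())
    remaining, lost = total, []
    for addr, weight in sorted(weights.items(), key=lambda kv: kv[1], reverse=True):
        lost.append(addr)
        remaining -= weight
        if remaining < quorum * total:
            return lost
    return lost


def can_recover(weights: dict, lost: list, quorum: float) -> bool:
    """Can the survivors pass a proposal to remove or replace the lost wallets,
    assuming every survivor turns out and votes yes?"""
    total = sum(weights.values())
    survivors = sum(w for a, w in weights.items() if a not in lost)
    return survivors > 0 and survivors >= quorum * total


def rotate_member(weights: dict, old: str, new: str, quorum: float) -> dict:
    """Recovery drill: the survivors vote to replace a lost wallet with a fresh one
    at the same weight. Raises if they could not reach quorum to do so."""
    if not can_recover(weights, [old], quorum):
        raise RuntimeError(f"survivors cannot reach quorum to replace {old}")
    rotated = {a: w for a, w in weights.items() if a != old}
    rotated[new] = weights[old]
    return rotated


# Constructed membership DAO: five members with voting weights summing to 100.
MEMBERS = {"alice": 40, "bob": 30, "carol": 10, "dave": 10, "erin": 10}

if __name__ == "__main__":
    print(lockout_set(MEMBERS, 0.5))    # ['alice', 'bob']: two lost keys lock the DAO
    print(lockout_set(MEMBERS, 0.7))    # ['alice']: a higher quorum buys less resilience
    print(rotate_member(MEMBERS, "alice", "alice_new", 0.5))
```

Run it against your real member list before launch; if the lockout set is one or two people who share an office, spread the voting share wider or lower the quorum.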

Legal Wrappers

Depending on where you live and the type of DAO or business you are operating, you may wish to explore legal wrappers.

As we are not lawyers, we cannot advise you on what structure is best for your use case. That said, we do think legal wrappers make sense for many types of DAOs, and we encourage DAO creators to research them.

We highly recommend consulting lawyers in your jurisdiction to figure out how best to protect yourself as well as the members of your DAO.
