The First Principles of Crypto Governance gives us a new perspective to think about crypto governance. But that doesn't mean it's all pessimism and unsolved problems. the DAOrayaki community has been focusing on DAO governance challenges for a long time, and we've found that the industry as a whole is starting to focus on scientific governance or on more specific governance issues. You can learn about governance attacks and solutions in crypto governance by checking out previous articles on daorayaki.org. In this post we will continue to think along crypto governance principles and how to rebuild the governance premium for DAOs.

Earlier this week, Luca Prosperi, fresh from the frustrating governance struggles of MakerDAO, laid out the governance trilemma in his recent blog post "First Principles of Crypto Governance". He argues that, basically, today's crypto protocols can achieve at most two of these goals.

A) Decentralization

b) solving complex problems

c) Incentives for good behavior

Luca Prosperi gives a few interesting points.

Success breeds complexity The DeFi protocol was originally designed to deal with simple problems encountered by small communities. As the community continues to grow in size, the problems it faces become more and more complex and must require increasingly more specialized knowledge to solve.

Complexity breeds asymmetric incentives As the community grows rapidly and the founders' wisdom rapidly dilutes toward a cryptographic mean, the complexity of the problems they face accelerates rapidly. At the same time, the ratio of complexity to average competence begins to appear as a death spiral

Asymmetric incentives breed bad behavior Asymmetric incentives breed bad behavior. In the face of growing rewards in the industry, fewer experts are engaging in good behavior and more are engaging in bad behavior. While many experts ignore bad incentives out of concern for long-term reputational gain or altruism, it is inevitable that protocol experts will engage in "malicious behavior" (engage in value destruction), meaning that a significant portion of that value can be pocketed by malicious actors.

In large crypto communities, the occurrence of "bad behavior" is unique and catastrophic. The softwareization of money, loss of community confidence, and lack of accountability for bad actors causes large crypto communities to disintegrate at "light speed" in the face of complex, escalating problems.

The full text of the First Principles of Crypto Governance can be found at the end of this article. But note that this doesn't mean it's all doom and gloom and unsolved problems

In terms of "focus on one thing and do it well", the role of simple protocols has withstood the volatility at TradFi. (Curve's stablecoin trading market, or the Aave/Compound hypercurrency market)

However, in the face of more complex problems, governance often breaks down, inspiring extreme malicious behavior by founders and others with extensive asymmetric knowledge. For example, Do Kwon extracted billions of dollars from the Terra protocol, and Rune Christensen attempted to extract $500 million from the DAI protocol through Monetalis, a related party controlled by Rune and cronies. In the former case, it would have ended disastrously (and the extent of that disastrousness may have been much worse than Kwon himself expected). In the latter case, the "focused" vigilance of Luca Prosperi and a few other talented individuals saved MKR holders from a potential write-down of tens of millions of dollars in debt and a fate that could have happened to more than 99% of the agreement: a death spiral of loss of confidence leading to the liquidation or elimination of the agreement.

In addition, Luca missed the fifth source of incentive asymmetry that leads to bad behavior: the Dead weight effect of DAOs on core contributors.

Solving the Complexity Problem: TradFi vs. Crypto The face value of TradFi shares is much lower than the governance value received by crypto token holders.

Take Google for example. What exactly is the value of each share owned by a Google shareholder, and what is its value ......?

Owning shares of GOOGL does not entitle one to any cash flow or dividends from Google. This is because there is no governance (Larry Page and Sergey Brin have majority control through special founder shares). If Brin and Page spend billions of dollars on a high-priced acquisition or anything else with the most ephemeral relationship to the underlying business, you have no recourse whatsoever.

A GOOGL share is essentially an NFT, indicating that Google management will use your money responsibly and perhaps transfer some income back to you from their cash machine at some point in the future. While your rights to any underlying assets or cash flows are minimal at best, GOOGL shares are indeed worth $1.5 trillion in market value. Why is this?

A similar argument can be made for American Depositary Receipts (ADRs), which are claims by domestic shareholders on the earnings of companies in hostile countries, and which are highly valued by overseas investors. Why is this?

Cryptocurrencies lack incentives In the case of GOOGL, employees are paid in GOOGL stock. brin, Page and senior management are also granted GOOGL stock options. Outside investors know Page and Brin need to keep their employees happy to run a successful business. They also may have believed that if Brin and Page did something particularly heinous, the Google board could become a hostile entity, severely undermining the founders' ability to run the company.

The above scenario this does not exist in today's DAO - the incentives are aligned among all major stakeholders. the stakeholders of GOOGL (shareholders, senior management and employees) are all aligned through the NFT and protected by a board that has never had to contend with Google management.

In 99% of DAOs, alignment of stakeholder interests typically disappears after the initial high growth phase. The protocol explodes, tokens are generously awarded to founding members, and many founders move on to other things. The remaining founders soon find they are working for many absent token holders.

In a few DAOs, key producers had left and simplicity could save the day. curve never put the different parameters of its famous "xyk" liquidity model to a vote. It simply presented a complex idea in a yes/no vote, and the model has worked in countless edge cases and has remained as the Curve DAO was originally intended. As other stablecoin markets came and went, Curve flourished and remains the king of the stablecoin market to this day.

In another of the very few DAOs, the centralized/personal checks and balances insulate the protocol from the centralized flaws exploited by the central point of failure and the collusion of the "founder-level" self-weight (Maker). However, by definition, "white knights" are too rare to rely on.

In the vast majority of DAOs, because checks and balances fail, the founders will eventually abandon the holders at some point, and employees will either continue or leave as holders themselves, and when all the key producers leave, the protocol will inevitably die.

So the pressing question becomes: are the founders of the 99% of DAOs that fail just the bad guys? Or did an incentive drift in the incentive structure cause them to abandon their DAO?

I strongly suspect the latter. Most DAOs are not proof-of-work organizations, and they rapidly accumulate self-weight - "contributors" who contribute a minimum to token allocation. It is difficult for remote work organizations to regulate this self-weight. By the time "deadweight" was noticed as a serious problem, it was too late.

After a period of rapid growth, the major producers looked around and realized that their work was being ridiculed by more weak contributors. Their altruistic capitalism was despised and incentives were no longer aligned with the community. This is where the accelerated internal destruction begins.

This problem may be mitigated by a slowdown in the growth of the community at scale, which gives all key stakeholders more time to reassess the pace of other key stakeholders' contributions, reinvigorate their faith in the fundamental fairness of the system, and continue their efforts. However, encryption and slow growth never go well together.

Regulatory Self-Reliance: The Biggest Challenge for DAOs When you compare companies and DAOs, the company hierarchy is quite effective at organizing all levels to enforce a continuous contribution cadence - another key example of stakeholder incentive alignment.

DAOs fail to achieve this goal. I fear the next phase of DAO development will be a path of corporatization: more HR software, more github commit logging and managed stories, all in the name of more effective management. The same goes for the few consistent producers of cryptocurrencies, in order to move stakeholder incentives further toward creating sustainable value for all token holders.

Full text of first principles of crypto governance

Last month Dirt Roads discussed MakerDAO's recent governance cycle. The report concludes with three open questions:

Based on existing governance mechanisms and token allocations, do we trust Maker's resistance to censorship? Do we believe Maker is a truly decentralized organization when a coherent group of people has enough votes to overrule so many institutional participants? Do we believe that Maker is structured to effectively handle use cases (and borrowers) that introduce a minimum level of complexity and opacity? These three questions can be boiled down to one: can the dominant governance framework for crypto protocols incentivize philanthropic behavior while handling complex tasks? The answer to this question, in my opinion, is no.

In Maker's case, as in many other crypto projects, governance tasks are uniformly assigned to holders of governance tokens ($MKR). More generally, holders of $MKR can vote on changes to the protocol - anyone can submit proposals. These proposals will be voted on according to a streamlined process.

Interestingly, the architects of the Maker governance framework were aware of the risk of malicious governance attacks, and to defend against such attacks, they constructed a governance security model that has the ability to delay the implementation of a particular proposal. This allows $MKR holders to gather enough consensus to call for an emergency shutdown, orderly unwinding the protocol itself in crisis.

The Optimistic Governance school, pioneered by Aragon and Optimism, channels this concept by assuming that all proposals are voted on unless challenged in court within a certain time frame. These efforts are commendable and remain valid in an environment where the outcome of every decision is obvious, measurable in advance, or has immediate impact. As DAO ambitions expand beyond the boundaries of solidification and clear definition, and toward complex tasks such as enhancing real-world credit through complex structures, it becomes clear that even an Optimism window of challenge is insufficient to defend against malicious attacks.

Irreducibility issues → Initially, most on-chain governance had to face very simple decisions: whether to whitelist ERC-20 tokens, add or subtract parameters, activate or deactivate oracle feeds. governance mechanisms evolved to meet this need, and blockchain technology allowed for a more granular separation of tasks. But ambition is a human trait, and protocols are gradually scaling to complex use cases rather than an ordered collection of atomic decisions:should we start financing real-world credit, how aggressive should our money management strategy be, how should we offset the impact of our liquidity pledge service on native chain stability, what role do we play in a complex DeFi stack, and so on. This scaling creates irreducibility issues that engineers may not yet fully understand. In modeling every possible case for decision making purposes, it is structurally impossible to stay extended. We need to learn to coexist with extreme cases that have unanticipated impacts. The impact of irreducibility can be catastrophic.

Two possible solutions → Existing solutions go in two directions: (i) making governance mechanisms better suited to deal with unmeasured uncertainty and conflicts of interest, and (ii) reducing uncertainty through atomization of tasks and responsibilities. While the second approach (decomposition, simplification, and solidification) is the goal we should pursue in the long run, uncertainty cannot be fundamentally eliminated, so developing decision frameworks that are more resistant to uncertainty is something we cannot avoid.

The rest of this article will be devoted to an initial formal discussion of the problem. When things get complicated, there is value in developing a simplified version of reality. The idea is to use such a framework to understand the key factors at play, and to try to design a mechanism that mitigates pernicious influences while encouraging benign ones.

The Game of Optimistic Governance Game theory and economic behavior theory, pioneered by John Von Neumann and Oskar Morgenstern and based on the mathematical rigor of modern economics, have been abused by the crypto field. These games are not game theory, but absurd mathematics. The set of equations described below is intended to provide what is happening, not the symbolic tools needed for a solution.

An Optimistic Governance Game (OGG) is first constructed. In the OGG, all those involved in the governance of the protocol are good people who intend to maximize the economic value generated by the protocol itself - an important specification. In this simplified game configuration, we assume that the participants/voters receive a proposal from outside and are able to adopt or reject it based on an arbitrary governance mechanism (i.e., voting function).

▵ The voting function V for proposal i inputs all the voting vectors of N participants. In the OGG, we can assume that each participant has one vote. The output of the voting function is either 0 (ding) or 1 (pass).

There are only two types of proposals:bona fide proposals and malicious proposals. A bona fide proposal has a positive effect on all voters and therefore on the protocol, while a malicious proposal gives a significant benefit to the proposer (located outside the set of voters), but at the cost of a potentially broken protocol.

The expected cost of the agreement being broken depends on the specified probability function and the value each voter assigns to the agreement V. For simplicity, we can assume that all well-intentioned proposals have the same payoff and that all voters assign the same value to the agreement - and that this value is much higher than the potential value of a single passed proposal. Since all voters have similar preferences and they are advocates outside the governing set, we can generalize the above function in terms of the agreement.

Unsurprisingly, we cannot say in advance whether a proposal is well-intentioned or malicious. We need to consider probabilities. We can rewrite the expected payoff function for a generalized proposal as follows.

The pernicious effects of a malicious proposal only become apparent after an indeterminate time delay. In other words, if the protocol is still intact by the end of the OGG, i.e., by time T, the best guess is that the governance did not pass the malicious proposal.

Finally, the protocol (i.e., the sum of all voters) is designed to maximize the following expected value function in the face of a vote for or against the broad first proposal. This objective is a hypothesis of the OGG considering that voters could theoretically be assigned very different objective functions.

Given the very simple structure of the OGG, most of the results are trivial. However, they are worth reflecting on :

Initiators have an incentive to go big - since a broken agreement would be devastating to the protocol, initiators have an incentive to make proposals to voters that also deliver high immediate benefits People's primary incentive is to look good → higher (perceived) density of goodwill simplifies voters' decisions Illiquidity has a premium → delayed proposals, or better proposals with late outcomes, are more easily digested by the decision making process Value maximization is not survival maximization → strategies that are expected to maximize value may lead to a different optimal decision set than the agreed survival maximization Realistic Governance Games Reality, especially the reality of DAO, is much more complex than our OGG. For the sake of discussion, I would like to focus on a few key differences:

Voters can also be Initiators None: Whether the proposal is bona fide or malicious, there is a partial overlap between voters and initiators, so we will use the term participants, which includes both voters and initiators. Malicious proposals are highly beneficial to their initiators: the private (non-common) benefits of a malicious proposal may significantly outweigh the private impact of a broken agreement on its initiators Private and protocol perspectives are different: the private payoff function of an individual voter/initiator is very different from the payoff function of the protocol as a whole due to mismatches in diversity and investment periods In the Realistic Governance Game (RGG), we can rewrite the objective function as follows (now distinguishing between good and bad initiatives). We assume that there is no cost for either proposing or voting.

Good participant: a bona fide initiative with an objective function roughly similar to the generalized objective function in the OGG case.

However, as we have already implied, the damage to individual participants in RGGs is likely to be less severe given that (i) the investment period for individual participants in RGGs is likely to be different from that of the protocol - i.e., individual participants may still sell their voting rights and leave; and (ii) given damage sharing and portfolio diversification. These differences contribute to the risk tolerance of good participants; participants have an incentive to "take their chances" and make offers that are not negligibly dangerous to the agreement.

Bad participants: However, the case of bad participants is more interesting. A bad participant is one who consciously puts forward a malicious proposal, enjoys the private benefits of such a proposal, and consciously votes for it.

▵ A bad actor benefits not only from private expropriation but also from his exhaustive knowledge of the proposal risk - in this case, this is described by separating the error term ε from the underlying expectation β (there are good reasons to think that β is 0)

The incentive to deviate is much higher for a bad participant: (i) only potential losses (and not special gains) will be shared, and (ii) losses can be more easily avoided due to the higher visibility of malignant outcomes. Bad participants have a huge incentive to make malicious offers and lobby good participants to minimize the perceived damage of the agreement. In other words, everyone has a tremendous incentive to deviate and become a bad participant.

▵ We can simplify the equation to 0. The probability that the error term ε exceeds the threshold can be arbitrarily small, depending on the risk aversion of the participant

In this simplified representation, the motivation to deviate is positively correlated with the following factors:

Expropriability → the relative size of the private deviation benefit Reciprocity → community size, or total number of participants Uncertainty → perceived risk of encountering a malicious proposal Urgency → the probability of malicious effects Risk aversion → surprisingly, risk-averse motivation elicits a bad participant However, the system is not immutable. This means that more malicious actors will be attracted to large and uncertain communities. This may create a death spiral for communities without proper checks and balances.

Explore further

Both OGG and RGG are extremely simplified and bizarre mathematics. Nonetheless, they are a good start to force us to look beyond rhetorical personalization when designing coordination mechanisms.

Some protocols, including Maker, remain faithful to the "tyranny of the structureless" - h/t @Dermot_Oryordan, which is a defense of the purist approach in which centers of interest (token holders, borrowers $DAI holders, core unit members, delegates, minorities, agreements) formalization is resisted due to the benefits of decentralization. However, as Jo Freeman mentions in her article.

"Contrary to what we would like to believe, there are no unstructured groups. Any group of people, of whatever nature, coming together for any purpose at any time, will inevitably structure itself in some way. [...]

This means that the effort to create a structureless group is just as useful as the goal of an "objective" new story, a "value-free" social science, or a "free" economy, and just as deceptive. The idea becomes a smokescreen that allows the powerful or lucky to establish unquestionable hegemony over others."

There are also good examples of governance in cryptocurrencies. on June 10, @skozin published a proposal on Lido's forum to create a dual governance mechanism for liquidity pledge protocols LDO+stETH. Recognizing that the proxy problem exists and that the voters ($LDO holders) are not the ones suffering the damage - mainly the pledgees - the proponent proposes a set of ideas consistent with the framework we outlined in RGG above.

Reduce governance scope through entrenchment → reduce uncertainty Delaying the implementation of voted proposals → reducing urgency Introduce a veto/anti-veto system for $stETH → less reciprocity Implement (partial) vicious resource burning → less expropriability The proposal explicitly acknowledges that it is not possible to identify all potential vectors of attack or extreme cases in advance, and turns to an approach based on first principles that, while acknowledging the existence of a conflict of interest, would provoke an adversarial (and costly) governance debate. I recommend that anyone involved in designing governance principles review the proposal thoroughly. It is something that deserves a symbolic representation.

A dual system of governance is not the only viable path. Worth mentioning for deeper analysis are Pocket Network's stake-to-work mechanism, DXDdao's reputation-based voting, reputation and participation decay mechanism, and Ether's EIP-5114 soul binding. The space for research and design of governance mechanisms for uncertainty-intensive environments is as vast and fascinating as the related fields. We really cannot build anything complex on top of the fragile foundational layers of human interaction.

The First Principles of Crypto Governance gives us a new perspective to think about crypto governance. But that doesn't mean it's all pessimism and unsolved problems. the DAOrayaki community has been focusing on DAO governance challenges for a long time, and we've found that the industry as a whole is starting to focus on scientific governance or on more specific governance issues. You can learn about governance attacks and solutions in crypto governance by checking out previous articles on daorayaki.org. In this post we will continue to think along crypto governance principles and how to rebuild the governance premium for DAOs.

Earlier this week, Luca Prosperi, fresh from the frustrating governance struggles of MakerDAO, laid out the governance trilemma in his recent blog post "First Principles of Crypto Governance". He argues that, basically, today's crypto protocols can achieve at most two of these goals.

A) Decentralization

b) solving complex problems

c) Incentives for good behavior

Luca Prosperi gives a few interesting points.

Success breeds complexity The DeFi protocol was originally designed to deal with simple problems encountered by small communities. As the community continues to grow in size, the problems it faces become more and more complex and must require increasingly more specialized knowledge to solve.

Complexity breeds asymmetric incentives As the community grows rapidly and the founders' wisdom rapidly dilutes toward a cryptographic mean, the complexity of the problems they face accelerates rapidly. At the same time, the ratio of complexity to average competence begins to appear as a death spiral

Asymmetric incentives breed bad behavior Asymmetric incentives breed bad behavior. In the face of growing rewards in the industry, fewer experts are engaging in good behavior and more are engaging in bad behavior. While many experts ignore bad incentives out of concern for long-term reputational gain or altruism, it is inevitable that protocol experts will engage in "malicious behavior" (engage in value destruction), meaning that a significant portion of that value can be pocketed by malicious actors.

In large crypto communities, the occurrence of "bad behavior" is unique and catastrophic. The softwareization of money, loss of community confidence, and lack of accountability for bad actors causes large crypto communities to disintegrate at "light speed" in the face of complex, escalating problems.

The full text of the First Principles of Crypto Governance can be found at the end of this article. But note that this doesn't mean it's all doom and gloom and unsolved problems

In terms of "focus on one thing and do it well", the role of simple protocols has withstood the volatility at TradFi. (Curve's stablecoin trading market, or the Aave/Compound hypercurrency market)

However, in the face of more complex problems, governance often breaks down, inspiring extreme malicious behavior by founders and others with extensive asymmetric knowledge. For example, Do Kwon extracted billions of dollars from the Terra protocol, and Rune Christensen attempted to extract $500 million from the DAI protocol through Monetalis, a related party controlled by Rune and cronies. In the former case, it would have ended disastrously (and the extent of that disastrousness may have been much worse than Kwon himself expected). In the latter case, the "focused" vigilance of Luca Prosperi and a few other talented individuals saved MKR holders from a potential write-down of tens of millions of dollars in debt and a fate that could have happened to more than 99% of the agreement: a death spiral of loss of confidence leading to the liquidation or elimination of the agreement.

In addition, Luca missed the fifth source of incentive asymmetry that leads to bad behavior: the Dead weight effect of DAOs on core contributors.

Solving the Complexity Problem: TradFi vs. Crypto The face value of TradFi shares is much lower than the governance value received by crypto token holders.

Take Google for example. What exactly is the value of each share owned by a Google shareholder, and what is its value ......?

Owning shares of GOOGL does not entitle one to any cash flow or dividends from Google. This is because there is no governance (Larry Page and Sergey Brin have majority control through special founder shares). If Brin and Page spend billions of dollars on a high-priced acquisition or anything else with the most ephemeral relationship to the underlying business, you have no recourse whatsoever.

A GOOGL share is essentially an NFT, indicating that Google management will use your money responsibly and perhaps transfer some income back to you from their cash machine at some point in the future. While your rights to any underlying assets or cash flows are minimal at best, GOOGL shares are indeed worth $1.5 trillion in market value. Why is this?

A similar argument can be made for American Depositary Receipts (ADRs), which are claims by domestic shareholders on the earnings of companies in hostile countries, and which are highly valued by overseas investors. Why is this?

Cryptocurrencies lack incentives In the case of GOOGL, employees are paid in GOOGL stock. brin, Page and senior management are also granted GOOGL stock options. Outside investors know Page and Brin need to keep their employees happy to run a successful business. They also may have believed that if Brin and Page did something particularly heinous, the Google board could become a hostile entity, severely undermining the founders' ability to run the company.

The above scenario this does not exist in today's DAO - the incentives are aligned among all major stakeholders. the stakeholders of GOOGL (shareholders, senior management and employees) are all aligned through the NFT and protected by a board that has never had to contend with Google management.

In 99% of DAOs, alignment of stakeholder interests typically disappears after the initial high growth phase. The protocol explodes, tokens are generously awarded to founding members, and many founders move on to other things. The remaining founders soon find they are working for many absent token holders.

In a few DAOs, key producers had left and simplicity could save the day. curve never put the different parameters of its famous "xyk" liquidity model to a vote. It simply presented a complex idea in a yes/no vote, and the model has worked in countless edge cases and has remained as the Curve DAO was originally intended. As other stablecoin markets came and went, Curve flourished and remains the king of the stablecoin market to this day.

In another of the very few DAOs, the centralized/personal checks and balances insulate the protocol from the centralized flaws exploited by the central point of failure and the collusion of the "founder-level" self-weight (Maker). However, by definition, "white knights" are too rare to rely on.

In the vast majority of DAOs, because checks and balances fail, the founders will eventually abandon the holders at some point, and employees will either continue or leave as holders themselves, and when all the key producers leave, the protocol will inevitably die.

So the pressing question becomes: are the founders of the 99% of DAOs that fail just the bad guys? Or did an incentive drift in the incentive structure cause them to abandon their DAO?

I strongly suspect the latter. Most DAOs are not proof-of-work organizations, and they rapidly accumulate self-weight - "contributors" who contribute a minimum to token allocation. It is difficult for remote work organizations to regulate this self-weight. By the time "deadweight" was noticed as a serious problem, it was too late.

After a period of rapid growth, the major producers looked around and realized that their work was being ridiculed by more weak contributors. Their altruistic capitalism was despised and incentives were no longer aligned with the community. This is where the accelerated internal destruction begins.

This problem may be mitigated by a slowdown in the growth of the community at scale, which gives all key stakeholders more time to reassess the pace of other key stakeholders' contributions, reinvigorate their faith in the fundamental fairness of the system, and continue their efforts. However, encryption and slow growth never go well together.

Regulatory Self-Reliance: The Biggest Challenge for DAOs When you compare companies and DAOs, the company hierarchy is quite effective at organizing all levels to enforce a continuous contribution cadence - another key example of stakeholder incentive alignment.

DAOs fail to achieve this goal. I fear the next phase of DAO development will be a path of corporatization: more HR software, more github commit logging and managed stories, all in the name of more effective management. The same goes for the few consistent producers of cryptocurrencies, in order to move stakeholder incentives further toward creating sustainable value for all token holders.

Full text of first principles of crypto governance

Last month Dirt Roads discussed MakerDAO's recent governance cycle. The report concludes with three open questions:

Based on existing governance mechanisms and token allocations, do we trust Maker's resistance to censorship? Do we believe Maker is a truly decentralized organization when a coherent group of people has enough votes to overrule so many institutional participants? Do we believe that Maker is structured to effectively handle use cases (and borrowers) that introduce a minimum level of complexity and opacity? These three questions can be boiled down to one: can the dominant governance framework for crypto protocols incentivize philanthropic behavior while handling complex tasks? The answer to this question, in my opinion, is no.

In Maker's case, as in many other crypto projects, governance tasks are uniformly assigned to holders of governance tokens ($MKR). More generally, holders of $MKR can vote on changes to the protocol - anyone can submit proposals. These proposals will be voted on according to a streamlined process.

Interestingly, the architects of the Maker governance framework were aware of the risk of malicious governance attacks, and to defend against such attacks, they constructed a governance security model that has the ability to delay the implementation of a particular proposal. This allows $MKR holders to gather enough consensus to call for an emergency shutdown, orderly unwinding the protocol itself in crisis.

The Optimistic Governance school, pioneered by Aragon and Optimism, channels this concept by assuming that all proposals are voted on unless challenged in court within a certain time frame. These efforts are commendable and remain valid in an environment where the outcome of every decision is obvious, measurable in advance, or has immediate impact. As DAO ambitions expand beyond the boundaries of solidification and clear definition, and toward complex tasks such as enhancing real-world credit through complex structures, it becomes clear that even an Optimism window of challenge is insufficient to defend against malicious attacks.

Irreducibility issues → Initially, most on-chain governance had to face very simple decisions: whether to whitelist ERC-20 tokens, add or subtract parameters, activate or deactivate oracle feeds. governance mechanisms evolved to meet this need, and blockchain technology allowed for a more granular separation of tasks. But ambition is a human trait, and protocols are gradually scaling to complex use cases rather than an ordered collection of atomic decisions:should we start financing real-world credit, how aggressive should our money management strategy be, how should we offset the impact of our liquidity pledge service on native chain stability, what role do we play in a complex DeFi stack, and so on. This scaling creates irreducibility issues that engineers may not yet fully understand. In modeling every possible case for decision making purposes, it is structurally impossible to stay extended. We need to learn to coexist with extreme cases that have unanticipated impacts. The impact of irreducibility can be catastrophic.

Two possible solutions → Existing solutions go in two directions: (i) making governance mechanisms better suited to deal with unmeasured uncertainty and conflicts of interest, and (ii) reducing uncertainty through atomization of tasks and responsibilities. While the second approach (decomposition, simplification, and solidification) is the goal we should pursue in the long run, uncertainty cannot be fundamentally eliminated, so developing decision frameworks that are more resistant to uncertainty is something we cannot avoid.

The rest of this article will be devoted to an initial formal discussion of the problem. When things get complicated, there is value in developing a simplified version of reality. The idea is to use such a framework to understand the key factors at play, and to try to design a mechanism that mitigates pernicious influences while encouraging benign ones.

The Game of Optimistic Governance Game theory and economic behavior theory, pioneered by John Von Neumann and Oskar Morgenstern and based on the mathematical rigor of modern economics, have been abused by the crypto field. These games are not game theory, but absurd mathematics. The set of equations described below is intended to provide what is happening, not the symbolic tools needed for a solution.

An Optimistic Governance Game (OGG) is first constructed. In the OGG, all those involved in the governance of the protocol are good people who intend to maximize the economic value generated by the protocol itself - an important specification. In this simplified game configuration, we assume that the participants/voters receive a proposal from outside and are able to adopt or reject it based on an arbitrary governance mechanism (i.e., voting function).

▵ The voting function V for proposal i inputs all the voting vectors of N participants. In the OGG, we can assume that each participant has one vote. The output of the voting function is either 0 (ding) or 1 (pass).

There are only two types of proposals:bona fide proposals and malicious proposals. A bona fide proposal has a positive effect on all voters and therefore on the protocol, while a malicious proposal gives a significant benefit to the proposer (located outside the set of voters), but at the cost of a potentially broken protocol.

The expected cost of the agreement being broken depends on the specified probability function and the value each voter assigns to the agreement V. For simplicity, we can assume that all well-intentioned proposals have the same payoff and that all voters assign the same value to the agreement - and that this value is much higher than the potential value of a single passed proposal. Since all voters have similar preferences and they are advocates outside the governing set, we can generalize the above function in terms of the agreement.

Unsurprisingly, we cannot say in advance whether a proposal is well-intentioned or malicious. We need to consider probabilities. We can rewrite the expected payoff function for a generalized proposal as follows.

The pernicious effects of a malicious proposal only become apparent after an indeterminate time delay. In other words, if the protocol is still intact by the end of the OGG, i.e., by time T, the best guess is that the governance did not pass the malicious proposal.

Finally, the protocol (i.e., the sum of all voters) is designed to maximize the following expected value function in the face of a vote for or against the broad first proposal. This objective is a hypothesis of the OGG considering that voters could theoretically be assigned very different objective functions.

Given the very simple structure of the OGG, most of the results are trivial. However, they are worth reflecting on :

Initiators have an incentive to go big - since a broken agreement would be devastating to the protocol, initiators have an incentive to make proposals to voters that also deliver high immediate benefits People's primary incentive is to look good → higher (perceived) density of goodwill simplifies voters' decisions Illiquidity has a premium → delayed proposals, or better proposals with late outcomes, are more easily digested by the decision making process Value maximization is not survival maximization → strategies that are expected to maximize value may lead to a different optimal decision set than the agreed survival maximization Realistic Governance Games Reality, especially the reality of DAO, is much more complex than our OGG. For the sake of discussion, I would like to focus on a few key differences:

Voters can also be Initiators None: Whether the proposal is bona fide or malicious, there is a partial overlap between voters and initiators, so we will use the term participants, which includes both voters and initiators. Malicious proposals are highly beneficial to their initiators: the private (non-common) benefits of a malicious proposal may significantly outweigh the private impact of a broken agreement on its initiators Private and protocol perspectives are different: the private payoff function of an individual voter/initiator is very different from the payoff function of the protocol as a whole due to mismatches in diversity and investment periods In the Realistic Governance Game (RGG), we can rewrite the objective function as follows (now distinguishing between good and bad initiatives). We assume that there is no cost for either proposing or voting.

Good participant: a bona fide initiative with an objective function roughly similar to the generalized objective function in the OGG case.

However, as we have already implied, the damage to individual participants in RGGs is likely to be less severe given that (i) the investment period for individual participants in RGGs is likely to be different from that of the protocol - i.e., individual participants may still sell their voting rights and leave; and (ii) given damage sharing and portfolio diversification. These differences contribute to the risk tolerance of good participants; participants have an incentive to "take their chances" and make offers that are not negligibly dangerous to the agreement.

Bad participants: However, the case of bad participants is more interesting. A bad participant is one who consciously puts forward a malicious proposal, enjoys the private benefits of such a proposal, and consciously votes for it.

▵ A bad actor benefits not only from private expropriation but also from his exhaustive knowledge of the proposal risk - in this case, this is described by separating the error term ε from the underlying expectation β (there are good reasons to think that β is 0)

The incentive to deviate is much higher for a bad participant: (i) only potential losses (and not special gains) will be shared, and (ii) losses can be more easily avoided due to the higher visibility of malignant outcomes. Bad participants have a huge incentive to make malicious offers and lobby good participants to minimize the perceived damage of the agreement. In other words, everyone has a tremendous incentive to deviate and become a bad participant.

▵ We can simplify the equation to 0. The probability that the error term ε exceeds the threshold can be arbitrarily small, depending on the risk aversion of the participant

In this simplified representation, the motivation to deviate is positively correlated with the following factors:

Expropriability → the relative size of the private deviation benefit Reciprocity → community size, or total number of participants Uncertainty → perceived risk of encountering a malicious proposal Urgency → the probability of malicious effects Risk aversion → surprisingly, risk-averse motivation elicits a bad participant However, the system is not immutable. This means that more malicious actors will be attracted to large and uncertain communities. This may create a death spiral for communities without proper checks and balances.

Explore further

Both OGG and RGG are extremely simplified and bizarre mathematics. Nonetheless, they are a good start to force us to look beyond rhetorical personalization when designing coordination mechanisms.

Some protocols, including Maker, remain faithful to the "tyranny of the structureless" - h/t @Dermot_Oryordan, which is a defense of the purist approach in which centers of interest (token holders, borrowers $DAI holders, core unit members, delegates, minorities, agreements) formalization is resisted due to the benefits of decentralization. However, as Jo Freeman mentions in her article.

"Contrary to what we would like to believe, there are no unstructured groups. Any group of people, of whatever nature, coming together for any purpose at any time, will inevitably structure itself in some way. [...]

This means that the effort to create a structureless group is just as useful as the goal of an "objective" new story, a "value-free" social science, or a "free" economy, and just as deceptive. The idea becomes a smokescreen that allows the powerful or lucky to establish unquestionable hegemony over others."

There are also good examples of governance in cryptocurrencies. on June 10, @skozin published a proposal on Lido's forum to create a dual governance mechanism for liquidity pledge protocols LDO+stETH. Recognizing that the proxy problem exists and that the voters ($LDO holders) are not the ones suffering the damage - mainly the pledgees - the proponent proposes a set of ideas consistent with the framework we outlined in RGG above.

Reduce governance scope through entrenchment → reduce uncertainty Delaying the implementation of voted proposals → reducing urgency Introduce a veto/anti-veto system for $stETH → less reciprocity Implement (partial) vicious resource burning → less expropriability The proposal explicitly acknowledges that it is not possible to identify all potential vectors of attack or extreme cases in advance, and turns to an approach based on first principles that, while acknowledging the existence of a conflict of interest, would provoke an adversarial (and costly) governance debate. I recommend that anyone involved in designing governance principles review the proposal thoroughly. It is something that deserves a symbolic representation.

A dual system of governance is not the only viable path. Worth mentioning for deeper analysis are Pocket Network's stake-to-work mechanism, DXDdao's reputation-based voting, reputation and participation decay mechanism, and Ether's EIP-5114 soul binding. The space for research and design of governance mechanisms for uncertainty-intensive environments is as vast and fascinating as the related fields. We really cannot build anything complex on top of the fragile foundational layers of human interaction.