DeFi Governance Explained

Token voting, delegation, timelocks. How DeFi protocols make decisions on-chain.

Intermediate • 15 min read

🎯 What You'll Learn

Understand governance token mechanics
Learn about proposal and voting processes
Identify governance attack vectors
Design safer governance systems

📚 Prerequisites

Before this lesson, you should understand:

What Is DeFi? Complete Guide

Why Governance Matters

DeFi protocols need to evolve: fix bugs, add features, adjust parameters. But who decides?

Traditional: Company board decides
DeFi: Token holders vote

Governance tokens give holders the power to propose and vote on protocol changes.

What You’ll Learn

By the end of this lesson, you’ll understand:

Governance mechanics - Voting power, quorum, timelock
Common governance frameworks - Governor, Compound, Snapshot
Attack vectors - Vote buying, flash loans, plutocracy
Design patterns - Safer governance

The Foundation: Governance Token Basics

Concept	Meaning
Voting Power	Usually 1 token = 1 vote
Delegation	Assign your votes to someone else
Quorum	Minimum votes needed to pass
Timelock	Delay before execution
Proposal Threshold	Tokens needed to create proposal

The “Aha!” Moment

Here’s the governance paradox:

Low participation is both a feature and a risk. Most token holders don’t vote, which makes governance efficient (no gridlock). But it also means a small minority (or a flash loan) can pass malicious proposals if defenders are asleep.

Apathy is the enemy of secure governance.

Governance Process

Typical flow:

Proposal Created → Voting Period (3-7 days) → Timelock Queue (2+ days) → Executed

// OpenZeppelin Governor example
function propose(
    address[] memory targets,
    uint256[] memory values,
    bytes[] memory calldatas,
    string memory description
) public returns (uint256 proposalId) {
    require(getVotes(msg.sender) >= proposalThreshold(), "Below threshold");
    // Create proposal...
}

function castVote(uint256 proposalId, uint8 support) public {
    // 0 = Against, 1 = For, 2 = Abstain
}

Common Governance Frameworks

On-Chain: OpenZeppelin Governor

Full on-chain voting and execution
Immutable, transparent
Used by: Uniswap, Compound
Cost: High gas for voting

Off-Chain: Snapshot

Gasless voting (signatures only)
Execution requires multisig
Used by: Most smaller DAOs
Cost: Free to vote

Hybrid

Snapshot for signaling
On-chain for final execution
Best of both worlds

Governance Attacks

1. Flash Loan Voting

// Attacker
1. Flash loan 1M tokens
2. Delegate to self
3. Vote on malicious proposal
4. Return tokens in same tx

// Defense: Voting power checkpointed at block N-1
// (You must hold tokens BEFORE proposal)

2. Vote Buying

Bribe contract:
"Vote YES, I pay you $100 per token"

Dark forest:
Private deals to buy votes off-chain

3. Governance Sniping

Wait for low participation period (holidays)
Submit and pass proposal with minimal votes
Defenders don't notice until too late

Common Misconceptions

Myth: “Timelocks make governance secure.”
Reality: Timelocks only help if someone is watching. If no one notices a malicious proposal during the 2-day delay, it still executes.

Myth: “Token voting is democratic.”
Reality: 1 token = 1 vote means whales dominate. Top 10 holders often control >50% of votes. It’s plutocracy, not democracy.

Myth: “On-chain governance is always better.”
Reality: On-chain governance is transparent but expensive. For minor decisions, off-chain governance (with multisig execution) is more practical.

Security Best Practices

1. Timelock + Guardian

// Governor with emergency pause
modifier onlyGuardianOrTimelock() {
    require(
        msg.sender == guardian || msg.sender == timelock,
        "Unauthorized"
    );
    _;
}

function emergencyPause() external onlyGuardian {
    // Stop protocol immediately
    // Governance can unpause later
}

2. Quorum + Voter Thresholds

// Require meaningful participation
uint256 public proposalThreshold = 100000e18; // 100K tokens to propose
uint256 public quorumNumerator = 4;           // 4% of supply must vote

3. Voting Delay

// Delay between proposal and voting start
function votingDelay() public pure returns (uint256) {
    return 1 days;  // Time for community to discuss
}

Comparison Table

Feature	Governor	Compound	Snapshot
Chain	On-chain	On-chain	Off-chain
Cost	High	High	Free
Execution	Automatic	Automatic	Multisig
Flexibility	High	Medium	High

Practice Exercises

Exercise 1: Analyze a DAO

Pick a DAO (Uniswap, Aave, Compound)
Find:
1. Proposal threshold (tokens needed)
2. Voting period
3. Quorum
4. Top 5 holders' voting power %

Exercise 2: Attack Scenario

Total supply: 1M tokens
Quorum: 4% (40K tokens)
Proposal threshold: 10K tokens
Largest holder: 50K tokens

Can largest holder pass any proposal alone?
What's the defense?

Key Takeaways

Governance tokens = voting power - Usually 1:1
Timelocks protect against instant attacks - But need watchers
Low participation = vulnerability - Encourage delegation
Plutocracy is the default - Consider alternative designs

What’s Next?

🎯 Continue learning: DeFi Risk Management

🔬 Expert content: DAO Security

Now you understand how DeFi protocols make decisions. 🗳️

Questions about this lesson? Working on related infrastructure?

Let's discuss