Vitalik: Token voting should not be the only legitimate form of decentralized governance

Author: Vitalik Buterin

Compiled by: Hu Tao

An increasing number of projects are adopting decentralized governance mechanisms based on token voting, but at the same time, many issues have been exposed, such as small holders lacking the incentive to participate in governance, governance being limited to token holders while ignoring other roles, and the ease of bribery and malicious exploitation.

Vitalik Buterin, the founder of Ethereum, proposed in an article published today that token voting should not be the only legitimate form of decentralized governance and presented four corresponding solutions.

Over the past year, an important trend in the blockchain space has been the shift from a focus on DeFi to also considering decentralized governance (DeGov). While 2020 was widely hailed as the year of DeFi, since then, the complexity and capabilities of DeFi projects constituting this trend have been continuously growing, leading to an increasing interest in decentralized governance to address this complexity. There are many examples within Ethereum, with YFI, Compound, Synthetix, Uniswap, Gitcoin, and others already launching or even beginning to use some form of DAO.

It is undeniable that some form of decentralized governance is becoming increasingly popular, and there are significant reasons for this interest. However, it is also important to understand the risks associated with such plans, as the malicious takeover of Steem and the subsequent massive outflow to Hive clearly illustrate this.

In some cases, decentralized governance is both necessary and dangerous, and I will outline the reasons in this article. How can we gain the benefits of DeGov while minimizing risks? I will argue that a key part of the answer is that we need to move beyond the existing forms of token voting.

1. DeGov is Necessary

Since the release of the "Declaration of the Independence of Cyberspace" in 1996, there has been a key unresolved contradiction within the so-called cypherpunk ideology. On one hand, cypherpunk values are all about minimizing coercion through the use of cryptography and maximizing the efficiency and coverage of the then-mainly non-coercive coordination mechanisms: private property and markets.

On the other hand, the economic logic of private property and markets is optimized for activities that can be "disaggregated" into repeated one-on-one interactions, while the information circles that produce and consume art, documents, science, and code through irreducible one-to-many interactions are exactly the opposite.

This environment presents two inherent key problems that need to be addressed:

• Funding public goods: How to fund projects that are valuable to a broad and non-selective audience within the community (e.g., Layer 1 and Layer 2 protocol research, client development, documentation…) but typically lack a business model?

• Protocol maintenance and upgrades: How to upgrade protocols, regularly maintain and adjust the long-term unstable parts of the protocol (e.g., security asset lists, price oracle sources, multi-party computation key holders), and reach consensus?

Early blockchain projects largely ignored these two challenges, pretending that the only important public good was network security, which could be achieved through a permanently fixed single algorithm and paid for with fixed proof-of-work rewards.

This situation in funding was initially possible because Bitcoin's price experienced extreme surges from 2010 to 2013, followed by the ICO boom from 2014 to 2017, along with the second cryptocurrency bubble that occurred during the same period, all of which made the ecosystem wealthy enough to temporarily mask the inefficiencies of large-scale markets.

Long-term governance of public resources was also similarly neglected: Bitcoin took an extremely minimalistic path, focusing on providing a fixed supply currency and ensuring support for second-layer payment systems like the Lightning Network. Ethereum continued to develop harmoniously overall, as its previously existing roadmap had strong legitimacy, and there were no complex application layer projects that required more.

But now, this luck is increasingly running out, and the challenges of coordinating protocol maintenance and upgrades, as well as funding documentation and research, have come to the forefront while avoiding centralization risks.

2. DeGov Needs to Fund Public Goods

It is necessary to take a step back and look at the absurdity of the current situation. The daily mining issuance reward from Ethereum is about 13,500 ETH, which is approximately 40 million dollars per day. Transaction fees are similarly high, with the non-EIP-1559 burning portion still around 1,500 ETH (approximately 4.5 million dollars) per day. Therefore, billions of dollars are spent annually on network security.

So, what is the budget of the Ethereum Foundation? About 30 to 60 million dollars per year. There are non-Ethereum Foundation participants (like Consensys) contributing to development, but their scale is not large. The situation is similar for Bitcoin, where funding for non-security public goods may be even less.

This is the situation in the chart:

In the Ethereum ecosystem, this disparity can be shown to be insignificant. Tens of millions of dollars "suffice" for the necessary research and development, and adding more funding does not necessarily improve the situation, so establishing developer funding within the protocol poses risks that outweigh the benefits for platform credibility and neutrality. However, in many smaller ecosystems, whether within Ethereum or completely independent blockchains like BCH and Zcash, the same arguments are brewing, where imbalances can make a significant difference at these smaller scales.

Now, entering the DAO space. Projects launched as pure DAOs from day one can achieve a combination of two attributes that were previously impossible to combine: (i) ample developer funding, and (ii) reliable funding neutrality (the coveted "fair distribution").

Of course, it is difficult to achieve completely fair distribution; the unfairness brought about by information asymmetry is often worse than that caused by public pre-mining (consider that by the end of 2010, a quarter of Bitcoin's supply had already been distributed, and almost no one had the opportunity to hear about it—was Bitcoin really a fair distribution?). Nevertheless, from day one, providing compensation for public goods within the protocol seems to be an important step towards obtaining sufficient and more credible neutral developer funding.

3. DeGov Needs to Conduct Protocol Maintenance and Upgrades

In addition to funding public goods, another equally important governance issue is protocol maintenance and upgrades. While I advocate minimizing all non-automated parameter adjustments (see the "Limited Governance" section below) and I am a fan of RAI's "non-governance" strategy, sometimes governance is unavoidable.

Price oracle inputs must come from somewhere, and sometimes that somewhere needs to change. Improvements must be coordinated in some way before the protocol "solidifies" into its final form.

What happens if the dollar collapses, and RAI has to scramble to create and maintain its own decentralized CPI index to keep its stablecoin stable and relevant? Here, DeGov is also necessary, so completely avoiding it is not a viable solution.

An important distinction is whether off-chain governance is feasible. For a long time, I have been a fan of supporting off-chain governance as much as possible. In fact, for the underlying blockchain, off-chain governance is absolutely possible. However, for application layer projects, especially DeFi projects, we encounter the problem that application layer smart contract systems often directly control external assets, and this control cannot be forked.

If Tezos's on-chain governance is captured by an attacker, the community can hard fork without incurring significant losses. If MakerDAO's on-chain governance is captured by an attacker, the community can certainly start a new MakerDAO, but they will lose all ETH and other assets in existing MakerDAO CDPs.

Therefore, while off-chain governance is a good solution for base layers and some application layer projects, many application layer projects, especially DeFi, inevitably require some form of formal on-chain governance.

4. DeGov is Dangerous

However, all current instances of decentralized governance come with significant risks. This discussion is not new for followers of my articles.

I am concerned that token voting has two main types of problems: (i) inequality and incentive imbalance exist even without attackers, and (ii) thorough attacks through various forms (often obfuscated) of vote buying. For the former, many proposed mitigations already exist (e.g., delegated voting), and more will come. But the latter is the more dangerous elephant in the room, and I believe there is no solution within the current token voting paradigm.

Even without explicit attackers, the problems of token voting are increasingly easy to understand and can be categorized into several types:

• A small group of wealthy participants is better at successfully executing decisions than a large group of small holders. This is due to the tragedy of the commons for small holders: each small holder's impact on the outcome is negligible, so they have little incentive to not be lazy and actually vote. Even if there are rewards for voting, there is little motivation to research and carefully consider the purpose of their votes.

• Token voting governance empowers token holders at the expense of other parts of the community: the protocol community consists of different constituencies with many different values, visions, and goals. However, token voting only empowers one constituency (token holders, especially the wealthy) and leads to an overestimation of goals that drive up token prices, even if this involves harmful rent-seeking behavior.

• Conflicts of interest: Granting voting rights to one constituency (token holders), especially over-empowering wealthy participants within that constituency, risks excessive exposure to conflicts of interest within that specific elite (e.g., investment funds or holders that also hold tokens from other DeFi platforms interacting with the relevant platform).

One main type of strategy is attempting to address the first problem (and thus also mitigate the third problem): delegated voting. Small holders do not have to personally judge every decision; instead, they can delegate to community members they trust. This is a noble and valuable experiment; we will see how effectively delegated voting can alleviate this issue.

Vitalik's Gitcoin page

On the other hand, the problem of token holder centralization is more challenging: token holder centralization is inherently embedded in a system where token holder voting is the only input. The mistaken belief that token holder centralization is an established goal rather than a flaw has caused confusion and harm. An article discussing blockchain public goods complained:

If ownership is concentrated in the hands of a few whales, can crypto protocols be considered public goods? In layman's terms, these market primitives are sometimes described as "public infrastructure," but if blockchains today serve the "public," it is primarily a form of decentralized finance. Fundamentally, these token holders have only one common concern: price.

This complaint is misguided. Blockchains serve a richer and broader public than just DeFi token holders. However, our token-driven governance system completely fails to capture this, and it seems difficult to establish a governance system that can capture this richness without a more fundamental change in the paradigm.

5. The Deep Fundamental Flaw of Token Voting: Vote Buying

Once attackers attempting to subvert the system enter the picture, the problems worsen. The fundamental flaw of token voting is easy to understand. Tokens in protocols with token voting bundle two rights into a single asset: (i) some economic interest in the protocol's revenue and (ii) the right to participate in governance. This combination is intentional: the goal is to align power and responsibility. But in practice, these two rights can easily be separated.

Imagine a simple wrapping contract with these rules: if you deposit 1 XYZ into the contract, you receive 1 WXYZ. WXYZ can be converted back to XYZ at any time, and it also generates dividends. Where do the dividends come from? Well, while the XYZ tokens are in the wrapper contract, the wrapper contract can use them in governance (proposing, voting on proposals, etc.) at will. The wrapper contract simply auctions off this right daily and distributes the profits to the original depositors.

As a holder of XYZ, is it in your interest to deposit tokens into the contract? If you are a very large holder, it might not be. You like the dividends, but you fear what a misaligned participant might do with the governance power you sold. But if you are a smaller holder, then it fits perfectly. If the governance rights auctioned off by the wrapper contract are bought by an attacker, you personally will only suffer a small portion of the bad governance decision costs caused by your tokens, but you will personally receive all the dividends from the governance rights auction. This situation is a classic tragedy of the commons.

Assume the decision made by the attacker harms the DAO, thereby benefiting the attacker. The harm caused by the successful decision to each participant is D, and the probability of a single vote swaying the outcome is P. Suppose the attacker bribes B, the game graph looks like this:

If B > D × P, you are inclined to accept the bribe, but as long as B < 1000 × D × P, accepting the bribe is collectively harmful. Therefore, if P < 1 (often far below 1), the attacker has the opportunity to bribe users into adopting negative network decisions, thus compensating each user less than the harm they suffer.

A natural criticism of the fear of voter bribery is: would voters really be so immoral as to accept such obvious bribes? Ordinary DAO token holders are enthusiasts who find it hard to feel satisfied with such selfish and blatant selling of the project. But this overlooks that there are more ambiguous ways to separate profit-sharing rights from governance rights without anything as explicit as a wrapper contract.

The simplest example is borrowing from DeFi lending platforms (like Compound). Those who already hold ETH can lock their ETH in a CDP (Collateralized Debt Position) on one of these platforms, and once they do, the CDP contract allows them to borrow an amount of XYZ equal to half the value of the ETH they deposited, and then they can do anything they want with this XYZ. To reclaim their ETH, they ultimately need to repay the XYZ they borrowed plus interest.

Note that throughout this process, the borrower has no financial exposure to XYZ. That is, if they vote using their XYZ to support governance decisions that harm XYZ's value, they do not lose a dime because of it. The XYZ they hold is XYZ, and they ultimately must repay it to the CDP, so they do not care whether its value goes up or down.

This achieves a disaggregation: the borrower has governance rights without economic interest, while the lender has economic interest without governance rights. Some DAO protocols are using techniques like time locks to limit people's ability to participate in such attacks, but ultimately time locks can be circumvented. In terms of security systems, time locks are more like paywalls on newspaper websites than locks and keys.

There are also centralized mechanisms that separate profit-sharing rights from governance rights. Most notably, when users deposit their tokens into a (centralized) exchange, the exchange fully holds these tokens and has the ability to vote with them.

This is not just theoretical. There is evidence that exchanges use users' tokens to vote in multiple DPoS systems. A recent notable example is the attempted hostile takeover of Steem, where exchanges used customers' tokens to vote in favor of some proposals that helped consolidate the acquisition of the Steem network, but most of the community strongly opposed it. This situation could only be resolved through a massive outflow, with a significant portion of the community moving to a different chain called Hive.

Currently, many blockchains and DAOs that adopt token voting have managed to avoid these attacks in their most severe forms. There are occasional signs of attempted bribery:

However, despite all these significant issues, simple economic reasoning suggests that direct bribery of voters is much less common, including through obfuscated forms like financial markets. A natural question to ask is: why have there not been more direct attacks?

My answer is that "why not yet" relies on three coincidental factors that are correct today but may become less so over time:

1) The community spirit comes from a closely-knit community where everyone feels camaraderie in a shared tribe and mission.

2) The wealth of token holders is highly concentrated and coordinated; large holders have a greater ability to influence outcomes and invest in long-term relationships with each other (both as venture capital's "old boys' club" and many other equally powerful but low-profile wealthy token holder groups), making them harder to bribe.

3) The financial markets for governance tokens are immature: ready-made tools for creating wrapped tokens exist in proof-of-concept form but are not widely used, bribery contracts exist but are similarly immature, and the liquidity in lending markets is low.

When a small group of coordinated users holds more than 50% of the tokens, and they and others are invested in a closely-knit community, and very few tokens are lent out at reasonable rates, all the above bribery attacks may remain theoretically possible.

But over time, regardless of what we do, (1) and (3) will inevitably become less true, and if we want DAOs to become fairer, then (2) must become less true. When these changes occur, will DAOs remain safe? If token voting cannot sustainably resist attacks, then what can?

6. Solution 1: Limited Governance

One possible mitigation for the above problems, which has already been attempted to varying degrees, is to limit what token-driven governance can do. There are several ways to achieve this:

1) Use on-chain governance only for applications, not for the base layer: Ethereum has already done this, as the protocol itself is governed through off-chain governance, while DAOs and other applications above it are sometimes (but not always) governed through on-chain governance.

2) Limit governance to fixed parameter choices: Uniswap does this, as it only allows governance to affect token distribution and the exchange's 0.05% fee. Another good example is RAI's "non-governance" roadmap, where governance can control fewer and fewer functions over time.

3) Add time delays: Governance decisions made at time T only take effect at, for example, T + 90 days. This allows users and applications who find the decision unacceptable to switch to another application (possibly a fork) before the governance decision takes effect. Compound has a time delay mechanism in its governance, but in principle, the delay can (and should) be longer.

4) Be more fork-friendly: Make it easier for users to quickly coordinate and execute forks. This reduces the rewards for capturing governance.

But limited governance itself is not an acceptable solution. The areas most in need of governance (such as funding allocation for public goods) are also the areas most vulnerable to attack. Public goods funds are easy to attack because attackers can profit from wrong decisions in a very direct way: they can attempt to push a wrong decision that sends funds to themselves. Therefore, we also need technology to improve governance itself…

7. Solution 2: Non-Token-Driven Governance

The second approach is to use forms of non-token-driven governance. But if tokens cannot determine an account's weight in governance, then what can? There are two natural choices:

1) Proof of Personhood Systems: A system that verifies that an account corresponds to a unique individual, so governance can allocate one vote per person. Some technical reviews are being developed here, with projects like ProofOfHumanity and BrightID attempting to achieve this.

2) Proof of Participation: A system that proves that an account corresponds to someone who has participated in a certain activity, passed some educational training, or done some useful work in the ecosystem. See POAP for how this can be achieved.

There are also hybrid possibilities: one example is quadratic voting, which makes the power of individual voters proportional to the square root of the economic resources they bring to the decision. Preventing people from gaming the system by allocating their resources to multiple identities requires proof of personhood, while the remaining financial component allows participants to credibly indicate their level of concern about a particular issue and their commitment to the ecosystem. Gitcoin quadratic funding is a form of quadratic voting, and quadratic voting DAOs are being built.

Proof of participation mechanisms are less well-known. The key challenge is that determining the level of participation itself requires a very robust governance structure. The simplest solution might be to guide the system with a carefully selected group of 10-100 early contributors, and then gradually decentralize over time as the standards for participation in the N+1 round are determined based on the selected participants in the N round. The possibility of forking helps provide a path to recover from governance derailment and provides an incentive.

Both proof of personhood and proof of participation require some form of anti-collusion to ensure that non-monetary resources used to measure voting rights remain non-financial resources, rather than ultimately entering smart contracts to sell governance rights to the highest bidder.

8. Solution 3: Skin in the Game

The third approach is to break the tragedy of the commons by changing the rules of voting itself. Token voting fails because while voters are collectively responsible for their decisions (if everyone votes for a bad decision, everyone's tokens will drop to zero), each voter is not individually responsible (if a bad decision occurs, those who supported it do not suffer more than those who did not). Can we establish a voting system that changes this dynamic, making voters personally responsible for their decisions, rather than just collectively?

If forks are completed in a fork-friendly manner, as Hive forked from Steem, fork-friendliness can be seen as a game strategy. If a destructive governance decision succeeds and is no longer opposed within the protocol, users can choose to fork. Moreover, in that fork, tokens that voted in support of the wrong decision can be destroyed.

This sounds harsh and may even feel like a violation of an implicit norm that the "immutability of distributed ledgers" should remain sacred and inviolable when forking tokens. But from a different perspective, this idea seems more reasonable. We maintain the idea of a strong firewall, where individual token balances are not expected to be violated, but only apply this protection to tokens that do not participate in governance. If you participate in governance, even indirectly by putting tokens into a wrapping mechanism, then you may be held accountable for the costs of your actions.

This creates personal accountability: if an attack occurs and your tokens vote in support of that attack, then your tokens will be destroyed. If your tokens did not vote in support of the attack, then your tokens are safe.

Accountability propagates upward: if you put tokens into a wrapper contract, and the wrapper contract votes in support of an attack, the balance of the wrapper contract will be cleared, and you will lose your tokens. If an attacker borrows XYZ from a DeFi lending platform, anyone who lent XYZ will fail when the platform forks (note that this makes lending governance tokens generally very risky; this is the expected outcome).

But the above only applies to preventing truly extreme decisions. What about small-scale heists? Unfairly benefiting attackers manipulating governance is economically viable, but not severe enough to cause catastrophic damage? What about simple laziness in the absence of any attackers, and the fact that token governance lacks the pressure to support higher-quality opinions?

The most popular solution to such problems is futarchy, introduced by Robin Hanson in the early 2000s. Voting becomes betting: voting in favor of a proposal means you are betting that the proposal will lead to good outcomes, while voting against it means you are betting that it will lead to bad outcomes. The reason futarchy introduces personal accountability is clear: if you bet well, you will get more tokens; if you bet poorly, you will lose your tokens.

It turns out that "pure" futarchy is difficult to introduce because, in practice, defining the objective function is challenging (people want more than just token prices!), but various hybrid forms of futarchy may be effective. Examples of hybrid futarchy include:

1) Voting as a Purchase Order: Voting in favor of a proposal requires creating an executable purchase order to buy additional tokens at a price slightly below the current token price. This ensures that if a bad decision succeeds, those who supported it may be forced to buy out their opponents, but it also ensures that in more "normal" decisions, token holders can make more decisions based on non-price criteria if they wish.

2) Retrospective Public Goods Funding: Refer to the Optimism team's post. Public goods are funded retrospectively through some voting mechanism after they have already achieved results. Users can purchase project tokens to fund their projects while indicating their confidence in them. If the project is deemed to have achieved its expected goals, the purchasers of the project tokens will receive a reward.

3) Upgrade Games: See Augur and Kleros. The value of lower-level decisions is consistently incentivized by the possibility of appealing to higher-level processes that require more effort but yield higher accuracy. Voters who agree with the final decision will receive rewards.

In the latter two cases, hybrid futarchy relies on some form of non-futarchy governance to measure the objective function or serve as a final layer of dispute resolution. However, this non-futarchy governance has several advantages that are not present when used directly: (i) it activates later, allowing access to more information, (ii) it is used less frequently, thus requiring less effort, and (iii) each use has greater consequences, making it easier to accept adjustments to the incentives of the final layer solely based on forks.

9. Hybrid Solutions

There are also some solutions that combine elements of the above techniques. Some possible examples include:

1) Time Delay plus Elected Expert Governance: This is a possible solution to the age-old dilemma of how to create a cryptocurrency-backed stable investment without risking governance being captured, where the locked funds can exceed the value of the tokens that yield profits.

Stablecoins use price oracles built from the median of values submitted by N elected providers (e.g., N=13), and token holders vote to select the providers, but they can only eliminate one provider per week. If users notice that token voting has brought in untrustworthy price providers, they have N/2 weeks to switch to a different price provider before the stablecoin transaction is interrupted.

2) Futarchy + Anti-Collusion = Reputation: Users vote with "reputation," a non-transferable token. If their decisions lead to the expected outcomes, users gain more reputation; if their decisions lead to undesirable outcomes, they lose reputation.

3) Loosely Coupled Token Voting: Token voting does not directly implement proposed changes but merely serves to publicly disclose its results, establishing legitimacy for off-chain governance to implement that change. This can provide the benefits of token voting while reducing risks, as if there is evidence that token voting was bribed or otherwise manipulated, the legitimacy of token voting will automatically decline.

But these are just a few possible examples. There is still much work to be done in researching and developing non-token-driven governance algorithms. The most important thing that can be done today is to rid ourselves of the idea that token voting is the only legitimate form of decentralized governance.

Token voting is appealing because it feels neutral: anyone can get some governance tokens on Uniswap. However, in practice, token voting may only seem safe today because its neutrality is flawed (i.e., most of the supply is held by a tightly coordinated group of insiders).

We should remain cautious of the idea that the current form of token voting is the "safe default." There is still much to observe about how they operate under greater economic pressures and in mature ecosystems and financial markets, and now is the time to begin experimenting with alternatives simultaneously.