Who Controls a DAO?

In honor of April Fools’ Day, I decided to write about a blockchain topic. The crypto economy is in the process of speedrunning its way from zero to a modern economy, and when you move that fast, a few things have to break along the way. One of those things is corporate governance.

Matt Levine’s “Money Stuff” is a financial newsletter that I can’t recommend enough. If you are at all interested in finance, stocks, and markets, it is a funny and informative read. One of the recurring topics of Money Stuff is “who controls a company?” Quoting a bit of the newsletter:

Who controls a company? It’s a question we talk about from time to time, and the shareholders, the board of directors, the chief executive officer, and whoever has the keys to the front door all have good arguments that they are really in control.

You wouldn’t expect this to be a problem for most companies, but it comes up a lot in disputes between the various parties who have ownership claims. CEOs go against the wishes of boards all the time–one notably refused to be fired and kept filing documents with the SEC as though he was still running the place–and Arm recently learned that “whoever has the keys to the front door” (or rather, the corporate seal) actually has a good ownership claim on Arm China.

The crypto version of this question is “who controls a Distributed Autonomous Organization (DAO)?” As with many other financial topics, adding a little bit of cryptography and a dose of “code is law” turns this problem up to 11, and a recent exploit against a DAO has started me thinking about the parallels.

What is a DAO?

For the uninitiated, a DAO is a little bit like the crypto version of a company. DAOs are organizations set up for a specific purpose whose membership (and associated voting power) is defined by ownership of a “governance token.” A governance token is like a normal cryptocurrency, but it comes with the ability to vote on proposals at the DAO. The founders of the DAO often hold large amounts of the governance token and are usually given management roles, which come with the ability to spend crypto tokens from the DAO’s wallet, ostensibly to make more money for the DAO. All of these rules are defined by a smart contract on a blockchain.

Generally, people interested in the purpose of the DAO fund the DAO by buying tokens, the same way interested parties buy shares in corporations. The founders are given some number of tokens, similar to founders of companies, and the remaining tokens are held by the DAO itself. Much like companies, which can issue shares, DAOs can also mint more governance tokens, but often need a vote to issue more than a certain cap.

Voting and proposals are generally set up such that any token holder can make proposals to the members of the DAO, and then all of the token holders get the chance to vote. For some DAOs, voting costs governance tokens, while other DAOs have free voting with voting power proportional to the number of governance tokens held by the voter. The latter case is similar to shareholder votes in companies.

Occasionally, DAOs give out some of their money (in the form of Ethereum or other coins) to holders of governance tokens, like a dividend, and other DAOs will offer to allow people to redeem their governance tokens for a fraction of the money held by the DAO, similar to a buyback.

DAOs have been used for many interesting things:

  • Tornado Cash is a DAO that runs an anonymizer for Ethereum.
  • Venture DAO provides crypto investment to other DAOs.
  • ConstitutionDAO was founded to buy a copy of the US constitution. When it lost a bidding war against hedge fund manager Ken Griffin, the managers started returning ~$40 million in crypto to token holders.

But with the good come the bad (and the dumb):

  • The first DAO, simply called “The DAO,” had a bug in its code that allowed a thief to walk away with $60 million (at the time) worth of Ethereum. This hack resulted in a hard fork of the Ethereum blockchain to reverse the transaction.
  • A DAO called “SpiceDAO” paid $3 million for a copy of a script of an early Dune movie thinking they could make the movie. They overpaid by a factor of 100, and they neglected to buy movie rights.

Pulling the Rug

“Rug pulls” are a fact of life for DAO investors. A rug pull happens when the founder of a DAO disappears from social media and exercises their power as a manager to steal all of the cryptocurrency from the DAO’s coffers, leaving it broke. This is usually accompanied by the DAO’s website, social media accounts, and discord server (all of which are usually controlled by the founder) being shut down. Rug pulls are so common that $2.8 billion of crypto tokens were rug pulled in 2021.

Moreover, rug pulls appear to be illegal, at least according to the US government who arrested Ethan Nguyen and Andre Llacuna for pulling one. The thesis used to justify this arrest appears to be based on fraud: Nguyen and Llacuna accepted money promising to build a game, and instead they tried to disappear with it. The two are charged with conspiracy to commit fraud and conspiracy to commit money laundering.

A rug pull can generally only be done by the people who started the DAO, lending some credence to the “manager primacy” theory. In a normal company, there is also a pesky little thing called “fiduciary duty”: the managers of a company ostensibly have a duty to act in the interest of shareholders. Looting a company’s assets is a pretty straightforward breach of fiduciary duty.

The Hostile Takeover of BUILD Finance

What if the person who pulls the rug isn’t the person who puts the rug there? What if they have made no promises at all? What if the token holders of the DAO have elected them to be the new manager in a legitimate election (after all, when code is law, no election can be illegitimate)? There is still the matter of fiduciary duty if you believe that DAOs and corporations should be governed by the same law, but at least there’s no fraud!

I usually stay away from crypto news, but there was a very interesting exploit of a DAO about a month and a half ago that caught my attention. BUILD Finance is a DAO that attempted to create a crypto investment fund that financed projects that use their token (also called BUILD). In February 2022, the BUILD Finance DAO was subject to a hostile takeover by a user going by “suho.eth,” who promptly drained the DAO’s accounts of all tokens, walking away with $500,000. BUILD Finance issued 130,000 tokens initially, and only 5,000 of them voted on the proposed change of manager: 5,000 in favor, and 0 opposed.

A few days before this exploit, suho.eth tried to play the same game with 2,000 BUILD tokens. Luckily for the DAO, an automated Discord bot was set up to notify users of votes, and one person voted against suho.eth on his first try. A few days later, suho.eth transferred some BUILD tokens to a new account and tried again. This time, the Discord bot broke and didn’t send out a notification of the election. Elections for BUILD Finance ran for 24 hours, and during the following day, nobody noticed that there was an open proposal. The Discord chat was silent, and nobody voted against the proposal. With less than 5% of the outstanding BUILD tokens voting, suho.eth was made the manager of BUILD Finance.

Some time later, the BUILD Finance twitter account, presumably run by the founders of the DAO, announced that they had been subject to a “hostile governance takeover,” including a step-by-step description of how the exploit occurred. The twitter thread included such things as:

Team members have made direct contact with the attacker but there seems to be no appetite for a dialogue, much less any reparations. 15/18

And:

We would welcome a discussion in the discord with community members about the way to move forward from this but it is difficult to see a future for BUILD with only its brand recognition and IP assets, and no liquid treasury. 16/18

From one perspective, it appears that the BUILD Finance DAO was hacked and ruthlessly stripped of its assets. Another perspective, however, is that the token holders elected new management and the new managers decided to fire the old employees, shut down operation, and spend the company cash on bonuses.

The top response to the tweet thread was:

You need to give this Twitter account over to the person who controls the DAO, you’re misrepresenting yourself on here by not doing so

It seems like many people prefer the second view. As of today, the BUILD Finance website is down, and it appears that the DAO has ceased operating. BUILD tokens are now worthless. The only thing protecting BUILD Finance from this outcome was a discord bot.

When we consider the sequence of events that happened to BUILD Finance, the step that is actually criminal under the fiduciary duty theory is the last step, spending the company cash on bonuses. The rest of the steps seem like a traditional hostile corporate takeover (I am not a lawyer and this is not legal advice).

What if the new management had instead decided to dissolve the DAO and return the assets to token holders? What if instead of taking all of the money, the new management had instead set up new voting rules and started operating the DAO in good faith? Then it would have been a hostile takeover. Whoever runs the DAO’s twitter account (and website) might not be so happy about this, but at that point, they wouldn’t really be able to claim that they are representatives of the DAO. They were the old management, and the token holders have replaced them. As with other corporate takeovers, the new management of the DAO could presumably claim a handsome bonus–perhaps 10% of the DAO’s assets–for their work.

Why Doesn’t This Happen with Companies?

A company has several safeguards against this sort of takeover. The first, as I already mentioned, is the law and the fiduciary duty requirement. It’s hard to use the law as a deterrent in countries that don’t extradite to your preferred venue.

The second safeguard is something that DAOs can actually implement: in a normal company, abstaining from a shareholder vote is counted as a vote in favor of things not changing. This logic could easily be built into smart contracts. Thus, a change of management would require 51% of the token holders to actively vote for the new manager. This sounds like vote rigging, but it has reasonable logic: most people who aren’t voting are passive shareholders who are happy with the status quo. Overcoming their implied preference should have a high bar.
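
The tally rule described above, as an added example (not code from BUILD Finance or from any DAO's contract): a small Python model that compares a votes-cast majority with no quorum, assumed here as the rule consistent with the reported outcome, against the supply-majority rule, using the article's figures. The class and function names are hypothetical, and a strict majority of the outstanding supply stands in for the 51% bar.

```python
from dataclasses import dataclass, field

TOTAL_SUPPLY = 130_000  # BUILD tokens initially issued, per the article

@dataclass
class Proposal:
    """Token-weighted vote, one ballot per address (a model, not BUILD's contract)."""
    description: str
    votes_for: int = 0
    votes_against: int = 0
    voters: set = field(default_factory=set)

    def cast(self, voter: str, weight: int, support: bool) -> None:
        if voter in self.voters:
            raise ValueError(f"{voter} has already voted")
        cast_so_far = self.votes_for + self.votes_against
        if weight <= 0 or cast_so_far + weight > TOTAL_SUPPLY:
            raise ValueError("vote weight must be positive and within supply")
        self.voters.add(voter)
        if support:
            self.votes_for += weight
        else:
            self.votes_against += weight

def turnout(p: Proposal) -> float:
    """Fraction of the outstanding supply that voted at all."""
    return (p.votes_for + p.votes_against) / TOTAL_SUPPLY

def passes_votes_cast(p: Proposal) -> bool:
    # Assumed weak rule: only ballots actually cast are counted, no quorum.
    return p.votes_for > p.votes_against

def passes_supply_majority(p: Proposal) -> bool:
    # Abstention counts for the status quo: "for" must exceed half of ALL tokens.
    return 2 * p.votes_for > TOTAL_SUPPLY

def replay_takeover() -> Proposal:
    # Constructed replay of the tally reported above: 5,000 in favor, 0 opposed.
    p = Proposal("replace manager")
    p.cast("proposer (placeholder address)", 5_000, support=True)
    return p

if __name__ == "__main__":
    p = replay_takeover()
    print(f"turnout {turnout(p):.1%}, votes-cast rule: {passes_votes_cast(p)}, "
          f"supply-majority rule: {passes_supply_majority(p)}")
```

Under the supply-majority rule the same proposal would have needed more than 65,000 tokens voting in favor, regardless of whether anyone noticed it was open.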

Companies also usually have specific voting windows (some DAOs do today), requiring proposals to be made during annual or quarterly shareholder meetings, and shareholder votes often run for weeks. In addition, there is a layer of indirection at typical companies. Shareholders don’t vote for managers, they vote for board members. The board then runs a private selection process for managers. Typically, only part of the board is up for election at any given time. Installing hostile management at a traditional company involves spending a year or more getting enough board members elected, then going through the process of a board vote to change the managers. It is a long and slow process, and it is hard to fly under the radar.

One final point is that voting on a proposal at a DAO is actually not free: you have to pay a gas fee to do anything on the blockchain, including voting on a DAO. Participating in shareholder votes is free, so a lot of shareholders generally do it.

Eventually, DAOs will likely discover similar rules to corporations, when they realize that they can’t avoid them. Some have adopted multi-signature wallets, which need approvals from multiple people to move the money, others have restricted voting windows, and more have eschewed decentralization and forced every proposal to get managerial approval before going to a vote. Personally, I think that the “abstention is a vote for the managers’ position” solution is an elegant balance–shareholders have some recourse against bad management, but only if a lot of them agree. Running every proposal through the managers doesn’t sound “decentralized” at all.

When crypto enthusiasts look at the long lists of arcane rules that govern the modern economy, it seems easy to do better. However, a lot of those rules were the result of learning from past economic hacks and exploits. Building your own system from the ground up, however fun it is, is usually a bad idea! I expect to see more DAOs learning the same lessons in the future. For now, though, my opinion of crypto topics will continue to be the following:

Have some fun in the economic sandbox, but be ready to lose your investment.
