DAO, where voting occurs only through Snapshot and execution through a multisig, risks centralization. How do you transition to full on-chain democracy without sacrificing security? We have developed dozens of such solutions over more than 5 years: from simple multisigs to platforms with veTokens and modular governance. Our experience shows that most DAO problems lie in the social layer, but without proper smart contract architecture, the social layer doesn't function. Let's break down on-chain architecture, common pitfalls in governance design, and specific configurations we use in production.
Governor Architecture on Solidity
OpenZeppelin Governor (OZ 5.x) is a modular framework: core logic + interchangeable modules for voting, counting, quorum, and timelock. Most production DAOs today use this or Governor Bravo (Compound).
The minimal configuration includes four modules: GovernorSettings sets votingDelay (7200 blocks ≈ 1 day), votingPeriod (50400 blocks ≈ 1 week), and proposalThreshold (e.g., 1000 tokens). GovernorCountingSimple handles FOR/AGAINST/ABSTAIN votes. GovernorVotes connects a token with delegation tracking (ERC20Votes). GovernorTimelockControl integrates a TimelockController for execution delay. Quorum is set via GovernorVotesQuorumFraction — typically 4% of total supply.
ERC20Votes: Voting Snapshots
ERC20Votes extends the standard ERC-20 by adding a _delegate mechanism and checkpoint history. Each transfer or delegation creates a checkpoint. When voting, the voting power at the proposalSnapshot block is used, not the current balance — this protects against purchasing tokens solely for voting.
// User must delegate to themselves (or another) to activate voting power
token.delegate(msg.sender);
// Voting power at snapshot time
uint256 power = token.getPastVotes(account, proposalSnapshot);
Important: tokens without delegation do not participate in voting. This often surprises new users. UX should remind users about delegation during first wallet interaction.
Proposal Lifecycle
- Preparation — create calldata via
abi.encodeWithSignature. - Creation — call
governor.propose(targets, values, calldatas, description). - Delay before voting —
votingDelay(usually 7200 blocks) fixes the snapshot. - Voting —
votingPeriod(50400 blocks). Participants vote FOR, AGAINST, or ABSTAIN. - Queue — if the proposal passes, it is placed in Timelock via
governor.queue. - Execution — after
timelockDelay, callgovernor.execute.
// Example: change protocol fee from 0.3% to 0.5%
address[] memory targets = new address[](1);
targets[0] = address(protocolFeeManager);
uint256[] memory values = new uint256[](1);
values[0] = 0;
bytes[] memory calldatas = new bytes[](1);
calldatas[0] = abi.encodeWithSignature("setFee(uint256)", 50); // 0.5% = 50 bps
governor.propose(targets, values, calldatas, "Increase protocol fee to 0.5%");
Why is Timelock Important?
TimelockController is a mandatory element of production DAOs. An approved proposal does not execute immediately: it is queued and executed after a delay (typically 2-7 days). This window allows the community to notice a potentially dangerous proposal and exit the protocol before execution.
TimelockController roles: PROPOSER (usually only the Governor contract), EXECUTOR (often address(0) — anyone), and CANCELLER (team multisig as a safety valve). Minimum delay is a safety parameter. 48 hours is the absolute minimum for a protocol with real funds; Compound and Aave use 2-7 days.
Example TimelockController Configuration
timelock = new TimelockController(
minDelay, // 172800 - 2 days
proposers, // array: address(governor)
executors, // array: address(0) - anyone
admin // team multisig (CANCELLER)
);
Treasury Management
DAOs typically manage a treasury — protocol reserves. The standard pattern: treasury is the TimelockController itself (it holds ETH and tokens), or a separate contract like Gnosis Safe with Governor as the sole owner. For small DAOs or early stages: Gnosis Safe with multisig + Zodiac SafeSnap module, which executes Snapshot.org votes on-chain. This is cheaper (gasless off-chain voting) and sufficient until enough active holders accumulate for on-chain governance. Transitioning from multisig to full on-chain governance is a separate milestone. Typical path: multisig (launch) → multisig + Snapshot (community growth) → full on-chain Governor (mature protocol).
A treasury 100% composed of native tokens is high risk. A bear market collapses runway. Production DAOs diversify: 20-30% USDC/DAI for operational needs, the rest native tokens. Diversification is done via a governance-approved proposal for a DEX swap or OTC deal.
How to Protect a DAO from Governance Attacks?
Flash Loan Attack
Attack: flash loan → gain temporary control over many tokens → delegate to yourself → create or push a proposal → repay loan. For proposal creation: proposalThreshold must be high enough. For voting: proposalSnapshot is fixed in the past, so a flash loan doesn't help (no delegation history exists in the current block). ERC20Votes is protected against flash loan attacks on voting precisely due to the checkpoint mechanism. Protection against flash loan attacks prevents potential losses ranging from $50,000 to $5,000,000. Vulnerability exists only on proposalThreshold if it is set too low.
Proposal Spam and DoS
Without a proposal creation threshold, the protocol gets flooded with garbage proposals. proposalThreshold (minimum tokens to create a proposal) is mandatory. Typical values: 0.1% - 1% of total supply.
Governance Takeover
If an attacker accumulates >50% voting power (or >quorum with low turnout), they can pass any proposal. Defenses: high quorum (4-10% of supply), Timelock with sufficient delay (7 days), Guardian multisig with CANCELLER role in TimelockController, GovernorPreventLateQuorum — extends the voting period if quorum is reached at the last moment (prevents last-minute whale swings).
Upgrades via DAO
Smart contracts are upgraded via DAO proposal + timelock. Upgradeability patterns: UUPS/Transparent Proxy with Governor as proxy owner — proposal calls upgradeTo(newImplementation). Timelock gives the community time to verify new code before activation. Alternative: modular architecture without proxy — each module is replaced via governance. Less risky than a full upgrade.
Delegation and Off-Chain Coordination
Most token holders do not vote directly. Compound introduced the delegate concept: token holders delegate voting power to known participants (researchers, core contributors, DAO specialists). A delegate profile is a Discourse/Mirror post with positions on key issues. Implemented via ERC20Votes.delegate(). Delegation does not transfer tokens — only voting power. Snapshot.org is gasless voting via message signing. Used for signal votes (temperature checks) not tied to on-chain actions. Typical two-step process: temperature check on Snapshot (gasless) → on-chain proposal with 60%+ support.
Comparison of Solutions: OZ Governor vs Governor Bravo vs Custom
| Feature | OpenZeppelin Governor | Governor Bravo (Compound) | Custom DAO |
|---|---|---|---|
| Modularity | High (interchangeable modules) | Medium (replaced via upgrade) | Any |
| Gas Efficiency | Medium (many delegatecalls) | Low (mostly on-chain) | Optimized |
| Feature Support | Timelock, votes, quorum fraction | Snapshot, delegated voting | Unlimited |
| Audited | Many production instances | Compound v2/v3 | Full audit required |
| Setup Complexity | Medium (30+ min) | Low (template) | High |
Estimated DAO Development Timelines
| Stage | Basic DAO | Custom Platform |
|---|---|---|
| Analysis and Design | 1-2 days | 1-2 weeks |
| Smart Contract Development | 2-3 weeks | 4-8 weeks |
| Integrations (Snapshot, Tally) | 1-2 weeks | 2-4 weeks |
| Audit | 2-3 weeks | 3-6 weeks |
| Deployment and Documentation | 1 week | 2-3 weeks |
Development cost depends on complexity: a security audit can range from $10,000 to $100,000 depending on code volume and required test coverage.
Our Work Process
- Analysis and Design — define governance model, voting types, treasury composition.
- Smart Contract Development — Governor, voting token, timelock, custom modules (staking, gauge, bribes). We use Solidity 0.8.x and Foundry for testing.
- Integrations — connect Snapshot, Tally, Boardroom, The Graph for indexing.
- Audit — internal review + external audit (contracts checked for reentrancy, oracle manipulation, flash loan).
- Deployment — mainnet deploy with Etherscan verification, Guardian multisig setup.
- Documentation and Training — user guides, trusted delegate descriptions, runbook for the team.
- Support — 30 days post-launch: monitoring, bug fixes, integration consulting.
What's Included
- Smart contract source code with full Foundry test coverage.
- Architectural, deployment, and usage documentation.
- Contracts deployed on mainnet (or testnet on request).
- Integration with Tally/Snapshot for off-chain voting.
- Internal and external audit results.
- 30 days of technical support post-launch.
Our team consists of senior developers with years of experience in Solidity and Rust. We have completed 20+ projects and dozens of audits. We guarantee transparency at every stage: all contracts are open source, audited by an independent firm, with post-update reviews. Contact us for a preliminary assessment of your project. Get a consultation on your DAO architecture — we'll estimate complexity and timeline.
According to OpenZeppelin Governor Documentation, Governor is the reference implementation for on-chain governance.
Development timelines: a basic DAO with OZ Governor and Timelock takes 2 to 3 weeks of development plus audit. A full-featured platform with custom modules takes 3 to 6 months. Pricing is determined individually after requirements analysis. Contact us for a preliminary assessment.







