Skip to content

DAOs, Governance & Cross-Chain Bridges

Every page in this part built a primitive — a token standard, an AMM, a lending market, a stablecoin, an oracle. Each one answered the same quiet question in a different way: where does the trust live? This page closes the part on the two seams where that answer is most fragile.

The first seam is governance: once a protocol is live and holds billions of dollars, who is allowed to change it? The answer, for most of DeFi, is a DAO — a decentralized autonomous organization — where changes are decided by token-weighted votes executed on-chain. The second seam is bridges: a token minted on Ethereum cannot natively exist on another chain, so how does value cross? Both seams reuse machinery you already understand — ERC-20 tokens, multisigs, the state-transition function — and both are where the word “trustless” most often turns out to be marketing. This page shows how each works, and exactly where each breaks.

Recall from the account model that a contract can hold funds and run code that no single human controls. A DAO takes that one step further: it makes the rules for changing a protocol themselves a contract. Instead of a company deciding to raise a lending market’s interest rate or a DEX’s fee, a proposal is submitted on-chain, token holders vote, and if it passes, the contract itself executes the change.

The crucial reuse is this: voting power is just an ERC-20 balance. A protocol issues a governance token — UNI, AAVE, COMP, MKR — and one token is (usually) one vote. There is no separate registry of “members.” The same balanceOf mapping that tracks who owns the token is the electorate. Your right to change the protocol is denominated in the same units as your stake in it.

a governance action is a full loop, all on-chain:
1. PROPOSE someone with enough tokens submits a proposal:
"call setInterestRate(0x…, 5%) on the lending contract"
2. VOTE token holders cast for / against / abstain,
weighted by their token balance (or delegated weight)
3. QUORUM did enough total voting weight participate?
│ yes, and more "for" than "against"
4. TIMELOCK the passed action is QUEUED, not run — a delay (e.g. 48h)
during which anyone can read exactly what will execute
5. EXECUTE after the delay, the Governor contract calls the target.
the protocol changes itself.

Nothing here is a metaphor. The proposal is literally an encoded call — a target address, a function selector, and arguments — that the governance contract will CALL if the vote passes. Governance is a smart contract whose job is to decide which other contract calls to make.

Each stage exists to defend against a specific failure. Understanding governance means understanding what each knob is for.

  • Proposal threshold. You usually need a minimum token balance (or delegated weight) to submit a proposal at all. Without it, anyone could spam the contract with garbage proposals and drown out real ones. The threshold is a spam filter priced in tokens.
  • Quorum. A proposal passes only if the total voting weight that participated exceeds some floor — say 4% of all tokens. Without a quorum, a proposal that three people voted on could rewrite a protocol holding billions. Quorum forces a minimum of legitimacy.
  • Voting period. Votes are open for a fixed window (often measured in blocks — a few days). Long enough that holders can notice and react; short enough that the protocol isn’t frozen for weeks.
  • Delegation. Most token holders never vote. Delegation lets you assign your voting weight to someone who does — a delegate who researches proposals and votes your tokens’ worth without ever custodying them. It concentrates attention without concentrating ownership.
  • Timelock. The single most important safety device. A passed proposal does not execute immediately; it is queued behind a delay. During that delay, everyone can read the exact call that is about to run. If it drains the treasury, users have a window to exit and the community has a window to react. The timelock turns a governance attack from an instant theft into a visible, contestable event.

Stripped to its essence, a governance contract is a proposal registry plus a vote tally plus an executor. The real thing (OpenZeppelin’s Governor, Compound’s GovernorBravo) has far more, but the shape is small:

struct Proposal {
address target; // contract to call if it passes
bytes callData; // the exact call, e.g. setInterestRate(...)
uint256 startBlock; // block at which voting weight is snapshotted
uint256 forVotes;
uint256 againstVotes;
uint256 deadline; // block number voting closes
uint256 queuedAt; // timestamp the passed proposal was queued
bool executed;
}
function castVote(uint256 id, bool support) external {
// voting weight = the voter's token balance at proposal creation,
// snapshotted so you can't vote, sell, rebuy, and vote again.
uint256 weight = token.getPastVotes(msg.sender, proposals[id].startBlock);
if (support) proposals[id].forVotes += weight;
else proposals[id].againstVotes += weight;
}
function execute(uint256 id) external {
Proposal storage p = proposals[id];
require(block.number > p.deadline, "voting open");
require(p.forVotes > p.againstVotes, "rejected");
require(p.forVotes >= quorum, "no quorum");
require(block.timestamp >= p.queuedAt + TIMELOCK,"timelocked");
p.executed = true;
(bool ok, ) = p.target.call(p.callData); // the protocol changes itself
require(ok, "execution failed");
}

The line token.getPastVotes(msg.sender, startBlock) is quietly load-bearing. Voting weight is read from a snapshot taken when the proposal was created, not the live balance. Without that snapshot, an attacker could vote, transfer the same tokens to a fresh address, and vote again — or, worse, borrow tokens for the exact block they vote. The snapshot is the first line of defense against the attacks below. It is not always enough.

The failure modes of token-weighted voting

Section titled “The failure modes of token-weighted voting”

Token-weighted governance is elegant and, on inspection, deeply uncomfortable. “One token, one vote” is not democracy — it is plutocracy by construction. Money is the franchise. Every failure mode below is a consequence of that one design choice.

  • Plutocracy. Whoever holds the most tokens decides. If a founding team, a VC fund, or a single whale holds a majority (or an effective majority given low turnout), the “decentralized” organization is a monarchy with extra steps. The token distribution is the political constitution.
  • Low turnout. Most token holders never vote. When quorum is 4% and turnout is 6%, a small, motivated, well-capitalized group decides for everyone. Apathy doesn’t spread power — it concentrates it, because the few who show up are the ones with the most at stake or the most to gain.
  • Vote-buying and bribery. Because votes are transferable tokens, a market for them naturally emerges. Protocols like “vote-incentive” markets let anyone pay delegates to vote a certain way. Sometimes this is legitimate coordination; sometimes it is a subsidy for capturing a treasury.
  • Governance attacks via borrowed votes. The sharpest edge. If voting weight is tokens, and tokens can be borrowed, then voting weight can be borrowed. An attacker doesn’t need to own a majority — they need to hold one for the moment of the vote.

This is the same atomicity that made flash-loan oracle manipulation possible, aimed at a different target. A flash loan lets anyone wield an enormous balance for exactly one transaction. If a governance contract counts live token balance as voting weight, an attacker can:

══════════════ ONE ATOMIC TRANSACTION ══════════════
1. FLASH-BORROW a huge amount of the governance token.
2. VOTE / EXECUTE push through a proposal that drains the treasury
or grants the attacker control.
3. REPAY the flash loan.
4. KEEP whatever the passed proposal handed over.
═════════════════════════════════════════════════════

This is exactly why the snapshot and the timelock exist. A proposal that reads voting weight from a past block defeats the borrow-and-vote-in-one-block move, because the attacker had no balance at the snapshot. And a timelock means that even a proposal that did pass cannot execute instantly — giving the community a window to notice and, if the protocol has an emergency guardian, cancel it. Governance safety is the story of moving the decisive moment away from any single, cheap, borrowable instant.

Bridges: why a token can’t leave its chain

Section titled “Bridges: why a token can’t leave its chain”

Now the second seam. You hold USDC on Ethereum and you want to use it on another chain — an L2 like Arbitrum, or an entirely separate chain. You cannot simply “send” it there. Understanding why not is the whole point.

A token is not a coin that physically moves. From the token standards page, a token balance is a row in a mapping inside one specific contract on one specific chain. Ethereum’s validators know nothing about any other chain’s state, and vice versa — each chain is a closed state machine that only agrees on its own history. There is no shared ledger between two chains, so there is no operation that decrements your balance on chain A and increments it on chain B atomically. The chains cannot see each other.

So a bridge cannot move a token. It can only do the next best thing: lock the real token on the source chain, and mint a stand-in on the destination chain that represents a claim on the locked original.

LOCK-AND-MINT (going from Ethereum → other chain)
Ethereum (source) Chain B (destination)
┌────────────────────┐ ┌────────────────────┐
│ you send 100 USDC │ │ │
│ into the BRIDGE │ bridge sees it │ bridge MINTS │
│ LOCK contract ────┼──────────────────►│ 100 "bridged │
│ (funds frozen here)│ & relays a msg │ USDC" to you │
└────────────────────┘ └────────────────────┘
real tokens IOU / claim token
held in escrow redeemable 1:1
BURN-AND-RELEASE (coming back, other chain → Ethereum)
Chain B Ethereum
┌────────────────────┐ ┌────────────────────┐
│ you BURN your 100 │ bridge sees the │ bridge UNLOCKS the │
│ bridged USDC ────┼──────────────────►│ 100 real USDC ─────┼─► you
│ (destroyed) │ burn & relays │ from escrow │
└────────────────────┘ └────────────────────┘

The symmetry is the invariant: for every stand-in token minted on the destination, exactly one real token is locked on the source. As long as that holds, the bridged token is fully backed and redeemable 1:1. The entire security of a bridge reduces to one question: can anyone mint a stand-in without a real token being locked, or unlock a real token without a stand-in being burned? If yes, the peg breaks and the escrow is drained.

Notice what “the bridge sees it” quietly requires. Chain B’s contract must be convinced that a lock really happened on Ethereum — but Chain B cannot read Ethereum’s state. Some off-chain actor has to attest to it. That attester is the entire trust model of the bridge, and it is the crack the exploits walk through.

A bridge is, by construction, a single pot of pooled collateral guarded by whatever mechanism decides when to mint and unlock. Every user’s locked funds sit in one escrow. And the decision to release them rests on an off-chain attestation — usually a multisig (a small set of keys, say 5-of-9, that must agree) or a validator set (a set of nodes running the bridge’s own consensus).

Stack those facts and the danger is stark:

  • The value at risk is the sum of everything ever bridged — often hundreds of millions or billions of dollars in one contract.
  • The thing protecting it is a handful of signing keys or a bespoke validator set — not Ethereum’s full economic security, but a much smaller, much cheaper-to-compromise trust set that the bridge team chose.
  • The attack surface is maximal: a bug in the message-verification code, a compromised set of keys, or a forged proof means someone can mint stand-ins (or unlock originals) without the matching lock or burn.

This is why bridges are, empirically, the single most exploited component in the entire ecosystem. They violate the throughline of this book in the most direct way possible: they take value secured by the full might of a chain’s consensus and re-secure it behind a much smaller trust assumption — a multisig or a validator set — while pooling everyone’s funds into one target. You have re-introduced exactly the trusted third party that the base layer spent enormous energy eliminating.

Tying the part together: where trust lives

Section titled “Tying the part together: where trust lives”

Step back across the whole part. Every primitive re-answered the same question — where does the trust live? — and each answer had a different failure mode:

  • A token (ERC-20/721/1155) puts trust in the issuing contract’s code and its admin keys.
  • An AMM puts trust in an invariant (x·y = k) and the depth of a pool — thin pools are cheap to move.
  • A lending market puts trust in over-collateralization and a liquidation mechanism that must fire in time.
  • A stablecoin puts trust in either collateral you can verify or an algorithm you must believe — and the algorithmic kind can spiral.
  • An oracle puts trust in the honesty and liveness of whoever reports the price.
  • Governance puts trust in a token distribution — and “one token, one vote” is plutocracy that a flash loan can briefly rent.
  • A bridge puts trust in a multisig or validator set guarding one pooled escrow — the smallest, richest target in the ecosystem.

The base layer of Ethereum spends real resources — staked ETH, finality, a global validator set — to make trust expensive to betray. Every primitive above it re-answers where trust lives, and every one of them, to be useful, accepts a trust assumption cheaper than the base layer’s. That is not a flaw to be shamed; it is the cost of building anything expressive. But it is exactly why governance and bridges are where the “trustless” story most often breaks: they are the two places where the softest trust assumption guards the largest pot of money. Read every new protocol the same way — not “is this trustless?” (nothing is), but “where, precisely, has this moved the trust, and what does it cost to betray it?”

Bridges and DAOs are two major technologies that both re-locate trust, so they earn a shared lens.

  • Why do they exist? DAOs exist because a live protocol holding billions still needs to change — parameters, upgrades, treasury spending — and no single company should hold that power over “decentralized” infrastructure. Bridges exist because each chain is a closed state machine that cannot see any other, so value that needs to be usable on more than one chain requires an explicit lock-and-mint mechanism to represent it elsewhere.
  • What problem do they solve? Governance turns “who is allowed to change this?” from an off-chain, trusted-team question into an on-chain, token-weighted, publicly-auditable process with proposals, quorum, and timelocks. Bridges turn “my token only exists on chain A” into “a claim on my token is usable on chain B,” unlocking cross-chain liquidity and multi-chain applications.
  • What are the trade-offs? Governance trades a trusted team for plutocracy, low turnout, vote-buying, and borrowable-vote attacks — you decentralize the process but the power still tracks the token distribution. Bridges trade a token’s chain-native security for a much smaller trust set (a multisig or validator set) guarding one pooled escrow — you gain interoperability and inherit the largest single-point-of-failure in the space.
  • When should I avoid them? Avoid token-weighted governance for decisions that must be fast, secret, or resistant to capital — a flash loan can rent a majority; use timelocks, snapshots, and guardians, or don’t put drainable power behind a live vote at all. Avoid bridging value you cannot afford to lose to a bespoke trust set; prefer canonical/native bridges with the narrowest trust assumptions, and never treat a bridged token as identical in risk to the original.
  • What breaks if I remove them? Remove governance and a protocol either ossifies (can never fix a bug or adjust a parameter) or quietly retains a trusted admin key — the very centralization it claimed to escape. Remove bridges and every chain becomes an island: liquidity cannot flow between L2s or ecosystems, and the multi-chain world collapses back into isolated ledgers. Keep them, and you keep the two seams where the ecosystem’s trust is thinnest — which is why they are worth understanding most.
  1. In a token-weighted DAO, what is the electorate — where does voting power actually come from, and what existing standard is reused to represent it?
  2. Walk the five stages of an on-chain governance action from proposal to execution. What specific failure does the timelock stage defend against, and why is it the single most important safety device?
  3. Explain the flash-loan governance attack. What two mechanisms (one at vote time, one at execution time) make it much harder, and why does each help?
  4. Why can a token not natively “leave” its chain? Describe the lock-and-mint / burn-and-release pattern and state the one invariant that keeps a bridged token fully backed.
  5. Bridges are the single most exploited component in the ecosystem. Give the structural reason (not a specific bug), and use Ronin and Wormhole to name two different ways that structure fails.
Show answers
  1. The electorate is simply the set of governance-token holders, weighted by balance — there is no separate membership registry. The reused standard is ERC-20: the same balanceOf mapping that tracks token ownership is the record of voting power (one token, one vote). Your right to change the protocol is denominated in the same units as your stake in it.
  2. (1) Propose — someone above the proposal threshold submits an encoded call. (2) Vote — holders cast for/against/abstain, weighted by (possibly delegated) token balance. (3) Quorum — enough total weight must participate, and “for” must beat “against.” (4) Timelock — the passed action is queued behind a delay, not run immediately. (5) Execute — after the delay, the Governor contract calls the target. The timelock defends against a malicious-but-passed proposal executing instantly: during the delay everyone can read the exact call about to run, users can exit, and a guardian can cancel — it turns an instant theft into a visible, contestable event.
  3. Because voting weight is an ERC-20 balance and tokens can be borrowed, an attacker can flash-borrow a majority of the governance token, vote/execute a malicious proposal, and repay — all in one atomic transaction, without ever owning a majority. Two defenses: (a) snapshot voting weight at proposal-creation block (getPastVotes) so a balance borrowed now counts as zero — the attacker had nothing at the snapshot; (b) a meaningful timelock so even a passed proposal cannot execute in the same instant, giving the community a window to notice and cancel. Together they move the decisive moment away from any single cheap, borrowable block.
  4. A token balance is a row in a mapping inside one contract on one chain, and chains cannot see each other’s state — so there is no operation that atomically decrements a balance on chain A and increments it on chain B. A bridge instead locks the real token in escrow on the source chain and mints a stand-in (claim token) on the destination; coming back, it burns the stand-in and releases the original. The invariant: for every stand-in minted on the destination, exactly one real token is locked on the source — that 1:1 backing is what keeps the bridged token redeemable.
  5. Structurally, a bridge pools enormous value in one escrow but protects it with a much smaller, cheaper trust set (a k-of-n multisig or a bespoke validator set) than the chain’s own consensus — so the cost to compromise the trust set is far below the value it guards, making it the biggest single point of failure. Ronin (March 2022, ~$625M): the trust set was 9 keys / 5 required, and the attacker captured 5 keys, signing a valid quorum to drain the escrow — no smart-contract bug, the keys were the security. Wormhole (February 2022, ~$326M): a flawed signature check let the attacker forge a “funds were locked” attestation, minting 120,000 wrapped ETH with nothing locked behind it — breaking the 1:1 invariant via a code bug rather than stolen keys. Same outcome (stand-ins minted without matching originals), two different structural failures.