Regulate Web3 Apps, Not Protocols
Part III: The Web3 DAO Dilemma

Miles Jennings

This is the third part in a series, “Regulate Web3 Apps, Not Protocols”, which establishes a web3 regulatory framework that preserves the benefits of web3 technology and protects the future of the Internet, while reducing the risks of illicit activity and consumer harm. The central tenet of the framework is that businesses should be the focus of regulation, whereas decentralized, autonomous software should not.

In previous articles (parts one and two), we outline the “Regulate Web3 Apps, Not Protocols” framework — a regulatory approach generally consistent with the one used in the United States to regulate Internet technologies such as email, websites and computer networking. The framework can accomplish a wide range of legitimate policy objectives, including to support innovation and to provide clear regulatory guidance regarding the web3 apps made available to users. 

Although the framework is intended to encourage the adoption of regulations that can lead designers, developers, and other builders to create compliant web3 apps, the framework does not (as currently constructed) fully address the potential for bad actors to exploit the unique characteristics of web3 technology to profit from the circumvention of well-intentioned, app-based regulation. In particular, this issue arises due to the value accrual and semi-autonomous activity that web3 protocols make possible. Together these characteristics enable the decentralized autonomous organizations (DAOs) that maintain and administer the affairs of web3 protocols to operate more like businesses than software, yet still be positioned outside the scope of app-based regulation. We call this problem the Web3 DAO Dilemma. 

To overcome the Web3 DAO Dilemma it is necessary to add safeguards that augment the framework, align incentives towards regulatory compliance, and ensure that the legitimate policy objectives of web3 app-based regulations can be achieved. However, such safeguards must be carefully designed so as not to jeopardize any of the fundamental principles of protocols, which must be open source, decentralized, autonomous, standardized, censorship resistant and permissionless in order to foster an open, free, and credibly neutral Internet.

In this third part of our series, we describe the Web3 DAO Dilemma in detail and discuss the importance of DAOs in web3. In addition, we demonstrate how policymakers and regulators can design safeguards within the bounds of the framework to address the dilemma, and then provide protocol and decentralized governance design tips to enable compliance with such safeguards, all while protecting the fundamental principles of protocols.

The Web3 DAO Dilemma

With the advent of any new technology comes the risk that such technology will be used for illicit purposes. However, regulation of new technologies does not need to eliminate the possibility of illicit use to be effective. This is particularly the case if the elimination of illicit activity would require regulation that is so burdensome that it negates the benefits of the technology or stifles innovation of potentially beneficial technologies. Rather, effective regulation should be calibrated to reduce the risk of illicit use and to remove incentives that run counter to policy objectives, such that the benefits of a given technology are likely to significantly exceed its costs, including those that may arise from illicit use. This is a standard problem in traditional regulated markets, where regulation can never ensure absolute compliance; it can only seek to incentivize compliance, including by subjecting individuals who do not comply to enforcement actions by government agencies. 

For the Internet, this has historically meant that governments around the world have forgone regulation of web1 protocols — communications protocols such as HTTP (data exchange for websites), SMTP (email), and FTP (file transfers) — even though bad actors can and do use them to facilitate illicit activity. This is because these protocols produce public benefits (the ability to move information at the speed of light) that significantly outweigh the potential costs associated with their illicit uses and because illicit uses can be addressed by other means. For instance, the United States does not require SMTP to block phishing emails, but it does regulate businesses operating email apps and pursue individuals that perpetrate crimes via email. Meanwhile, it’s impossible to quantify the benefits of transferring information at the speed of light or to imagine what the world would be like if the global Internet had instead been broken up by country based on conflicting regulatory schemes.

Similarly, the “Regulate Web3 Apps, Not Protocols” framework argues that we should not seek to regulate web3 technology in a manner that would eliminate the possibility of illicit use of the technology. Instead, app-based regulation can be used to ensure that the public benefit produced by web3 protocols (the ability to transfer value at the speed of light, new forms of native internet functionality, etc.) outweighs the potential costs associated with illicit uses of such protocols, and such illicit activity can be addressed by other means. Similar to web1 protocols, the United States does not need to regulate decentralized exchange protocols (DEXs) — a type of web3 protocol that enables the peer-to-peer exchange of digital assets — when it can apply regulatory obligations to businesses operating apps that provide users with access to DEXs (as described in part two) and pursue individuals that engage in illicit trading using DEXs.

However, the unique characteristics of web3 protocols (as compared to web1 protocols) means that the web1 analogy can only extend so far. Web1 protocols do not accrue value and are autonomous, which means that there is no one who profits from the general use of web1 protocols or acts on their behalf. For example, there are no stakeholders of the SMTP protocol — no one receives fees through the protocol when emails are sent and no one is incentivized to encourage general use of the protocol. Conversely, web3 protocols can have their own mechanisms for value accrual (e.g., fee accruals, transaction commissions, etc.) and mechanisms for semi-autonomous decision making and activity (e.g., DAOs). As a result, web3 protocols can be designed to accrue value to a protocol’s governance tokenholders and to incentivize such tokenholders to encourage use of the protocol.

These differentiating characteristics are features, not bugs, and they underpin web3’s core value proposition, as discussed further below under the heading “The Role of DAOs in Web3”. However, potential complications arise where these characteristics of web3 protocols overlap with regulated activity. In particular, where web3 protocols facilitate otherwise regulated activity, these characteristics could create incentives that lead to an increase in activity that circumvents such regulation. It stands to reason that, without additional safeguards that limit the misalignment of incentives that can arise from these characteristics, web3 app-based regulation may be less likely than web1 app-based regulation to successfully achieve policy objectives.

To illustrate this issue, consider a DEX protocol designed to take commissions on each trade executed on the DEX and distribute such fees to members of the DEX’s DAO. The DEX’s DAO is responsible for the administration and maintenance of the DEX, which includes funding ongoing development work and setting fee structures. However, to preserve the decentralized, autonomous and permissionless nature of the protocol, the DAO does not have the ability to block trading or control what assets can be traded through the DEX. The DEX is initially launched with a user-facing website (i.e., its app) that is compliant with a hypothetical web3 app-based regulation in the United States that prohibits the facilitation by businesses of trading tokenized securities or derivatives on DEXs. At launch, all trading occurs through the DEX’s compliant app, which does not list any tokenized securities or derivatives for trading. Because the DEX’s app is compliant, we can assume that the collection and distribution of trading commissions is compliant without any actual regulatory compliance burdens being applied directly to the DEX or the DAO itself, which is in line with the “Regulate Web3 Apps, Not Protocols” framework.

Although the DEX’s app is compliant (and thus provides protection against illicit trading activities), third parties could still use the DEX for illicit purposes. For example, users could trade tokenized securities and derivatives by directly interacting with the DEX’s smart contracts; and third-party developers could launch their own non-compliant apps for users to trade tokenized securities and derivatives. While unfortunate, such non-compliant uses are an inevitable consequence of building open and permissionless Internet protocols across both web1 and web3. For example, even if an email app like Gmail could block the sending of phishing emails, individuals would nevertheless be able to send phishing emails by directly interacting with the SMTP protocol or by using email apps that did not restrict such activity. 

However, if the DEX’s DAO were legally permitted to profit from illicit trading, the policy objectives of the app-based regulatory regime (protecting investors by limiting the trading of tokenized securities and derivatives on DEXs) would likely be undermined. In particular, because the DAO would profit from illicit trading, it would be financially incentivized to facilitate and encourage such trading (and likely contribute to an overall increase in such trading). The DEX’s DAO could do this in any number of ways, including by operating a non-compliant app, funding the third-party development of non-compliant apps, or funding the marketing of non-compliant third-party apps. Even though regulators could seek to shut down these non-compliant apps, the mere existence of the counterproductive incentive structure and the DAO’s ability to act on it could ultimately undermine the policy objectives of any app-based regulatory regime targeting DEX apps alone to ensure compliance.

Nevertheless, as outlined in part one of this series, the hypothetical regulation (prohibiting the facilitation of trading tokenized securities or derivatives on DEXs) cannot be applied to the DEX or its DAO without jeopardizing the DEX’s utility as a protocol. For example, a regulation that prohibits the DEX (or the DAO via its development, operation, administration, or maintenance of the DEX) from facilitating the trading of tokenized securities or derivatives in a given jurisdiction would jeopardize the decentralized and autonomous nature of the protocol. In particular, there’s no way for a decentralized and autonomous protocol like a DEX to perform a subjective analysis required to determine whether an asset is a security or derivative without adding human intermediaries, thereby negating the protocol’s decentralization and autonomy. Further, requiring that the DEX’s DAO be empowered to be able to limit access to the DEX to only compliant apps would make the DEX itself permissioned, thereby eliminating its function as public infrastructure upon which any developer can build.

We refer to this tension regarding DAOs as the Web3 DAO Dilemma, and can summarize it as follows:

  • On the one hand, regulation must not violate the fundamental principles of protocols, which must be open source, decentralized, autonomous, standardized, censorship resistant and permissionless in order to foster an open, free, and credibly neutral Internet. 
  • On the other hand, a regulation’s potential to achieve its policy objectives is dependent on its ability to incentivize compliance, so any web3 app-based regulatory framework must be capable of eliminating the incentivization of non-compliance, including the facilitation of non-compliance by DAOs.

The role of DAOs in web3

The most obvious solution to the Web3 DAO Dilemma would be to design web3 protocols that do not have any potential value accrual and that are fully autonomous — essentially, to make web3 protocols DAO-less. However, that would be a grave mistake that would jeopardize the potential of web3. DAOs provide several critical benefits that underpin web3’s core value proposition. 

First, DAOs empower web3 protocols to grow, evolve and adapt in a decentralized manner as technology advances, thereby positioning web3 protocols to compete with the closed and centralized systems of web2 (e.g., Facebook, Twitter, etc.). In particular, DAOs can direct funding to ongoing decentralized development work in order to enable their underlying protocols to evolve as technology develops; they can direct funding to third-party developers to build out additional products and services for the protocol’s ecosystem; they can oversee disputes between ecosystem participants; and they can adjust protocol parameters to account for changing user behaviors and market conditions. In essence, DAOs can function as internet-city governments tasked with governing the public infrastructure (open and decentralized protocols) used by their citizens to create businesses, products, and services. This is in stark contrast to more traditional corporate entity forms, which prioritize the pursuit of closed and centralized systems in order to be able to extract value and maximize shareholder returns.

Second, the decentralized governance enabled by DAOs provides for transparent risk mitigation that could surpass the effectiveness of opaque centralized risk controls. For instance, in the case of decentralized lending protocols, the lack of a governance layer would mean that lending collateralization ratios could not be adjusted, leading to greater risks of protocol failures due to bad loans. In addition, mature DAOs tend to be conservative in their risk management because stakeholders share risks and rewards equally. Prior to and during the crypto turmoil in 2022, many DAOs of lending protocols made conservative selections of acceptable collateral and collateralization ratios, helping them weather the volatility unscathed. Meanwhile, disproportionate allocations of risk and reward at centralized financial institutions can lead to executives taking on unreasonable levels of risk in the hopes of receiving outsized rewards while users bear a loss — a pattern of asymmetrical risk taking that has happened time and again in traditional and non-traditional financial industries regardless of the presence of regulation (see: FTX, Celsius, Voyager, 3AC, MF Global, Revco, Fannie Mae, Lehman Brothers, AIG, LTCM, and Bernie Madoff). 

Third, decentralized governance empowers protocol stakeholders to participate in the governance of such systems, which can lead to more equitable treatment of stakeholders than what is seen in traditional industries. In particular, in traditional industries the use of traditional entity structures (e.g., c-corps) results in the application of fiduciary duties that demand that shareholder value be maximized. This emphasis on shareholder value is detrimental to the other stakeholders of companies, including employees and customers. DAOs have the potential to buck this trend through the use of non-traditional entity structures that have the potential to deliver on the promise of true stakeholder capitalism (i.e., a system where value accrues more equitably to the system’s stakeholders).

Finally, value accrual ensures that the governance tokens that enable DAOs to function have value, which protects them and their underlying protocols from attacks by bad actors. For instance, if a protocol could not accrue value, its governance token may not have value, which means a bad actor could potentially acquire a sufficient amount of such tokens to then control governance votes, thereby undermining all of the potential benefits the DAO provides to the protocol.

Given the critical role of DAOs in web3, policymakers and regulators should not discourage protocol developers from including value accrual and decentralized governance mechanisms in their protocols. Instead, policymakers and regulators should utilize safeguards that solve the Web3 DAO dilemma without disincentivizing the use of DAOs.

Solving the Web3 DAO Dilemma

Given the foregoing and the complexity of the Web3 DAO Dilemma, the default regulatory approach to solving the Web3 DAO Dilemma could be to sacrifice protocols and forgo their benefits, such as by applying cumbersome, subjective, and globally conflicting regulations to protocols or their DAOs that cannot possibly be complied with. Such an approach would be unfortunate, as it would significantly undercut the value proposition of web3 for all the reasons set forth in our introduction to this series. As we argue below, it is also unnecessary.

Instead, policymakers and regulators could pair app-based regulations with additional narrowly-tailored safeguards that:

  1. Limit value accrual that may lead to incentive structures that undermine the policy objectives of the app-based regulation; and 
  2. Restrict the semi-autonomous nature of the DAO in order to limit DAO activities that may undermine the policy objectives of the app-based regulation. 

Safeguards following this construct could be designed so as not to jeopardize the fundamental principles of protocols. In addition, if constructed properly, these safeguards would minimize the differences between web3 protocols and web1 protocols (incentive structures and DAO governance, as discussed above) that might justify the application of a new regulatory framework to web3. Such safeguards could not only eliminate incentives that may result in greater illicit activity; they could also create incentives to encourage use of regulated apps, and make web3 app-based regulation even more effective than web1 app-based regulation. Well-constructed safeguards could effectively drive the policy objectives of the underlying app-based regulations without jeopardizing the fundamental principles of protocols.

We can represent the framework for these safeguards as follows:

Returning to the DEX example, a hypothetical web3 app-based regulation that prohibits the trading of tokenized securities and derivatives using web3 apps would, in theory, lead to good actors building compliant apps that did not list these types of assets — so far, so good. But alone, this regulation may not curtail trading of prohibited assets at a sufficient level to achieve the regulation’s policy objectives (protecting investors by limiting the trading of tokenized securities and derivatives on DEXs) if the DEX’s DAO were designed to profit from such illicit trading for all of the reasons discussed above. However, a sufficient curtailment of illicit trading could be achieved if the regulation were paired with additional safeguards. 

In this case, such additional safeguards could require the DEX’s DAO to:

  1. Utilize mechanisms reasonably designed to prevent the collection and distribution of fees and/or commissions, directly or indirectly, to the DAO from transactions initiated through non-compliant applications; and 
  2. Forgo activities whose primary purpose is to facilitate or encourage unlawful trading through non-compliant applications (e.g., operating non-compliant apps, funding non-compliant apps or marketing non-compliant apps). 

Together, these safeguards could effectively drive trading activity through compliant apps that restrict trading of tokenized securities and derivatives, thereby achieving the policy objectives of the hypothetical app-based regulation, without jeopardizing the fundamental principles of protocols as applied to the DEX.

Complying with regulatory safeguards

The remainder of the post will demonstrate how protocol developers and DAOs can comply with the foregoing safeguards through the implementation of certain protocol designs and decentralized governance designs that preserve the benefits of value accrual and semi-autonomous designs for web3 protocols without jeopardizing the fundamental principles of protocols.

Step 1: Designing compliant value-accruing protocols

The first step in complying with the hypothetical safeguards would be to eliminate the value a DAO might receive from illicit activity without jeopardizing the fundamental principles of protocols. As we describe in this section, protocols can accomplish this by introducing a new type of app-specific protocol design that can distinguish transactions based on the app initiating them. 

Below we outline a simple example of a web3 tech stack. Users initiate transactions via web3 apps, which are submitted to blockchain and smart contract protocols; the protocols then execute those transactions, and miners or validators update the state of the blockchain to reflect them. Typically, all apps using a given smart contract protocol (including third-party apps) interact with the same smart contracts, and the affairs of the protocol are typically administered and maintained by a DAO.

In order to limit value accrual from illicit activity to the protocol’s DAO, the protocol would need to be able to distinguish between compliant apps and non-compliant apps, thereby enabling it to forgo value accrual from non-compliant apps. To achieve this, the protocol could use a “factory” smart contract that deploys separate, protocol-controlled gateway smart contracts for each app seeking to interact with the protocol. App developers could permissionlessly trigger the “factory” smart contract in order to deploy a gateway smart contract for their app (and could do so for each jurisdiction in which they wish to provide users with access to the protocol). Each app would then interact with the protocol via its own separate and unique gateway smart contract, with each transaction being authenticated by the app’s private key associated with such smart contract.

The goal of introducing this gateway smart contract construct is to provide a new core functionality: enabling protocols to associate incoming transactions with specific apps. Here’s an example of how this could work, using a hypothetical DEX: 

Using gateway smart contracts, this DEX (and other protocols like it) could pursue a number of designs that incentivize apps to comply with regulations or that insulate the protocol’s DAO from profiting from illicit activity. These designs vary in their potential efficacy, and include:

  • App Blacklist: The protocol could enable its DAO to blacklist (or block) addresses of gateway smart contracts associated with non-compliant apps so that such gateways could no longer interact with the protocol. This would cut off the blacklisted apps’ access to the protocol. However, non-compliant app developers could easily circumvent this approach by deploying new gateway smart contracts to addresses that are not blacklisted; and they would have a compelling reason to do so, as such action would grant them access to the protocol while circumventing the blacklist. As a result, an App Blacklist is not a viable solution for protocol developers, as it would likely lead to an endless game of “whack-a-mole.” In addition, this approach enables DAOs to attempt to censor apps (by blacklisting them) in violation of the fundamental principles of protocols.
  • App Whitelist: Alternatively, the protocol could require that gateway smart contracts be whitelisted by the DAO before they are permitted to interact with the protocol. Although this approach is difficult to circumvent and allows the DAO to ensure that only compliant apps integrate with its protocol, it creates two significant problems: (1) it makes the protocol permissioned — as apps must obtain the DAO’s permission before they are able to use the protocol — which violates the fundamental principles of protocols and introduces a vulnerability that could be exploited by bad actors (who could, for instance, block apps that compete with their own); and (2) it places an unworkable monitoring requirement on the DAO, which would not be able to assess the regulatory status of every app without undermining the DAO’s own decentralization. Further, these burdens would go well beyond what is required of web1 protocols — no independent body monitors email to ensure it is not being used for illicit purposes. As a result, app whitelists are likely untenable for protocol developers and detrimental to decentralized protocols.
  • Selective Value Accrual (SVA): In order to preserve its permissionless nature, the protocol could be designed such that the fees accruing to its DAO would only be collected from transactions initiated through compliant apps. There are two flaws in this mechanism: (1) it would make transacting through non-compliant apps cheaper than transacting through compliant apps, thereby incentivizing users to use non-compliant apps instead of compliant apps; and (2) it places a significant burden on the DAO to determine which apps are compliant. As a result, while this approach improves on the previous mechanisms, it may be counterproductive to policy objectives by inadvertently driving transaction volume to non-compliant apps.
  • Default Value Accrual (DVA): Protocol developers can solve for the censorship risk of the blacklist/whitelist approaches and the counter-productivity of the SVA mechanism by implementing a hybrid approach, where the fees accruing to the protocol’s DAO would be collected on every transaction and directed to two different pools: a default pool and a blacklist pool. All such fees would, by default, go to the default pool.1 But in the event the DAO received a notice from a government agency or self-regulatory organization (SRO) that an app was not compliant with applicable laws and regulations, the fees accruing to the DAO from the non-compliant app would be directed to the blacklist pool. Here’s an example of how the DVA arrangement could appear for the hypothetical DEX discussed herein: 
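The following is an added model of the gateway construct and the DVA fee routing described above; it is illustrative code written for this edit, not a diagram or contract from the post. It assumes a 30 bps DAO commission, models on-chain app authentication with an HMAC over the transaction payload (standing in for a signature check against the key registered at gateway deployment), and uses constructed app names, keys and a hypothetical SRO notice.

```python
"""Python model of a permissionless gateway factory plus Default Value Accrual (DVA).

Every trade executes regardless of the initiating app; only the destination
of the DAO's fee (default pool vs. blacklist pool) depends on whether the
gateway has been named in a regulator/SRO notice. Hypothetical, not the post's code.
"""
import hashlib
import hmac
from dataclasses import dataclass

FEE_BPS = 30  # assumed 0.30% commission accruing to the DAO on every trade


@dataclass(frozen=True)
class Gateway:
    address: str       # protocol-controlled gateway contract address (constructed)
    app_id: str        # app that triggered the factory
    jurisdiction: str  # one gateway per app per jurisdiction, as the post describes
    app_key: bytes     # verification key registered for the app at deployment


class GatewayFactory:
    """Permissionless factory: any developer may deploy a gateway for their app."""

    def __init__(self) -> None:
        self.gateways: dict[str, Gateway] = {}

    def deploy(self, app_id: str, jurisdiction: str, app_key: bytes) -> Gateway:
        # Deterministic pseudo-address derived from app, jurisdiction and key.
        digest = hashlib.sha256(b"|".join([app_id.encode(), jurisdiction.encode(), app_key]))
        gw = Gateway("0x" + digest.hexdigest()[:40], app_id, jurisdiction, app_key)
        self.gateways[gw.address] = gw
        return gw


def sign_trade(app_key: bytes, gateway: str, trader: str, amount: int) -> str:
    """App side: authenticate a transaction relayed through the app's gateway."""
    payload = f"{gateway}|{trader}|{amount}".encode()
    return hmac.new(app_key, payload, hashlib.sha256).hexdigest()


class DvaDex:
    """DEX whose DAO fees are split between a default pool and a blacklist pool."""

    def __init__(self, factory: GatewayFactory) -> None:
        self.factory = factory
        self.default_pool = 0
        self.blacklist_pool = 0
        self.noticed: dict[str, str] = {}  # gateway address -> notice issuer

    def receive_notice(self, gateway: str, issuer: str) -> None:
        """DAO records a non-compliance notice; routing is mechanical from here on."""
        if gateway not in self.factory.gateways:
            raise ValueError("notice names an unknown gateway")
        self.noticed[gateway] = issuer

    def trade(self, gateway: str, trader: str, amount: int, signature: str) -> int:
        """Execute a trade initiated through `gateway`; returns the net amount to the trader."""
        gw = self.factory.gateways.get(gateway)
        if gw is None:
            raise ValueError("transactions must arrive through a deployed gateway")
        expected = sign_trade(gw.app_key, gateway, trader, amount)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("transaction not authenticated by the gateway's app")
        fee = amount * FEE_BPS // 10_000
        # The protocol never blocks the trade (it stays permissionless); the DAO
        # simply cannot draw on fees from a gateway named in a notice.
        if gateway in self.noticed:
            self.blacklist_pool += fee
        else:
            self.default_pool += fee
        return amount - fee


def run_scenario() -> dict:
    """Constructed scenario: a compliant app and an app later named in an SRO notice."""
    factory = GatewayFactory()
    dex = DvaDex(factory)
    key_a, key_b = b"app-a-secret-key", b"app-b-secret-key"  # constructed keys
    gw_a = factory.deploy("compliant-app", "US", key_a)
    gw_b = factory.deploy("other-app", "US", key_b)

    def via(gw: Gateway, key: bytes, trader: str, amount: int) -> int:
        return dex.trade(gw.address, trader, amount, sign_trade(key, gw.address, trader, amount))

    net_a = via(gw_a, key_a, "alice", 100_000)
    net_b_before = via(gw_b, key_b, "bob", 100_000)
    dex.receive_notice(gw_b.address, "hypothetical SRO")
    net_b_after = via(gw_b, key_b, "bob", 100_000)

    # A third party cannot route through the compliant gateway without its key.
    forged = sign_trade(key_b, gw_a.address, "mallory", 50_000)
    try:
        dex.trade(gw_a.address, "mallory", 50_000, forged)
        forgery_rejected = False
    except PermissionError:
        forgery_rejected = True

    return {
        "default_pool": dex.default_pool,      # fees collected before any notice
        "blacklist_pool": dex.blacklist_pool,  # fees from the noticed app after notice
        "same_price_for_users": net_a == net_b_before == net_b_after,
        "forgery_rejected": forgery_rejected,
    }
```

Unlike the SVA variant, the net amount a trader receives is identical through every gateway, so the mechanism creates no price incentive to use a non-compliant app.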

Of these potential solutions, the DVA model provides the only workable framework for maintaining the censorship resistant and permissionless nature of web3 protocols while both (i) disincentivizing illicit activity initiated by non-compliant apps and (ii) eliminating the DAO’s potential to profit from such illicit activity.2 As discussed above, web3 protocols should not be required to adopt more restrictive mechanisms (like the App Blacklist and App Whitelist approaches) that would sacrifice the fundamental principles of such protocols. Further, requiring such mechanisms would be well beyond the requirements that are currently applicable to web1 protocols. Just as email protocols are not required to prohibit people conspiring to commit a crime, DEX protocols and their DAOs should not be required to prohibit the unlawful trading of digital assets. 

The DVA mechanism also has the potential to significantly reduce the regulatory compliance burden of DAOs as compared to existing approaches, thereby facilitating greater decentralization. By providing a tool to differentiate between compliant and non-compliant apps, protocols can alleviate the need for DAOs to assess whether individual transactions are compliant. For example, in order for the DAO of a DEX that does not use the DVA mechanism to collect transaction fees from trading, it must assess whether collecting these fees is legally permissible for each liquidity pool and in every jurisdiction where the pool’s transactions originate — this is an unworkable process. Using the DVA design, however, a DEX could divert trading fees collected from non-compliant apps whenever the DAO receives notice of non-compliance from a local government to the DEX’s blacklist pool, without ever having to assess whether individual transactions and liquidity pools are themselves compliant. 

One final layer of protection that protocol developers can add to the DVA mechanism is to make any distribution mechanism for DAOs voluntary rather than involuntary. Voluntary distribution mechanisms would include paying DAO members in exchange for their participation in protocol safety-modules, governance votes, liquidity pools, and more. Involuntary distribution mechanisms would include governance token buyback-and-burn programs. Voluntary mechanisms are preferable to involuntary mechanisms as they ultimately give DAO members the choice of benefiting from any value accrual of the protocol and the DAO, thereby empowering them to assess the regulatory implications prior to collecting any such benefits.

The foregoing mechanisms can be expanded to all types of protocols and regulations, with the key premise being that protocol developers should carefully analyze the regulatory implications of activity their protocols enable, and seek to protect stakeholders (i.e., DAOs) from profiting from illicit uses of such protocols. However, it is important to note that the foregoing value accrual mechanisms should be limited to the value that accrues to a protocol’s DAO, and not be extended to the value that accrues to a protocol’s users (such as liquidity providers). The reason for this is that empowering a protocol’s DAO to turn off value accrual to protocol users would enable the DAO to effectively censor certain types of user activity (without fee accrual such activity would cease). While that may sound desirable to some, it would violate the fundamental principles of protocols and subject the protocol to misuse by bad actors, who could seek to take control of the DAO and censor activity for their own benefit. Further, any attempts to censor or permission the protocol via this route could lead to the protocol being forked without any tools for compliance.

Step 2: Designing compliant decentralized governance

The second step in complying with the hypothetical safeguards is to reduce or eliminate any actions that a protocol’s DAO may take with the primary purpose of encouraging illicit activity through the protocol via non-compliant applications. While implementing the protocol design we described above can eliminate any incentives for the DAO to engage in illicit activity, adopting the following decentralized governance designs can further reduce risks arising from the semi-autonomous nature of web3 protocols that make them susceptible to misuse. 

The potential for misuse is likely to be a key focus of regulators. For instance, in CFTC vs. Ooki DAO, the Commodity Futures Trading Commission (CFTC) raised significant (and legitimate) concerns about bad actors effectively operating the Ooki protocol and its DAO as a founder-controlled business while attempting to use the appearance of decentralization as a shield from regulatory scrutiny. Ultimately, the use of decentralized governance and DAOs is not a shield protecting illicit activity from penalty. Regulators have targeted, and will continue to target, those that disregard applicable laws.

As a result, it is critical that the design of decentralized governance mechanisms and DAOs be undertaken with regulatory compliance in mind. Policymakers and regulators should also provide the web3 industry with guidance regarding how DAOs can drive greater regulatory compliance. What follows is a number of recommendations within the bounds of the “Regulate Web3 Apps, Not Protocols” framework and its safeguards that could help to establish a foundation for such compliance.

Governance minimization

In order to reduce the risk of non-compliance, protocol developers should make their protocols as autonomous as possible by pursuing and implementing governance minimization. In particular, protocol developers should seek to reduce all governance to unavoidable decisions that fall within the following three categories: 

  1. Complex Parameter Setting: Includes the setting of fees and commissions, permissible collateral types, collateralization ratios, etc.
  2. Treasury Management: Includes a range of activities such as advocacy, treasury diversification, and grant programs.
  3. Protocol Maintenance and Upgrades: Includes a range of activities such as changing oracles and deploying upgraded smart contracts.

The number and scope of decisions within any of these categories for a particular DAO will depend heavily on the type of protocol it administers. It is likely safe to assume that, as web3 protocols grow more complex, the number and scope of decisions will similarly increase. However, to the extent possible, protocol developers should seek to reduce such decision making, as doing so ultimately reduces the potential for misuse in addition to providing other benefits associated with governance minimization, such as protecting the protocol’s credible neutrality. 

In addition, protocol developers need to carefully assess the powers they retain or grant to DAOs. In its complaint in CFTC vs. Ooki DAO, the CFTC referenced Ooki DAO’s ability to “adjust how the smart contracts operated; pause or suspend trading; pause or suspend contributions or withdrawals of asset and redemptions of tokens to close positions; and otherwise direct dispositions of the funds held in the [Ooki] Protocol smart contracts” as evidence that the Ooki DAO should be liable for the non-compliance of the protocol. As a result, protocol developers need to balance the regulatory risks associated with providing similar powers to DAOs with the risks to consumers if such powers are not retained. As in many areas of web3, regulation targeting these governance characteristics could have significant unintended consequences that may cause consumers even greater harm. Regulations should provide clarity on this subject to support policy objectives and help protocol developers address such concerns. 

Treasury management

DAOs need to be particularly careful with respect to their treasury management activities; they should avoid funding projects or activities that would be likely to result in increased illicit use (or at a minimum, result in increased proceeds from illicit use) of their protocols via non-compliant apps. For instance, DAOs should consider refraining from:

  • Funding the creation and deployment of non-compliant apps
  • Funding marketing efforts for non-compliant apps 
  • Directing users to non-compliant applications
  • Soliciting users to engage in illicit activity

While it is impossible to encode subjective restrictions on DAO activities into a protocol’s design, protocol developers can take certain steps to help DAOs maintain compliance. First, adopting the DVA protocol design would incentivize DAOs to encourage activity via compliant apps rather than non-compliant apps. Second, protocol developers could launch DAOs with associated legal entities that are sufficiently funded to engage independent legal counsel to advise on DAO activities (as discussed further below). Third, protocol developers should give DAOs the rights to any trademarks and web domains associated with their underlying protocols, enabling DAOs to prohibit non-compliant apps from using those marks and domains. This way, DAOs can actively disassociate themselves from non-compliant apps rather than encourage their use.

DAO legal entity structure

DAOs that seek to operate without a legal entity structure expose themselves to significant risk that governments will select an entity structure for them and define their membership extremely broadly. As evidenced by recent enforcement proceedings, these entity forms may not afford DAO members limited liability or provide shelter from negative tax treatment. This creates a tremendous amount of uncertainty for DAO members, and likely disincentivizes active participation in decentralized governance, thereby threatening the viability of DAOs and their protocols. 

As a result, DAOs should continue to pursue the use of legal entity structures (see here and here). Protocol developers can assist in this effort upon launching a DAO by either using a legal entity structure that “wraps” all of the DAO members (i.e., all activity of the DAO members is conducted through a legal entity) or by siloing specific activity of the DAO in its own legal entity structure (i.e., the treasury management of a DAO may be conducted by a legal entity that operates as an ecosystem fund, deploying the DAO’s resources to further develop and improve the protocol’s ecosystem).

The use of such legal entities is not a license to engage in unlawful activity, but can help limit the exposure of the DAO’s individual members to risks, thereby removing disincentives regarding participation in DAOs and safeguarding the role of decentralized governance in web3.


The unique characteristics of web3 technology give rise to a dilemma that is not easily solved without jeopardizing the fundamental principles of protocols that give them utility. Specifically, the mechanisms for value accrual and semi-autonomous decision making and activity in web3 protocols differentiate them from web1 protocols and expose app-based regulatory regimes to potential exploits that may undermine the policy objectives of such regimes. 

However, to be effective, regulation of new technologies does not need to eliminate the possibility of illicit uses; it only needs to be calibrated properly so that the public benefits of such technology are likely to significantly exceed its costs, including those costs arising from its illicit uses. Policymakers and regulators can achieve this threshold by augmenting app-based regulatory regimes with narrowly-tailored safeguards targeting DAO incentives and activities. These safeguards can eliminate incentives that may otherwise drive greater amounts of the illicit activity a given regulatory regime is intended to limit. And, fortunately, web3 technology offers tools to comply with such safeguards without jeopardizing the fundamental principles of protocols. As a result, the “Regulate Web3 Apps, Not Protocols” framework offers policymakers and regulators an avenue to protect the future of the Internet, while reducing the risks of illicit activity and consumer harm.

1 Absent regulation directly addressing the subject, it is unclear what options a protocol might have with respect to the funds accruing to the blacklist pool and what the tax implications of such accrual might be. However, while waiting for any such regulation to be passed, protocols could opt for blacklist pool smart contracts to automatically direct funds to a self-regulatory organization tasked with identifying non-compliant apps in designated countries (thereby funding such SROs) or to web3 advocacy organizations. 

2 While the use of a blacklist mechanism by the DVA leaves the protocol somewhat exposed to the risk that non-compliant apps could circumvent the blacklist by simply deploying new, non-blacklisted gateway smart contracts, they would not be as incentivized to do so as they would be if the protocol were solely using the blacklist mechanism described above. This is because in the DVA scenario, use of the blacklist does not negatively impact the non-compliant app, whereas in the blacklist-only scenario, the blacklisted non-compliant app loses access to the protocol. Regardless, one potential alteration to the DVA mechanism that could further minimize the risk of illicit proceeds accruing to DAOs would be to add an audit function whereby the default pool is audited to determine whether any funds accrued to the pool from non-compliant apps. Any funds from non-compliant apps could then be removed from the default pool and sent to the blacklist pool prior to distribution of funds from the default pool to the DAO.
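The following is an added illustrative model of the pool accounting this footnote describes; it is not code from the article or from any protocol, and the gateway names, fee amounts, and the two mode labels ("blacklist_only" and "dva") are assumptions made for the example. It contrasts the two scenarios the footnote compares (a blacklisted gateway being refused service versus being served with its fees diverted to the blacklist pool), runs the proposed audit before distributing the default pool to the DAO, and includes the circumvention case of an app redeploying a fresh, unlisted gateway.

```python
from dataclasses import dataclass, field


@dataclass
class FeeRouter:
    """Toy model of the default pool / blacklist pool split (hypothetical design)."""
    blacklist: set = field(default_factory=set)
    # The default pool is kept as a per-gateway ledger rather than one balance,
    # because the audit step must be able to reattribute funds to a gateway.
    default_pool: dict = field(default_factory=dict)
    blacklist_pool: int = 0
    dao_balance: int = 0
    denied: int = 0  # fees that were never collected because service was refused

    def accrue(self, gateway: str, fee: int, mode: str) -> str:
        """Route one fee payment from a gateway contract; returns where it went.

        mode == "blacklist_only": a blacklisted gateway is refused service.
        mode == "dva": a blacklisted gateway is still served, but its fee is
        diverted to the blacklist pool instead of the default pool.
        """
        if mode not in ("blacklist_only", "dva"):
            raise ValueError(f"unknown mode: {mode}")
        if gateway in self.blacklist:
            if mode == "blacklist_only":
                self.denied += fee
                return "denied"
            self.blacklist_pool += fee
            return "blacklist_pool"
        self.default_pool[gateway] = self.default_pool.get(gateway, 0) + fee
        return "default_pool"

    def audit_and_distribute(self) -> int:
        """Move default-pool funds of now-blacklisted gateways to the blacklist
        pool, then pay the remainder to the DAO. Returns the amount moved."""
        moved = 0
        for gateway in list(self.default_pool):
            if gateway in self.blacklist:
                moved += self.default_pool.pop(gateway)
        self.blacklist_pool += moved
        self.dao_balance += sum(self.default_pool.values())
        self.default_pool.clear()
        return moved


def run_scenario(mode: str) -> dict:
    """Constructed sequence of events; gateway names and amounts are made up."""
    r = FeeRouter()
    r.accrue("gw_compliant", 100, mode)
    r.accrue("gw_shady_v1", 50, mode)            # accrues before anyone flags it
    r.blacklist.add("gw_shady_v1")               # the app is later blacklisted
    v1_after = r.accrue("gw_shady_v1", 30, mode)  # same gateway, after listing
    # Circumvention attempt: the same app redeploys an unlisted gateway.
    v2 = r.accrue("gw_shady_v2", 30, mode)
    moved = r.audit_and_distribute()
    return {
        "v1_after_blacklist": v1_after,
        "v2_unlisted": v2,
        "moved_by_audit": moved,
        "dao_balance": r.dao_balance,
        "blacklist_pool": r.blacklist_pool,
        "denied": r.denied,
    }


if __name__ == "__main__":
    for mode in ("blacklist_only", "dva"):
        print(mode, run_scenario(mode))
```

Two things the model makes visible. First, the audit recovers the 50 that gw_shady_v1 contributed before it was listed only because the default pool tracks contributions per gateway; a single pooled balance could not be reattributed after the fact. Second, in both modes the redeployed gw_shady_v2 still leaks its 30 into the DAO payout, since the audit can only act on gateways that are on the blacklist at audit time; the difference between the modes is the incentive to redeploy, which is strong when the original gateway is refused service ("denied") and weak when it is still served with its fees simply diverted.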

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at
