5.3 Real-world examples: MKR (MakerDAO), COMP (Compound), AAVE
Why Compound grew TVL from $100 million to $650 million through a single distribution decision, how MakerDAO's governance covered a $5 million crisis through token dilution, and what Aave's Guardian multisig reveals about the trade-off between decentralization and emergency response.
Sections 5.1 and 5.2 covered governance token fundamentals and voting mechanics. This section shows what those concepts look like when billions of dollars are at stake.
Three protocols demonstrate how governance tokens work at scale: MakerDAO with $8 billion in assets, Compound with $3 billion in lending markets, and Aave with $10+ billion in deposits. Each took different approaches to the same problem: how do you let thousands of pseudonymous token holders make technical decisions about systems managing billions of dollars?
Their successes and failures define what works in crypto governance. The patterns that emerged from these protocols now shape how new projects design their governance systems.
MakerDAO: Governance Through Crisis
MakerDAO created DAI, the decentralized stablecoin backed by crypto collateral. Someone needs to decide which assets back DAI, what interest rates borrowers pay, and how the system responds when collateral crashes in value. MKR holders make these decisions.
The stakes are existential. Bad collateral choices could break the peg. Wrong interest rates could drain the treasury or kill adoption. Slow crisis response could trigger cascading liquidations. MKR holders can't afford to get governance wrong.
How MKR Governance Actually Works
MKR uses continuous approval voting, a system unique among major protocols 1. In most DAOs, proposals have a fixed end date and a yes/no outcome. In Maker, your proposal wins only when it has more MKR support than the current leading proposal (the "hat"), whenever that happens.
Here's how it plays out in practice. The current executive has 75,000 MKR voting for it. You submit a new proposal to change the DAI Savings Rate from 5% to 6%. Token holders review your proposal and vote. If your proposal attracts 80,000 MKR, it becomes the new hat and executes after a 24-48 hour delay. The old proposal's 75,000 MKR doesn't automatically transfer to your proposal. Voters must actively move their MKR to support new executives.
This system means governance never stops. There's no "proposal passed, governance is done for the week." Competing proposals can appear anytime. Better ideas can replace current executives before they execute. The community constantly evaluates which proposal best serves the protocol.
The 24-48 hour execution delay exists for emergency response. The Governance Security Module (GSM) allows large MKR holders to trigger an emergency pause if a malicious proposal passes 2. This gives the community time to coordinate defense before harmful changes take effect.
MakerDAO also uses polling votes for temperature checks and signal gathering. These polls run for fixed periods (typically 1 week) and guide executive proposal creation. "Should we add wBTC as collateral?" gets polled first. If the poll passes, core units draft the technical executive proposal.
Black Thursday Stress Test
March 12, 2020, tested whether MKR governance could function under extreme pressure. COVID fears crashed crypto markets. ETH dropped 30% in hours. The collateral backing millions in DAI suddenly became insufficient.
MakerDAO's automated liquidation system should have sold collateral to cover bad debt. But Ethereum gas prices spiked to 200+ gwei as everyone rushed to trade simultaneously 3. Liquidation auctions couldn't compete. Some auctions completed with zero bids, letting liquidators claim $8 million in ETH collateral for free 4. The system accumulated $4-6 million in bad debt. DAI's peg broke, spiking to $1.05 as holders panicked 5.
Net result: a single day of chaos produced a roughly $5 million hole that had to be socialized to MKR holders.
MKR governance responded within 48 hours:
- Emergency Stability Fee Changes: Voted to increase stability fees (interest rates) on certain vault types to slow new DAI creation while the system stabilized.
- Debt Auction Authorization: Approved minting and auctioning new MKR to cover the bad debt. This diluted existing MKR holders but recapitalized the system 6.
- Collateral Parameter Updates: Adjusted debt ceilings and liquidation ratios across multiple collateral types to reduce risk exposure.
The debt auctions minted 20,580 new MKR, raising roughly $5.3 million to cover the shortfall 7. MKR holders voted to dilute themselves rather than let the system fail. This aligned incentives perfectly: the loss hurt MKR holders most, so they fixed it fastest.
But the crisis exposed governance gaps. Some decisions happened too slowly. Others required technical expertise most MKR holders lacked. The emergency showed that pure token-weighted democracy couldn't respond fast enough to existential threats.
The Core Unit Model: Professionalizing Governance
Post-crisis, MakerDAO restructured around Core Units, specialized teams with defined mandates and budgets approved by MKR governance 8.
Risk, Engineering, Growth, and Oracles are four examples. In practice there are many more specialized teams, each handling specific functions like risk analysis, smart contract development, business partnerships, or price feed infrastructure. Each Core Unit submits quarterly budget proposals. MKR holders vote on funding but don't micromanage operations.
This hybrid model solved the expertise problem. Token holders make high-level strategic decisions: which collateral types to support, how much risk to accept, how to allocate resources. Specialized teams handle technical implementation and ongoing operations.
The Core Unit structure isn't perfect. Coordination between units can fail. Some units have exceeded budgets or underdelivered. Accountability remains challenging when teams are pseudonymous and globally distributed. But the model works better than expecting retail MKR holders to vote on oracle implementation details.
Why this matters: MakerDAO proved that governance can evolve structurally without sacrificing token holder control. When pure direct democracy failed during crisis, the community built professional operational layers while keeping strategic authority on-chain.
The Maker Constitution and Endgame Plan
In 2022-2023, MakerDAO founder Rune Christensen proposed "Endgame," a major governance restructure 9. The plan includes:
SubDAOs: Specialized sub-organizations managing specific functions, similar to Core Units but with more autonomy and their own token economies. Each SubDAO operates independently while remaining accountable to MKR holders.
Maker Constitution: A formal document codifying governance processes, decision-making authority, and organizational principles. This constitution gets approved by MKR vote and establishes the rules that SubDAOs must follow.
Three-Phase Implementation: Gradual transition from the current Core Unit model to fully autonomous SubDAOs over several years.
The proposal sparked intense debate. Some MKR holders supported the clarity and structure. Others worried about increased complexity and reduced agility. Votes passed incrementally, with governance approving elements of Endgame while rejecting or modifying others.
This showcases governance evolution. MakerDAO isn't static. The community experiments with organizational structures, keeps what works, and discards what doesn't. The protocol that worked in 2020 needed different governance by 2023 as TVL grew, use cases expanded, and the regulatory environment changed.
Compound: The Governor Standard
Compound pioneered decentralized money markets, letting users lend and borrow crypto without intermediaries. COMP holders govern which assets can be borrowed, what interest rate models apply, and how protocol reserves get allocated.
Where MakerDAO built custom governance systems through trial and error, Compound created a standardized framework that dozens of other protocols copied. Governor Bravo, Compound's governance contract, became the template for DeFi governance 10.
The COMP Distribution Gambit
Compound launched in 2018 without a token. The founding team and investors controlled the protocol through administrative keys. Users had to trust that Compound Labs wouldn't abuse this control.
In June 2020, Compound distributed COMP tokens to users and liquidity providers 11. Lend USDC, earn COMP. Borrow DAI, earn COMP. The token distribution created instant incentives to use the protocol.
TVL exploded from $100 million to $650 million within weeks 12. Compound became the second-largest DeFi protocol by TVL. The COMP distribution started "yield farming," where users chase token rewards across protocols. This pattern spread industry-wide.
But the distribution also created mercenary capital. Users deposited funds purely to farm COMP, not because they wanted to use Compound. When rewards dried up, they left. The protocol had attracted liquidity, not loyalty. That experience forced the community to treat emissions as a precise instrument, not free marketing.
COMP governance controls this distribution. Token holders vote on emission rates, which pools receive rewards, and when to end farming programs. They've gradually reduced emissions as the protocol matured, transitioning from growth-focused farming to sustainable operation.
Proposal 62: The $80 Million Bug
September 2021 tested Compound's governance under pressure, similar to MakerDAO's 2020 crisis.
A code upgrade introduced a critical bug in COMP distribution. The error allowed users to claim far more COMP rewards than intended 13. The bug could drain $80+ million in COMP from the protocol's reserves.
The fix required governance approval. But governance normally takes 7 days: 3 days voting, 2 days timelock, 2 days buffer. The bug was active. Attackers could drain funds while governance processed.
COMP holders mobilized. Major delegates reached out to dormant wallets. Exchanges coordinated with large holders. Andreessen Horowitz, which held 7% of supply, voted immediately 14. Within 36 hours, Proposal 62 hit the 400,000 COMP quorum threshold.
The fix went live before attackers could execute a major drain. Some COMP was lost (estimated $60-80 million in overpayments), but catastrophic loss was prevented 13.
This response demonstrated two things. First, Compound's governance could move quickly when necessary. Second, it required extraordinary coordination to do so. Normally, hitting quorum in 36 hours would be impossible. The community rallied specifically because the threat was obvious and immediate.
The incident led to governance changes. Compound added emergency response procedures. Core contributors got limited emergency powers to pause certain functions without full governance votes. These powers have tight constraints and sunset clauses, but they exist for situations where 72 hours matters.
The Governor Bravo Framework
| Stage | MakerDAO (standard) | Compound (standard) | Compound (emergency) | Aave (standard) | Aave (Guardian) |
|---|---|---|---|---|---|
| Proposal submission | Anytime (continuous) | Day 0 | Day 0 | Day 0 | N/A |
| Voting period | Until proposal exceeds current "hat" | Days 1–3 | Days 1–1.5 | Days 1–3 | N/A |
| Execution delay (timelock) | 24–48 hours after passing | Days 3–5 | Days 1.5–2 | Days 3–5 | N/A |
| Emergency override | GSM pause by large MKR holders | Added post-Proposal 62 (limited pause) | Mobilized in ~36 hours | — | Pauses within hours |
| Total time to execution | 2–7+ days | ~7 days | ~3 days | ~5–7 days | Hours |
Think of Governor Bravo as a generic "DAO operating system" that many protocols run instead of writing their own from scratch. The framework defines:
Proposal Structure: Every proposal includes executable code, not just descriptions. "Increase collateral factor" translates to specific function calls with exact parameters.
Voting Checkpoints: Token balances get snapshotted at proposal creation. This prevents "flash governance" where someone borrows tokens, votes, and returns them.
Timelock Protection: Passed proposals wait 2 days before execution. This gives users exit windows if they disagree with outcomes.
Threshold Requirements: Proposals need minimum voting power to submit (25,000 COMP) and minimum quorum to pass (400,000 COMP).
Delegation System: Token holders can delegate voting power to other addresses without transferring tokens. This enables professional delegates.
The standardization matters because developers can audit once and trust broadly. If 20 protocols all use Governor Bravo, security researchers can focus on that single codebase. Vulnerabilities found in one implementation get fixed across all implementations.
Governor also enables governance-as-code. External tools like Tally and Snapshot integrate seamlessly because they know the interface. Wallets add governance support once and it works across all Governor-based protocols.
COMP's Value Capture Debate
Unlike MKR, where governance already routes value via buyback-and-burn, COMP holders have deliberately left this lever unused. Holding COMP gives you governance rights but no claim on protocol revenue.
Compound generates revenue through reserve factors. When borrowers pay interest, a small percentage goes to protocol reserves rather than lenders. These reserves have grown to hundreds of millions of dollars 15.
COMP governance could vote to:
- Distribute reserves to COMP holders as dividends
- Use reserves to buy and burn COMP
- Keep reserves for protocol development and grants
- Allocate reserves to insurance funds protecting against bad debt
The community hasn't reached consensus. Some holders push for direct value capture. Others argue that keeping reserves strengthens the protocol, which indirectly benefits COMP by making the protocol more valuable and sustainable.
This tension exists across many governance tokens. Does governance value come from direct revenue share, or from control over protocol direction? COMP holders get enormous influence over a $3 billion lending market but no automatic financial return beyond token price appreciation.
The decision remains unresolved. COMP governance continues accumulating reserves while debating optimal allocation. This is governance working as designed: the community weighs trade-offs and makes decisions when consensus emerges, not according to arbitrary deadlines.
Why this matters: Compound proved governance standards work better than custom implementations. Governor Bravo became infrastructure that reduced security risk and increased interoperability across dozens of protocols.
Aave: The Multi-Chain Governance Challenge
Aave operates across 9+ blockchains including Ethereum, Polygon, Arbitrum, Optimism, and Avalanche 16. AAVE holders on Ethereum mainnet govern deployments across all these chains. This creates unique coordination challenges.
The Guardian System: Balancing Speed and Decentralization
Aave governance operates through two layers: the AAVE token holder vote and the Guardian multisig 17.
Standard governance follows the familiar path. Someone proposes adding a new asset or changing parameters. AAVE holders vote. If approved, the change queues in the timelock. After delay, anyone can execute.
But the Guardian can pause markets immediately without governance votes. In practice this is a 5-of-9 multisig held by trusted community and team members who can pause but not arbitrarily reconfigure the protocol 18.
July 2023 demonstrated why this matters. Curve Finance suffered a major exploit affecting their CRV token 19. Aave had significant exposure to CRV through lending markets. If the exploit crashed CRV prices while attackers borrowed heavily against CRV collateral, Aave could accumulate bad debt.
The Guardian paused CRV borrowing within hours, before market panic cascaded 20. Normal governance would have taken 3-5 days minimum. By then, damage would have been done. The Guardian's fast action prevented estimated $50+ million in potential bad debt.
Critics argue this centralizes control. The Guardian can unilaterally freeze markets, which contradicts decentralization principles. Supporters counter that protocols managing $10+ billion need emergency response capabilities that pure token holder governance can't provide.
The compromise: Guardian powers are limited (pause only, not parameter changes), time-constrained (pauses expire after a set period), and accountable (AAVE holders can replace Guardian members). This balances security needs with decentralization values.
Cross-Chain Governance Execution
Aave on Polygon is governed by AAVE holders on Ethereum. When a proposal passes on Ethereum, how does it execute on Polygon?
Aave uses multiple independent bridges and requires agreement between them, plus Guardian veto and extra delays, to reduce the risk that a single compromised bridge can push fake governance messages 21.
The technical complexity increases governance friction. Proposals affecting multiple chains require coordinating changes across different deployment environments with different security models. Yet Aave handles this at scale, proving multi-chain governance can work despite the challenges.
The stkAAVE Safety Module
Aave implemented a clever alignment mechanism called the Safety Module 22. AAVE holders can stake their tokens in the module, earning additional AAVE rewards. In exchange, their staked tokens become the first line of defense if the protocol suffers bad debt.
If Aave accumulates a shortfall from liquidation failures, the protocol auctions staked AAVE to cover the loss, up to 30% of the Safety Module. Stakers earn higher yields but accept slashing risk.
This creates skin in the game. Governance voters who stake their AAVE have direct financial exposure to governance decisions. Vote for risky collateral that causes bad debt? Your staked AAVE gets slashed. Vote for conservative risk parameters? Your stake stays safe but the protocol grows slower.
Roughly $400-500 million in AAVE has been staked in the Safety Module as of late 2024 23. This represents substantial funds that would be slashed in a major protocol failure. The mechanism aligns governance incentives with protocol safety better than pure token holding.
The V3 Upgrade: Governance Approving Complexity
Aave V3 launched in March 2022 after months of governance debate 24. The upgrade added:
Efficiency Mode (E-Mode): Allows higher leverage for correlated assets. Borrowing USDC against USDT collateral can reach 97% LTV instead of the normal 80%, since both are stablecoins with similar risk profiles.
Isolation Mode: Lets Aave list riskier assets without exposing the entire protocol. New tokens can be borrowable only against specific collateral types, limiting contagion if they fail.
Portal: Cross-chain asset bridging integrated into the protocol, allowing users to move collateral between Aave deployments on different chains.
These features involved thousands of lines of new smart contract code. AAVE holders couldn't audit this code themselves. They relied on external security firms (Trail of Bits, OpenZeppelin, Certora) to audit and verify 25.
The governance vote essentially asked: "Do you trust the auditors and core developers?" Most token holders lacked the technical knowledge to independently verify the upgrade was safe and worked as intended. This is the norm in DeFi governance—token holders vote on what auditors and core teams have vetted, not on code they fully understand themselves.
AAVE governance approved V3 based on:
- Multiple independent security audits
- Extensive testnet deployment and testing
- Community review period where technical members examined the code
- Progressive rollout starting on less-critical chains before Ethereum mainnet
Why this matters: Multi-chain governance works, but it requires trade-offs. Aave proves you can govern billions across 9+ blockchains, but only by accepting Guardian powers and expert review layers.
Comparing Governance Approaches
| Dimension | MakerDAO | Compound | Aave |
|---|---|---|---|
| Voting mechanism | MKR token voting with on-chain executive and governance polls; delegates increasingly important for day-to-day decisions | COMP token voting where holders and delegates propose and vote on protocol upgrades | AAVE token voting via Aave DAO, with proposals discussed on the forum then executed on-chain |
| Emergency system | Formal Emergency Shutdown Module (ESM) that can be triggered by MKR voters to halt and wind down the protocol in severe crises | No hard “shutdown” module; risk managed via conservative collateral listings, parameter changes, and pausing specific markets when needed | Safety and risk-focused design with the Safety Module and planned Umbrella module upgrades to manage systemic events across markets |
| Value capture mechanism | MKR is burned using protocol surplus, tying token value to DAI stability fees and other revenues; risk of dilution if capital is needed | COMP primarily captures value via governance rights and speculation rather than direct fee sharing or buybacks | AAVE staked in the Safety Module earns protocol fees and incentives while backstopping losses, creating a direct link between usage and token rewards |
| Chain coverage | Originates on Ethereum mainnet; DAI circulates widely across L2s and other chains through bridges and integrated deployments | Focused on Ethereum and a smaller set of supported networks, favoring simplicity over aggressive multichain expansion | Broad multichain footprint with Aave v3 and planned v4 hubs and spokes across major L1s and L2s |
| TVL (qualitative) | Among the largest DeFi protocols by total value locked, anchored by DAI collateral and RWA integrations | Mid-to-upper tier TVL, reflecting a more focused market set and conservative asset support | Consistently one of the top lending protocols by TVL across multiple chains |
| Governance philosophy | Emphasizes resilience and risk management, with formal processes and the ability to trigger emergency shutdown as a last resort | Leans toward minimalistic, parameter-focused governance that prioritizes security and protocol stability over rapid experimentation | More expansive and iterative, using governance to coordinate feature-rich upgrades and manage complex multichain risk infrastructure |
These three protocols reveal different governance philosophies:
MakerDAO optimized for adaptability. Continuous approval voting, Core Units, and the Endgame restructuring all serve the same goal: letting governance evolve as the protocol's needs change. This created the most complex governance system but also the most responsive to changing conditions.
Compound optimized for standardization. Governor Bravo established patterns that dozens of protocols copied. This reduced innovation in governance mechanisms but increased interoperability and security through shared infrastructure. Compound bet that a good-enough standard used widely beats a perfect system used nowhere else.
Aave optimized for security at scale. Guardian powers, Safety Module slashing, multi-chain governance, and conservative risk parameters all prioritize protecting $10+ billion in user deposits. Aave accepts centralization concerns to maintain fast emergency response and multi-layer security.
None of these approaches is objectively best. Each fits its protocol's specific requirements. A $8 billion stablecoin (MakerDAO) needs different governance than a lending market (Compound) than a multi-chain DeFi hub (Aave).
Common Patterns in Real Governance��
Despite different implementations, successful governance tokens share traits:
Professional Delegation: All three protocols have professional delegates who participate full-time. Retail holders delegate voting power to these informed participants. Pure direct democracy doesn't work at scale.
Emergency Powers: All three implemented ways to respond faster than normal governance allows. MakerDAO's GSM, Compound's emergency pause additions, and Aave's Guardian prove that pure decentralization is less important than avoiding catastrophic failure.
Graduated Complexity: Simple decisions (adjust interest rates) need lower quorum and less scrutiny than complex decisions (upgrade core contracts). Tiered voting thresholds reflect this reality.
Transparency and Tooling: Public votes, open forums, analytics dashboards, and delegate platforms create accountability. Governance works better when participants know they're being watched.
Iteration: None of these protocols launched with their current governance systems. They started simple, encountered problems, and adapted. Governance itself gets governed, changing over time based on what works.
What Governance Tokens Actually Achieved
These three protocols managed $20+ billion in combined TVL at peak through decentralized governance. Thousands of global participants, most pseudonymous, coordinated to make technical decisions about complex financial systems. These protocols still used off-chain entities (foundations, labs companies), but day-to-day parameter control shifted on-chain to token holders.
This is remarkable. Traditional finance requires boards, executives, regulators, and legal structures to manage equivalent amounts. DeFi did it with smart contracts and token-weighted voting.
But governance tokens didn't eliminate trust. They redistributed it from corporate entities to large token holders, professional delegates, and core development teams. The pseudonymous participants are still identifiable by wallet address. Reputation and track record matter. Coordination happens off-chain in forums and Discord before crystallizing in on-chain votes.
The experiment proved that decentralized governance can work at scale for protocols managing billions. It also showed the limitations. Pure direct democracy fails. Plutocracy emerges naturally from token-weighted systems. Technical complexity requires expert delegation. Emergency situations need fast response mechanisms that bypass normal voting.
Setting Up Governance Models
These three protocols demonstrated that governance tokens can coordinate real decision-making at significant scale. But they also showed that successful governance requires more than just distributing tokens and enabling votes.
Section 5.4 takes the messy stories from Maker, Compound, and Aave and turns them into template governance models new protocols can copy, modify, or explicitly reject. We'll explore how protocols structure decision-making, allocate authority between token holders and core teams, implement emergency response systems, and balance decentralization with operational effectiveness.
- MakerDAO's MKR holders voted for their own dilution in 2020, minting 20,580 tokens to fill a $5.3 million hole. Aligned incentives drive fast governance.
- COMP distribution grew Compound's TVL from $100 million to $650 million in weeks. It also proved that yield farming attracts liquidity without loyalty.
- Compound's Governor Bravo became governance infrastructure for 50+ protocols. Auditing one codebase covers all of them, making shared standards safer than custom-built alternatives.
- Aave's Guardian paused CRV borrowing within hours of Curve's 2023 exploit, blocking an estimated $50 million in bad debt before governance could even convene.
- Aave's Safety Module holds roughly $450 million that can be slashed to cover bad debt. Governance voters who stake pay for the risks they approve.