[Temp Check] Rate limiting the Endowment to safely secure it

TLDR:

Make a technical lock on the Endowment preventing more than 5% of its current capital from being withdrawn each year. This increases the security of the protocol and safeguards it from hacker attacks or institutional capture and limits the damage that can be done by mismanagement.

Summary

This temp check proposes three linked changes to how the ENS DAO holds and spends its treasury:

  1. A hardcoded annual spending cap on the Endowment. No more than a fixed amount may leave the Endowment per year — proposed at 5% of the current endowment, adjusted upwards 5% per year. These limits would be timelocked so while the DAO could remove the caps, doing so would require a months-long cooldown.

  2. Consolidating all currently DAO-held ETH and liquid ENS tokens into the Endowment Safe, behind the same audited permission perimeter that already governs the rest of the Endowment, under a role that does not permit them to be sold or withdrawn (except for any required for currently approved budget).

  3. Plan for a more risk averse 2027 Endowment mandate that targets a conservative 5% yearly to reach a self sustainable level.

The goal is to solve two problems with one mechanism: drastically shrink the treasury’s attack surface, and give the DAO a disciplined, predictable fiscal policy. Crucially, the design is intent-free — it bounds how much value can leave per year regardless of who is trying to move it or why, which is exactly the property our current defenses lack. This proposal is intentionally focused on treasury security rather than governance reform. It should be understood as one constitutional safeguard within a broader governance architecture, not as a complete solution to governance capture. It is meant to protect the treasury from either malevolent attacks or just plain bad fund management.

This is deliberately a simple, boring mechanism. The simplicity is the security.


Background: the problem

The DAO’s assets sit in three places today:

  • The Endowment: ETH, stablecoins and liquid-staking positions, actively managed by karpatkey through a Zodiac Roles perimeter on a DAO-owned Safe.

  • The DAO timelock and registrar controllers: the operating float in ETH and stables.

  • 55M ENS tokens — the DAO’s own governance tokens, with 9.8M currently held in the wallet.ensdao.eth and another 45M already fully unlockable in the time lock contract.

We face two distinct problems that, it turns out, have the same fix.

Problem 1 — Security

ENS is a token-weighted DAO whose treasury is worth far more than the cost of acquiring a working voting majority. That asymmetry is the root governance-attack risk, and it has been understood since at least 2023.

The Security Council is one layer of defense, but it might be more fragile than previously thought. Currently it is near its end of life and there are two competing proposals to renew it, differing mostly in how each defines what is considered an attack. This proposal sidesteps this by making the simplest mode of a DAO attack, a proposal that requests the treasury, 95% less profitable.

Problem 2 — Fiscal discipline

Separately, and less dramatically: the DAO has no structural ceiling on its own spending. Draws happen proposal by proposal. An endowment exists to preserve a corpus and spend only a sustainable slice of it — that is the entire point of the institution — and right now nothing enforces that discipline at the contract level. This year there has been a dramatic change in the structure of working groups and there’s an active discussion on how to better structure the foundation moving forward. This proposal ensures that, no matter how the issue is resolved, the Endowment cannot be drained by a failure in governance.


The security case

A spending cap defends the treasury in precisely the case the Security Council cannot: it does not care who the attacker is, how they acquired their votes, or what they intend. It simply bounds the amount of value that can leave per year.

  • A hard cap per year means that even a successful, undetectable, majority-controlled drain extracts at most one year’s budget line — on the order of a 95% reduction in the single-year profitability of an attack on the liquid treasury.

  • It makes the “remove the Council, then drain” sequence pointless. The cap binds regardless of who holds which roles, so capturing the cancel mechanism buys an attacker nothing.

  • It converts the hardest, most dangerous attack (a quiet, hedged, attribution-proof accumulation) from “drain the treasury” into “extract one capped year and wait a year for the next” — under a one-year cooldown that is fully public and gives the community, and the price, a long window to respond.

  • Under the proposal, the most an attacker could extract in a year (~$6M) is comparable to the value of ENS that is being actively used for voting in proposals.

Consolidating ENS into the Endowment closes the biggest remaining hole. Today the governance-token position is our least-protected asset. Moved into the Endowment Safe, it sits behind the same battle-tested Zodiac perimeter as everything else and simply cannot be swept by a hostile proposal. This is the more important half of the proposal, and the one I expect the most discussion on.


The fiscal case

The same mechanism is also just good treasury policy.

  • 5% of the current Endowment is ~$6M which is roughly our current annual operating envelope. Setting the cap there forces us to budget to a sustainable number rather than treating the corpus as spendable.

  • A 5%/year escalator approximates long-run inflation plus modest real growth, giving working groups, service providers and the Foundation a predictable multi-year planning figure.

  • Re-votable every five years so the policy adapts to genuine changes in scale or cost — but on a deliberately slow cadence, not a casual one.

How the cap is calculated

The cap will be set by looking at 5% of the endowment at the time of the proposal execution (which would be about 6 million dollars at the current state) and hard coding that as the cap, which is then increased slowly by 5% yearly.

Initially this proposal explored the idea of having the cap float to always be 5% of the total value of the Endowment at any point, so that reasonable conservative investments could offset them. A live percentage of total value has two main drawbacks:

  1. It requires an on-chain valuation of an actively-managed, multi-protocol portfolio — which means either a manually-entered number (a trust hole) or a complex valuation oracle (an audit and manipulation surface).

  2. A percentage cap floats up in a bull market — i.e. it gets looser at exactly the moment an attacker’s buy-and-drain is cheapest to execute. That is precisely backwards.

A hardcoded, time-indexed schedule — cap = 6M × 1.05^(years elapsed) — needs no oracle, cannot be inflated by a price pump, is trivial to compute, and is dramatically cheaper to audit. It is strictly more conservative in the scenario that matters and it’s both similar to 5% of the current Endowment and our current operation budget.


Mechanism (high level)

The intent is to reuse existing, audited primitives rather than deploy new custom contracts:

  • Implemented via Zodiac modules on the existing Endowment Safe — the same stack KPK already operates, which already includes an Allowance Module with periodic resets.

  • A cap module enforces the escalating annual schedule on value leaving the Endowment, based on current market value of the outgoing asset.

  • The module limits the types of tokens that can be withdrawn to a few select USD Stables (which count to the cap) or ENS (which also have their own separate 5% cap)

  • It means the DAO pays budgets in USD stables only*, and it’s up to the endowment manager to make sure there are enough to be swapped

  • A Delay Modifier enforces the one-year cooldown on any over-cap action — and, critically, gates its own removal and reconfiguration, so the self-binding is real and there is no fast path around the delay.

  • In-perimeter activity is unaffected. Swaps, deposits, rebalancing and yield strategies that keep value inside the fund do not count against the cap; only value exiting the Endowment does.

  • The cap would be proportional to the last time it was executed, so the limit could be applied either yearly, quarterly or monthly, depending on the DAO needs.

* Alternatively, the cap could be based on market value of any token at the moment of transfer but this adds the requirement of having on chain oracles again, which adds a target for attack.

Relying on Zodiac is a feature, not a compromise: it is in production on this exact Safe, has live bug bounties, and is far simpler to review than a bespoke treasury vault.

This is only the amount that can be withdrawn from the endowment, if it’s insufficient for running the operations, it can be complemented using ENS revenue (although we recommend always focusing on depositing part of it back to the endowment), sponsorships, conferences – or cost cutting to reach the target.

Endowment mandate 2027

Recently the DAO approved Karpatkey’s latest “2026 Endowment Policy update”, a long detailed document that might have been overlooked by some delegates under other debates. The approved policy update states that the vision for the endowment is divided in:

Medium-term (0–5 years): capital growth and optimised deployment toward institutional-grade onchain strategies that enhance yield without compromising capital preservation, liquidity, or ENS’s values.

Long-term (5+ years): capital preservation as the dominant objective, with risk appetite shifting downward as the Endowment matures toward self-sustainability.

The endowment was conceived in 2022, meaning the 5 year window is getting closer. Currently the Endowment is “medium to low” in risk tolerance and has a 60:40 ETH and stables split. The high ETH share is a reflection of the DAO’s own governance, made up of many members who are highly risk tolerant and look positively on ETH as an asset (present author included), but this is not a reasonable split for a conservative low risk appetite focused on capital preservation and growth.

This proposal limiting withdrawals, combined with a discussion to make the 2027 policy a low risk endowment with the target of at least a 5% yearly return (a normal yield in most index markets), could ensure that the Endowment, and therefore the DAO would survive any future upheaval in governance and make sure that a decent budget for ENS development would be available for an indeterminate amount of time.


Relationship to other ongoing work

  • This is orthogonal to the Foundation or Security Council debate. Whatever entity ends up operating the treasury, a rate limit protects it. This proposal takes no side on that question — it is a guardrail that makes any operating structure safer, so the other debates can be easier.

1 Like
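The cap schedule and cap-module behaviour described in the proposal above, modelled as an added example (not part of the original post, and not Zodiac or ENS code). `CapModule`, the `USDC`/`DAI` allowlist, the pro-rata reading of "proportional to the last time it was executed" and the 120M NAV are assumptions made for illustration; the separate ENS cap is left out.

```python
from dataclasses import dataclass, field

YEAR = 365 * 24 * 3600      # seconds
BASE_CAP_USD = 6_000_000    # first-year cap figure quoted in the proposal
ESCALATOR = 1.05            # cap grows 5% per elapsed year
DELAY = YEAR                # cooldown applied to any over-cap action
ALLOWED = {"USDC", "DAI"}   # assumed allowlist of USD stables (hypothetical)


def annual_cap(start: int, now: int) -> float:
    """Hardcoded schedule: cap = 6M * 1.05^(whole years elapsed). No oracle input."""
    return BASE_CAP_USD * ESCALATOR ** ((now - start) // YEAR)


def floating_cap(nav_usd: float, pct: float = 0.05) -> float:
    """The alternative the proposal rejects: a live percentage of NAV."""
    return nav_usd * pct


@dataclass
class CapModule:
    """Toy model of the proposed cap; not Zodiac code."""
    start: int                       # timestamp the schedule begins
    last_exec: int                   # timestamp of the last in-cap withdrawal
    queued: list = field(default_factory=list)

    def available(self, now: int) -> float:
        # Assumed reading of "proportional to the last time it was executed":
        # allowance accrues pro rata since last_exec, never more than one year's cap.
        elapsed = min(now - self.last_exec, YEAR)
        return annual_cap(self.start, now) * elapsed / YEAR

    def withdraw(self, token: str, usd_amount: float, now: int) -> str:
        if token not in ALLOWED:
            return "rejected"                    # only allowlisted stables may exit
        if usd_amount <= self.available(now):
            self.last_exec = now                 # allowance restarts from zero
            return "executed"
        # Over-cap: nothing moves now; the action waits out the public delay.
        self.queued.append((token, usd_amount, now + DELAY))
        return "queued"

    def ready(self, now: int) -> list:
        """Queued over-cap actions whose delay has fully elapsed."""
        return [q for q in self.queued if q[2] <= now]


def one_year_exposure(nav_usd: float, pump: float) -> dict:
    """Max single-year outflow under each design if NAV is inflated by `pump`."""
    return {"fixed": annual_cap(0, 0), "floating": floating_cap(nav_usd * pump)}


if __name__ == "__main__":
    m = CapModule(start=0, last_exec=0)
    q = YEAR // 4
    print(m.withdraw("USDC", 1_500_000, q))      # a quarter's accrual
    print(m.withdraw("USDC", 80_000_000, q))     # over-cap request is delayed
    print(m.withdraw("WETH", 1, q))              # non-allowlisted asset
    print(one_year_exposure(120_000_000, 2.0))   # constructed NAV, 2x pump
```

In this model a small withdrawal resets the accrued allowance to zero, which is the literal reading of the post; a token-bucket variant that carries the unused remainder forward would be a different design choice.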

Thank you for writing this up, Alex! I’m not opposed to this in principle and actually myself have thought about whether or not parameter-based safeguards on treasury outflows make sense as long-term design. So I’ve gone down this route of thinking as well, but the biggest issue here is that it locks us into a rigid return profile which cannot sustain the burn.

Basically, because anything leaving the Safe perimeter counts as a withdrawal, this design locks the entire endowment into onchain-only management. The endowment could never allocate more than ~$6M/yr outside whitelisted onchain strategies, with a one-year delay above that. That would completely preclude traditional fixed income managers, direct treasury holdings, and custodial accounts. Tokenized RWAs are technically possible, but only through whatever the roles perimeter whitelists.

To explain my rationale further- if we are assuming that the 2027 mandate targets a conservative 5% yearly return, we need to be realistic with the return rates. So far, the endowment’s actual annualized return since inception is roughly 2.6 to 3.1% (net of fees) per kpk’s own reporting, over a period when 3-month T-bills paid 4.5 to 5.4%. If we’re spending 5% a year (escalating) while earning 2 to 3%, we’re not living off returns, we’re just drawing down the endowment itself. The realistic path to a conservative 5% runs through diversification into traditional fixed income and RWAs, which would be impossible under this design, since we’d be hardcoding a 5% spending schedule while capping our ability to earn it.

If the underlying worry is assets moving somewhere they can be taken, there are plenty of solutions and institutional products for treasury sizes even larger than ours: qualified custodians, MPC arrangements, segregated accounts with binding mandate restrictions, and independent reporting can all be options to prevent unauthorized movement while preserving allocation flexibility. In other words, security and onchain exclusivity are separable questions.

One other thing to perhaps keep in mind (semi-related, but maybe can address an underlying worry): Foundation directors will carry fiduciary duties under Cayman law, meaning there is literally a binding legal obligation for careful, institutional-level prudent management, which generally includes diversification as well. I do think caps and fiduciary accountability can complement each other well, but the design should be built with both layers in mind.

So TLDR is that I completely understand where you’re coming from, but if our goal is to maintain a healthy and evergreen treasury by keeping spend below yield, we should not cap our own ability to earn (even at a ‘conservative’ 5% target!). We could, however, explore parts of this- ie portion stays onchain for transparency, while a separate sleeve is allowed to diversify into conservative fixed income under qualified custody, with binding mandate restrictions and independent third-party reporting.

1 Like

It’s late and haven’t given a full read, but 5% of the endowment is not $6M. It’s closer to ~$3.5M.

Note that the ~$9.4M in weETH on vaults.fyi is not indexing properly, but it is productive and earning close to 2.65%.

1 Like

@katherine.eth thanks for the thoughtful response

I think there are two questions behind this:

  1. can we expect a conservative 5% yield on or off chain anywhere?

and

  2. can we do it while onchain?

On (1): maybe not at today’s rates — a lot of traditional fixed income pays 3–4% right now, and you’re right that a stables-only book can’t sustain 5% forever. No fixed-income portfolio anywhere can. But that’s not how endowments reach 5%: they get there over years through boring diversification into equities — even plain S&P 500 exposure. Harvard, Yale, and pension funds sustain ~5% payouts across decades that way — big equity allocation, spent at a percentage of NAV, smoothed over time. If even that’s unrealistic for us, I’d rather set a more moderate target (3.5%) and close the gap with registration revenue, sponsorships, and cost discipline. Either way it’s arithmetic: long term, spend less than you earn. I’m only proposing we put that in the code.

And on how we got here: ~$130M six months ago, under $88M now. That’s not runaway spending — it’s a governance choice we all made to hold most of the treasury in ETH. I include myself fully. I’m a tech optimist and ETH bull; I’ve spent ten years with more in crypto than any prudent manager would allow. It worked for me and for the DAO for a while. Long term, though, we need to stop being ETH bulls and start being boring fund managers. That’s the whole spirit of this.

On (2): reasonably yes. Tokenized T-bills (BlackRock, Franklin Templeton, Ondo) hold billions. Tokenized credit from Apollo and Centrifuge is live — New York Life’s $807B arm launched its first tokenized fund June 30th. Plus tokenized equities, synthetic indexes, and boring USD Aave markets.

Sure, some of these might carry the same risks (and security backings) as putting it into a Foundation backed by “fiduciary duty”, but because those are third party risks and because the funds are transparent, it has much better optics.

I want to engage your closing suggestion seriously, because I think it’s the crux. You’re proposing a portion stays onchain for transparency while a separate sleeve diversifies into conservative fixed income under qualified custody. I’m fully with you on the diversification — but I’d separate the what from the where. We can get conservative fixed income, T-bills, and credit exposure through tokenized RWAs that stay inside the transparent perimeter and inside the rate limit. What I’d resist is the custodied-sleeve part specifically: moving a chunk of the endowment out into an off-chain structure. That’s a different decision from diversifying, and it’s the exact move the rate limit exists to make slow and deliberate.

The chain’s clearest fit is money and transparent settlement. If a traditional nonprofit is really the safest home for our assets, someone eventually asks why it isn’t also the safest home for the namespace. Keeping assets onchain, secured and rate-limited, is us practicing what the protocol enables.

I was using the anticapture.com dashboard, which puts the total DAO at 130M, but I guess they were including ENS tokens etc. Stakehouse’s own dashboards state the Endowment as 86M; you’re correct.

1 Like

I’ve been thinking a lot about your proposal for executable limitations on treasury withdrawals. I think encoding a limit of some kind is fundamentally a good idea, but there’s a few reasons I don’t think a purely technical solution works right now:

  • Every Safe has an owner or owners. As far as I can ascertain, only the owner(s) can change Zodiac Roles Modifier roles, and so the owner has to be either the DAO or the Foundation. The owner can also execute any transaction independent of the roles modifier, so that means that party would not be bound by the modifier. There are ways to alleviate this such as Safe Guards, but that means introducing new code that would have to be written and audited first, and the more novel code, the higher the risk we mess up and lock all of ENS into a broken treasury management system.
  • If we remove the ability to change Roles Modifiers, we’re locked into our current fund manager and set of rules. If we leave it in place, a malicious actor who gains control could simply change the rules to allow outsized withdrawals.
  • A sensible strategy would limit withdrawals based on a percentage of current NAV - when the fund is doing well, you can afford to make bigger withdrawals, and when it’s doing poorly, you should be more restrictive. Likewise, it should account for deposits into the fund as well as withdrawals out. All of this needs to apply across multiple asset types. As you observe, this is very difficult to encode onchain.

However, I have an alternative suggestion that I think achieves most of the same goals with more flexibility and reduced risk:

  1. Pass a constitutional amendment requiring good fiscal management of the endowment. This would specify bounds such as a maximum % of NAV that can be withdrawn each year, how the percentage rolls over, etc. It would need to be carefully structured so that a single down year doesn’t result in the allowable amount going below fixed budgets and requiring massive layoffs, only to rehire everyone the following year.
  2. Add a timelock to the Safe that contains the endowment. There are a number of ways to do this, the simplest being using the same timelock contract the DAO currently uses.
  3. Add the foundation and the Security Council as proposers on the timelock. The security council contract only permits cancellations, giving it veto power over the timelock.
  4. (Optionally) Deposit the ENS tokens into the timelock also
  5. (Optionally) Set Zodiac roles modifiers that allow the Foundation to withdraw up to a certain quantity of funds for everyday operation without the timelock requirement

A constitutional amendment setting bounds on the allowable treasury spend gives the security council the mandate to act to cancel transactions that violate it, and the timelock gives them the technical means to do so. The combination means that the security council can act as a check against both rampant spending and a compromised multisig.

Thoughts?

3 Likes

thanks Nick. I really like your proposal. To clarify a few things:

The reasoning for a long delay is to prevent quick attacks. But in this context, you’ve convinced me that there’s not much of a difference between one year and one month. It just needs to be long enough to give all delegates time to react and try to cancel it, and I do think our delegates and security council have proven to have a good response time. So if I understand correctly:

  1. The Endowment Safe would change ownership to a timelock, which could be as little as 1 month

  2. The DAO would be a proposer and the Security Council would have veto power over it.

  3. Any policy change would take 1 month to take effect, including changing caps, new investment rules, new zodiac roles modifier. This seems like a good balance between not so sluggish it’s locked but a decent response time.

  4. We could add zodiac role modifier that would allow the DAO to make immediate withdrawals and skip the wait, if it met a few conditions – and that’s where the cap would live.*

  5. To strengthen the policy, we could add a constitutional amendment for fiscal responsibility. That would be a totally separate discussion. We can also separate the discussion of the new Endowment policy mandate, but understand they are all bits of the same long term strategy.

  6. The cap itself. When we add it, it could be based on a rolling percentage of NAV, but that has a lot of oracle complexities. I would suggest a simpler logic: allow only ENS and USDC withdrawals from the Endowment to the DAO. For USDC I would simply take 5% of whatever is the NAV at the time of the final vote. We could readjust that every year. For ENS I would just set some limit like 10M per year or 5% of the currently held supply or something like that.

If this is how I understood, then I think it’s a good evolution of the current proposal and I support it. We have 3 separate discussions: the technical implementation, the fiscal policy amendment and the new endowment mandate. With these 3 in place, we could reduce the failure risks from an inactive security council or a mismanaged new ENS foundation.

1 Like

Yes, though I question the need for even a month: Security Council members have 9 days at most to prepare to cancel a malicious DAO proposal. We should be expecting <48h turnaround time from the security council to cancel a proposal.

I’m suggesting that the Foundation would be the proposer, with the Security Council having the cancel role.

I don’t think this is a separate discussion. The amendment provides the security council with a mandate to cancel transactions that violate it - it’s the social version of the spending cap. Without the amendment, the council could not act on anything that’s not outright malicious.

The fortunate thing about putting this in the constitution and having the SC enforce it is that we don’t have to figure out how to encode all of this onchain. Karpatkey (or any other fund manager we appoint) already tracks NAV, revenue, and expenses, so determining if this is violated is fairly routine.

You keep saying the DAO - but I want to make clear that this is all under the assumption that it is part of the Foundation proposal Katherine posted, which would see the Foundation taking over the bulk of day-to-day financial operations.

we don’t have to figure out how to encode on chain

Well, there are two sides to this idea and only one of them is about limiting what a foundation could legally do; the other is limiting what an attacker could technically do, as a redundant limit beyond the security council.

the foundation proposal Katherine posted

I see this as a compromise in which we have the stronger foundation she proposed, but the endowment is kept on chain and the foundation has to still ask the DAO to approve a budget annually (or whenever it wants to withdraw). This would