DAOs provide transparent and efficient coordination for byzantine parties online but are improper vehicles for private dealmaking as their treasury, proposals, and votes are public by default. This post offers a solution to this, using an encrypted uniform-price auction to form an AcquisitionDAO. These DAOs can be used to purchase traditional assets like real estate, securities, physical collectibles or for on-chain assets such as fractional NFTs, token launches, or other DAOs.
Regulatory uncertainty for DAOs has prompted various legal structures to encode member ownership and voting rights. Some organizations like FlamingoDAO, a product of Tribute Labs, limit their membership to 100 KYC-ed and accredited investors to support the legal ownership and control of the assets by its members. Instead of restricting its membership, the ConstitutionDAO founders chose to create an LLC to bid in the Sotheby’s auction for a copy of the US Constitution but the DAO members were actually donors without real ownership. They ended up failing to purchase it, but had they won, the tokens would have become non-binding votes governing the collectible. That lack of legal ownership did not dissuade speculators though as one year later the $PEOPLE token trades with a 22X premium over the value of the underlying ether for which the tokens can be redeemed.
The failure of the ConstitutionDAO illustrates the main issues when forming a traditional DAO for acquisitions: 1) transparency is a bad strategy and 2) donors were unable to attach a valuation contingency to their contribution. The visibility of blockchains is often a selling point for DAOs, but since the amount of Ether they raised was public, any prospective bidder could view this and plan a higher bid, which is likely what happened. Also, the early contributors had no option out if the total amount raised began to far exceed their original estimate for the item.
An AcquisitionDAO addresses both of these problem and works similarly to how the US Treasury auctions its T Bills. A set of known operators is needed to create one. They work together to generate the encryption and decryption keys for the prospective members. The prospective members commit to an encrypted contribution amount and maximum clearing price for the purchase. After submissions, if needed, one or more operators can decrypt the submissions locally, and use the result to act as executor for the DAO in negotiations or auction house bidding. To close and settle the AcquisitionDAO, the operators generate and publish the decryption key to reveal all contributions. Anyone can then “solve” the result by sorting submissions by max clearing price, summing the contributions until the raised amount exceeds the max price. After that, a short challenge & response period will follow before releasing the funds.
For ETHSF 2022, my team built and submitted a proof of concept implementation of this. You can watch our demo here.
Continue reading for a more detailed explanation on how this works.
AcquisitionDAOs
The formation of an AcquisitionDAO involves 3 actors and 4 phases:
Actors
- Operator: One or more individuals that manage an elliptic curve key pair to finalize the purchase
- Submitter: Prospective member of the DAO. Each sets a maximum clearing price of the asset and the amount they want to contribute towards a purchase
- Solver: One or more entities that can publish the auction results on-chain, or dispute an incorrect result
Phases
1. Setup
We’ll need a group key pair for encryption and decryption of submission data. For this, a set of operator addresses is required to create an AcquisitionDAO. Each account will then generate a local elliptic curve key pair and share its public key on-chain. When all keys are published, the bidding can begin.
2. Submission
A submitter chooses a contribution, a maxPrice, and an amount of tokens (ERC20 or ETH) to send with the transaction. The tokens they send must exceed their contribution or the submission will be invalid upon decryption. Submitters should want to send more payment than their contribution as this obscures the final clearing price of the DAO. The maxPrice establishes a threshold clearing price above which their submission becomes invalid. To encrypt the contribution and maxPrice, the submitter creates an elliptic curve keypair and using ECDH, generates a symmetric key from the group public key and their local private key. The submitter encrypts their transaction parameters with the symmetric key and must include their plaintext public key in the transaction as well. After submission, they are free to discard their keys if desired.
3. Decryption
When submissions are complete, the operators post their private keys on-chain to generate the group private key. Once all keys are revealed, anyone can decrypt the values since each submitter’s public key and the group private key can generate the original symmetric key for each submission.
In some cases, the operators may need a “view period” to learn the maximum price before revealing it publicly. This would have been needed in the ConstitutionDAO example, where the operators had to know their highest bid during the Sotheby’s auction while also keeping it secret. For this, instead of the operators submitting their keys on-chain, they reveal them privately among themselves enabling a local decryption of the submissions. Then if the DAO’s highest bid does win, the operators can publish the keys and access funds for the winning amount.
4. Settlement
After the on-chain reveal of the operators’ keys, anyone can be a solver and post the result for the auction, which includes a final clearing price and the amount by which it was over-subscribed. Oversubscription occurs if more contributions were recorded than the maximum clearing price. For example, two highest submitters offer to contribute 900 with 1000 as their max clearing price. In this case, they will each contribute 500 and the remaining 400 (plus whatever they originally sent) is returned to them. The AcquisitionDAO result can be computed deterministically, enabling on-chain verification when a challenge is needed.
Trust Assumptions
For n of n key generation, only 1 of the operators must be honest to prevent early decryption. And in cases where 1 or more operators lose a key or go offline, an auction can be canceled, returning funds back to bidders. t of n key generation is possible here too, but outside the scope of this post.
Related Projects
A16Z Sealed Bid Auction Design
Taxonomy of on-chain auction designs. Also covers a reference implementation for an Overcollateralized Sealed Bid Auction where bidders reveal their bids post-auction.
One of the winning submissions for ETHSF 22. Utilizes a VDF to produce a decryption key at a future time with a delay function. This approach is fully decentralized while allowing instant reveal of all bids upon auction completion. This improves the bidder UX of the Overcollateralized Sealed Bid Auction, but lacking any executor capability or “view period” is not suitable for TradFi applications.
Protocol for trading ERC20 tokens in batch auctions without the MEV risk of an AMM. CoW Swap also relies on a solver to find the maximum clearing price for a batch of trades. For this, the bids do not require privacy as it is intended for more liquid assets.
Variation of Overcollateralized Sealed Bid Auction to obscure bid amount among ordinary EOA transfers using CREATE2 contracts. This concept could be applied to a DAO Dutch Auction and improve bid privacy without requiring overcollateralization, but as bidders still need to commit their bids to the contract, extra care would be needed to separate their CREATE2 account interactions from the bid commitment transaction.
Protocol for
t of ndistributed elliptic curve key generation.
Thanks to Tyler Mulvihill for the feedback and review of this post