Event Horizon, posted by 0xFAD69Bd739c64cC8e3f1C3bb3B60fe4f160174C (hvax.eth)

[GITCOIN] [SECURITY] Emergency Governance: Temporary Transition to Multisig Execution

Voting ended 20 days ago. Status: Failed

TL;DR

Gitcoin governance currently lacks an execution-layer veto or circuit breaker to prevent bad actors from executing governance attacks (https://arxiv.org/pdf/2406.15071). This creates a credible risk where a single malicious proposal could execute irreversible treasury actions.

Action:

  • Gitcoin DAO has pre-emptively coordinated with the Gitcoin Foundation to bypass standard governance and move the funds to a new Treasury. While this issue is mitigated (and while Tally is being wound down), execution is being moved to a 4/5 multisig.
  • Governance will continue to signal intent, with execution performed by the multisig. No changes are being made to the DAO governance at this point, and the bypass of the current bylaws has been flagged as appropriate under the Foundation Constitution:
    • Article 2, Section 4 restricts the Foundation from allocating or distributing DAO treasury assets without a DAO Resolution. However, this is a protective custody transfer, not an allocation or distribution. The funds are not being spent or disbursed. Article 5, Section 7 uses the word "disbursements" specifically, which implies spending, not a custodial move for protection.
    • Article 2, Section 4(b) also permits the Foundation to act without a DAO Resolution to comply with legal or other core requirements. Tally's shutdown is an independent operational necessity that creates exactly that requirement.

This is a temporary emergency measure to protect treasury assets while governance is hardened.

Why This Is Being Done Without a Vote

Under Gitcoin’s Foundation bylaws and steward responsibilities, action can be taken without governance in the presence of material and time-sensitive risk to treasury assets.

Given the current design:

  • No execution veto
  • No circuit breaker
  • Irreversible outcomes

Delaying mitigation in order to pass a governance proposal would itself introduce avoidable risk: by publicly announcing these risks and our plan, we would be relying on the very mechanism we are looking to thwart, giving would-be attackers the option to carry out an attack ahead of our own execution, since the timelock itself has no veto power to nullify a proposal.

The Risk

Current system:

  • Token-weighted voting (GTC)
  • Timelock execution
  • No veto or execution guardrails

This creates an asymmetry:

  • An attacker needs one successful proposal
  • Defense requires continuous monitoring and timely response

If quorum can be reached at a lower cost than the value of assets controlled, governance becomes economically attackable.

Immediate Action (Phase 1)

Execution Layer Change:

  • Transfer liquid treasury assets from Governor → Safe multisig
  • Governance proposals remain active but function as:
    • Signaling
    • Instruction to multisig

Multisig:

  • Modeled on Gitcoin’s existing matching pool custody
  • Signers: trusted, distributed participants

What This Enables

  • Execution-level veto capability
  • Human verification before irreversible actions
  • Protection against:
    • Low participation governance attacks
    • Rapid accumulation of voting power
    • Delegate or key compromise

Tradeoffs

  • Introduces a temporary trusted execution layer
  • Reduces pure automatic onchain execution in the short term

This tradeoff is intentional: protecting assets takes precedence over automation under current conditions.

What Happens Next (Phase 2)

This is not the final state.

We will move toward a hardened governance system, including:

  • Timelock improvements (reaction windows)
  • Execution guardrails / circuit breakers
  • Scoped treasury permissions
  • Rate limits and spending controls
  • Optionally, delegate the GTC held in the treasury to trusted community members, using something like Franchiser (https://github.com/uniswapfoundation/franchiser) or a direct delegation
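As an added illustration (not Gitcoin's or any other project's code), the sketch below shows what the execution guardrails listed above look like in a single contract: a timelock whose guardian (the multisig) holds veto-only power, a reaction window before execution, and a rolling cap on executed value. `GuardedTimelock` and its `governor`, `guardian`, `delay`, `window` and `cap` parameters are assumed names, not anything from the proposal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustration only (not Gitcoin's contracts): a timelock whose guardian can
// cancel but never execute, with a reaction window and a rolling spending cap.
contract GuardedTimelock {
    struct Op { address target; uint256 value; bytes data; uint256 eta; bool vetoed; }

    address public immutable governor; // only proposer: the Governor contract
    address public immutable guardian; // veto-only role, e.g. the 4/5 multisig
    uint256 public immutable delay;    // reaction window before execution
    uint256 public immutable window;   // length of each spending period
    uint256 public immutable cap;      // max native value executable per period
    mapping(bytes32 => Op) public ops;
    uint256 public periodStart;
    uint256 public spentInPeriod;

    constructor(address _governor, address _guardian, uint256 _delay, uint256 _window, uint256 _cap) {
        governor = _governor; guardian = _guardian;
        delay = _delay; window = _window; cap = _cap;
    }

    receive() external payable {}
    function queue(address target, uint256 value, bytes calldata data, bytes32 salt) external returns (bytes32 id) {
        require(msg.sender == governor, "not governor");
        id = keccak256(abi.encode(target, value, data, salt));
        require(ops[id].eta == 0, "already queued");
        ops[id] = Op(target, value, data, block.timestamp + delay, false);
    }

    // Circuit breaker: the guardian can only stop an operation, not redirect or execute it.
    function veto(bytes32 id) external {
        require(msg.sender == guardian, "not guardian");
        require(ops[id].eta != 0, "unknown op");
        ops[id].vetoed = true;
    }

    function execute(bytes32 id) external {
        Op memory op = ops[id];
        require(op.eta != 0 && !op.vetoed, "not executable");
        require(block.timestamp >= op.eta, "reaction window still open");
        // Rate limit on native value only; ERC-20 transfers inside `data` would need decoding.
        if (block.timestamp >= periodStart + window) { periodStart = block.timestamp; spentInPeriod = 0; }
        require(spentInPeriod + op.value <= cap, "spending cap exceeded");
        spentInPeriod += op.value;
        delete ops[id]; // clear state before the external call (checks-effects-interactions)
        (bool ok, ) = op.target.call{value: op.value}(op.data);
        require(ok, "call failed");
    }
}
```

The guardian role here is the on-chain analogue of the Phase 1 multisig's veto: it can halt a queued action during the reaction window but cannot originate or alter one.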

Path Back to Decentralization

  • Short term: Multisig protection
  • Medium term: Hybrid governance + guardrails + constitutional updates
  • Long term: Return to fully onchain execution once safe.

The multisig will:

  • Transition to an emergency backstop
  • Or be removed entirely

Closing

This action is being taken to mitigate a known governance risk and protect the Gitcoin treasury. Temporary trust is preferable to irreversible loss.

Further updates and a formal governance hardening plan will follow.

https://tally.xyz/gov/gitcoin/proposal/57072833898817791797073691509906632211867496916826813977377920660331579547554

Off-Chain Vote

For: 0 HVAXVC (0%)
Against: 0 HVAXVC (0%)
Abstain: 0 HVAXVC (0%)

Timeline

Apr 09, 2026: Proposal created
Apr 11, 2026: Proposal vote started
Apr 16, 2026: Proposal vote ended
May 05, 2026: Proposal updated