Introduction
Smart contracts can eliminate the trust element from fund management, yet too many DAOs still rely on promises. At OpenZeppelin we have seen several different ways of handling Compound DAO funds received from proposals. The wide range of operational requirements for allocated funds occasionally creates difficulties in balancing the interests of the DAO with the ability of a proposer to use the allocated funds in an effective manner. The beauty of the EVM, however, is that smart contracts allow great flexibility in creating trust-minimized setups.
The Accountability Gap
Once funds are transferred to a recipient, they gain complete operational flexibility to adapt to changing circumstances. While this agility can be valuable, it creates an accountability gap: funds can drift from their intended purpose through incremental decisions, changes accumulate without oversight, and even well-intentioned pivots lack transparency to the DAO. Without defined boundaries, there’s no mechanism to distinguish between necessary adaptations and mission drift.
The amount of trust required is influenced by multiple factors: the transfer method used (lump sum, streamed, or any configuration in-between), the custody of the funds (EOA, Safe, or a custom contract), and the risk management controls available (does the DAO have recourse if funds aren’t used as directed?). The risk profile created by the combination of these three factors indicates how much trust must be placed in the recipient. These factors determine the level of operational structure needed. Therefore, proposers should design appropriate mechanisms that balance operational flexibility with accountability for DAO funds.
Building on Proven Infrastructure
These challenges have solutions that don’t require reinventing the wheel. In practice, given the wide range of operational activities which may be performed by third-parties on behalf of the DAO, the concern may be that implementing a well-considered design would preclude timely execution of tasks by vendors. The DAO’s operation on the EVM provides an opportunity: DeFi’s composability enables solutions that are both trust-minimized and maintain operational efficiency. This approach leverages Safe’s widespread integration with web3 applications, allowing teams to maintain their familiar workflows and authentication methods without needing to transfer funds to EOAs or adopt new interfaces. As an example of how this can be achieved, we would like to highlight the approach proposed by Avantgarde during the first half of 2025.
The Technical Solution
The approach uses a two-Safe design: an Avatar Safe, and a Manager Safe. The Avatar Safe is set up with the Zodiac Roles modifier module. The Manager Safe, enabled by the Zodiac Roles Modifier, is granted the ability to perform transactions on behalf of the Avatar Safe. From the module’s documentation:
With Roles, on-chain entities can extend secure transaction permissions to any address through customizable roles, allowing any account to act on its behalf. The smart contract module attaches to any avatar (a Safe or other web3 account), enabling on-chain entities of all sizes to tailor roles and permissions to their needs, ensuring robust, secure, and seamless web3 transactions.
Specifically, the Zodiac Roles modifier allows the Avatar Safe to be configured such that certain transactions can be executed by designated accounts without the Avatar Safe signers’ assistance. The access control configurations can range from allowing interaction with an entire specified contract down to restricting the input parameters that can be provided to a single function within that contract. In practice, this means that once a proposal has passed that transfers DAO funds to such an Avatar Safe account, then the proposer (via their Manager Safe) will have the ability to act without constraint within the bounds that have been enacted in the proposal (and which are defined within the Avatar Safe’s Roles Modifier setup).
Defining the configuration requires deliberate planning of how funds will be used. Proposers must understand the specific on-chain transactions needed (target contracts, function calls, and parameters) to configure them in the Zodiac Roles Modifier. This upfront planning increases transparency by making permissible actions explicit and auditable. It also minimizes trust by limiting authority to pre-approved operations. While this requires initial effort, it enables managers to execute quickly within secure boundaries without requiring new DAO votes for routine adjustments.
Avantgarde’s Implementation
The Avantgarde proposal asked for 35,200 COMP to implement a yield strategy intended to generate a targeted 15% annualized USDC-denominated yield. To allow the DAO to maintain a measure of control over the strategy, Avantgarde proposed the use of an Avatar Safe with the Roles module enabled. A Manager Safe with a 2/4 threshold was given permission to execute the approved function calls required for the strategy execution. The signers of the Manager Safe are MYSO, Avantgarde, and two representatives from the CGWG (PGov and Arana Digital).
The above configuration means that the Compound Timelock may transact as the signer of the Avatar Safe, should it become necessary, but crucially the Manager Safe is able to take the actions required by the strategy at their own discretion. By narrowly scoping the proposal, the Avantgarde team was able to define the function calls required to operate the strategy safely, without needing to have complete control over the funds.
Configuring Boundaries
To configure the Avatar Safe correctly, it needed to be clear which actions Avantgarde (through the Manager Safe) should be able to call freely. These were determined to be:
- The
approvefunction of the USDC token, with thespenderbeing limited to the USDC Comet Market contract - The
supplyfunction of the USDC Comet Market, with theassetsupplied restricted to USDC - The
withdrawfunction of the USDC Comet Market, where thetoaddress is restricted to the Avatar Safe’s address - The
claimfunction of the Comet Rewards contract (specifically theclaimversion which claims to the calling address) - The
approvefunction of the COMP token contract, with the MYSO Router as the only spender - The
takeQuotefunction on the MYSO Router - The
withdrawfunction of the MYSO Router contract, with thetoaddress restricted to the Avatar Safe’s address
To achieve this the Zodiac Roles modifier was enabled on the Avatar Safe through the Zodiac Roles App on the Safe UI. Enabling the modifier calls deployModule, which deploys a new instance of the Roles modifier module, and then calls enableModule, which allows the module to execute transactions as the Avatar Safe. The main functionality of restricted access control is achieved through two functions: scopeTarget and scopeFunction. The web interface (or the Zodiac Roles SDK) assists in constructing the inputs for these functions.
scopeTarget: Scoping a target means that only specified functions within the target contract may be called.
scopeFunction: Scoping a function means configuring the specific function selector and the conditions under which it can be called. This is ultimately what provides the fine-grained access control.
The Avantgarde team configured their Avatar Safe by:
- Deploying and enabling the Zodiac Roles modifier
- Scoping specific target contracts (USDC, Comet Market, COMP, MYSO Router)
- Defining allowed functions with parameter restrictions (e.g., approve only specific spenders, withdraw only to Avatar Safe)
This configuration precisely matched their yield strategy requirements while preventing any actions outside the approved scope. It should be noted that the Zodiac Roles app is available on the Safe App, which simplifies the setup of roles and permissions through web-based and SDK interfaces. The Zodiac Roles documentation is helpful in this regard.
Conclusion
Avantgarde’s trust-minimized solution demonstrates substantial benefits for the Compound DAO by significantly reducing risks associated with third-party operational activities. This approach enables narrowly scoped actions and granular control over delegated funds through the Zodiac Roles modifier.
The solution’s flexibility makes it valuable across various proposal types and allocation sizes. When configured to restrict transfers to approved contracts only, it prevents funds from moving beyond DAO visibility, improving transparency and accounting. Importantly, if agreed-upon KPIs are not met, the DAO retains recourse to reclaim allocated funds. Once configured, operations proceed at full speed within the defined boundaries. Some may view these security requirements as added complexity or a barrier to getting started. However, Avantgarde has already done the complex work of designing and proving this approach. With their solution as a template and web interfaces now available, setup represents a reasonable upfront investment of effort that aligns with the responsibility of managing treasury allocations.
Given that DAOs routinely allocate treasury funds, proposers should integrate these trust-minimized fund management designs as a standard practice. The composability of the EVM allows us to remove unnecessary intermediaries, a capability the Compound community should leverage across all delegated treasury operations. Adopting these controls as standard practice would provide the Compound DAO with enhanced visibility and recourse over allocated funds.