Governance is only as good as what secures it.
DAO Ships was rewritten from scratch with a security-first posture, audited across multiple passes, and paired with a hardened Quai Vault multisig for the treasury. Here's exactly what protects your DAO.
DAO Ships contracts
5 review passes
0 unresolved, any severity
Quai Vault contracts
4 audit rounds
0 critical / high / medium open
DAO Ships indexer
Audited Apr 2026
0 critical / high / medium open
Hardening over upstream
Each of these is a deliberate improvement over MolochDAO v3 / Baal, documented in the contract security guide.
Scoped execution
executeAsGovernance can only call the DAO itself — never an arbitrary external address. This closes upstream's single largest privilege-escalation surface.
Flash-loan-resistant sponsorship
Sponsorship power is snapshotted one second in the past, blocking borrow-delegate-sponsor attacks within a single block.
Auto-expiring proposals
Ready proposals expire after a grace + expiry window, so no passed-but-unexecuted proposal can lurk forever as a zombie.
DelegateCall whitelist
The Quai Vault only permits DelegateCall to MultiSendCallOnly, which rejects nested delegate calls — defense against Bybit-class storage-corruption attacks.
Ragequit veto & retention
If too much of the treasury exits during voting, a proposal is blocked. Minorities can't be diluted or rugged through governance.
Immutable by design
Tokens and governance are non-upgradeable EIP-1167 clones. No proxy admin, no upgrade key, no surprise rewrites.
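The three governance checks above (scoped execution, the one-second-in-the-past sponsorship snapshot, and auto-expiry) can be seen together in a short sketch. The contract below is an added illustration written for this page, not DAO Ships code: the `IVotes` interface, the period names, the `HardenedGovernanceSketch` contract and its functions are assumptions, vote tallying is omitted, and the voting-power clock is assumed to be timestamp-based so that `block.timestamp - 1` is a valid timepoint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration for this page; NOT DAO Ships code. Names, periods and the
/// IVotes interface are assumptions for the sketch.
interface IVotes {
    /// Voting power of `account` at a past timepoint (OpenZeppelin-style getPastVotes).
    /// Assumed to use a timestamp clock so that `block.timestamp - 1` is valid.
    function getPastVotes(address account, uint256 timepoint) external view returns (uint256);
}

contract HardenedGovernanceSketch {
    IVotes public immutable shares;
    uint256 public immutable sponsorThreshold; // minimum past voting power to sponsor
    uint256 public immutable votingPeriod;     // seconds a proposal is open for votes
    uint256 public immutable gracePeriod;      // seconds between voting end and readiness
    uint256 public immutable expiryPeriod;     // seconds a ready proposal stays executable

    struct Proposal {
        uint256 sponsoredAt; // 0 means "does not exist"
        bool executed;
        bytes data;          // calldata governance will run against this contract only
    }
    mapping(uint256 => Proposal) public proposals;
    uint256 public proposalCount;

    event Sponsored(uint256 indexed id, address indexed sponsor, uint256 power);
    event Executed(uint256 indexed id);

    constructor(IVotes _shares, uint256 _threshold, uint256 _voting, uint256 _grace, uint256 _expiry) {
        shares = _shares;
        sponsorThreshold = _threshold;
        votingPeriod = _voting;
        gracePeriod = _grace;
        expiryPeriod = _expiry;
    }

    /// Flash-loan resistance: power is read one second in the past, so shares borrowed
    /// and delegated earlier in this same block do not count towards sponsorship.
    function sponsor(bytes calldata data) external returns (uint256 id) {
        uint256 power = shares.getPastVotes(msg.sender, block.timestamp - 1);
        require(power >= sponsorThreshold, "insufficient sponsorship power");
        id = ++proposalCount;
        proposals[id] = Proposal({sponsoredAt: block.timestamp, executed: false, data: data});
        emit Sponsored(id, msg.sender, power);
    }

    /// Ready once voting and grace have elapsed (vote tallying omitted in this sketch).
    function readyAt(uint256 id) public view returns (uint256) {
        return proposals[id].sponsoredAt + votingPeriod + gracePeriod;
    }

    /// Auto-expiry: a ready proposal is executable only for `expiryPeriod` after readyAt.
    function isExpired(uint256 id) public view returns (bool) {
        return block.timestamp >= readyAt(id) + expiryPeriod;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.sponsoredAt != 0, "unknown proposal");
        require(!p.executed, "already executed");
        require(block.timestamp >= readyAt(id), "not ready");
        require(!isExpired(id), "proposal expired"); // no zombie proposals
        p.executed = true;
        // Scoped execution: the only call target is this contract. A passed proposal
        // cannot point the DAO's authority at an arbitrary external address.
        (bool ok, ) = address(this).call(p.data);
        require(ok, "execution failed");
        emit Executed(id);
    }

    /// Reachable only through `execute` (msg.sender == this) and only against this DAO.
    function executeAsGovernance(address target, bytes calldata data) external {
        require(msg.sender == address(this), "only governance");
        require(target == address(this), "target must be the DAO itself");
        (bool ok, ) = target.call(data);
        require(ok, "governance call failed");
    }
}
```

The two `require` lines in `executeAsGovernance` are the whole of the scoped-execution property: the first keeps outsiders from calling it directly, the second keeps governance itself from reaching any other contract, so even a proposal that passes cannot be turned into a generic call-forwarder.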
A treasury that defends itself
Because the treasury is a Quai Vault, your DAO inherits an entire multisig security model on top of governance.
M-of-N multisig ownership
Up to 20 owners with a configurable approval threshold. No single key can move funds.
Native timelocks
A vault-level minimum execution delay is the floor for every transaction; per-transaction overrides handle urgent vs. routine ops.
DelegateCall hardening
DelegateCall is disabled by default; only an explicit whitelist (MultiSendCallOnly) is allowed — blocking Bybit-class storage attacks.
Epoch approval invalidation
Removing an owner atomically invalidates all of their pending approvals in O(1) — no stale signatures linger.
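Epoch-based invalidation is simple enough to show in full. The contract below is an added illustration written for this page, not Quai Vault code: the storage layout, the `EpochApprovalSketch` name and its functions are assumptions. Each owner carries an epoch counter, every approval records the epoch it was given under, and removing an owner bumps that counter, so all of that owner's pending approvals stop counting after a single storage write.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration for this page; NOT Quai Vault code. Storage layout and names
/// are assumptions. Shows O(1) invalidation of an owner's pending approvals.
contract EpochApprovalSketch {
    address[] public owners;
    mapping(address => bool) public isOwner;
    mapping(address => uint64) public ownerEpoch; // bumped whenever the owner is removed
    uint256 public threshold;

    struct Approval {
        bool approved;
        uint64 epoch; // ownerEpoch[owner] at the moment of approval
    }
    // txHash => owner => approval
    mapping(bytes32 => mapping(address => Approval)) public approvals;

    event Approved(bytes32 indexed txHash, address indexed owner, uint64 epoch);
    event OwnerRemoved(address indexed owner, uint64 newEpoch);

    modifier onlyOwner() {
        require(isOwner[msg.sender], "not an owner");
        _;
    }

    /// In a real multisig, changing the owner set is itself an executed vault
    /// transaction; the self-call restriction stands in for that flow here.
    modifier onlySelf() {
        require(msg.sender == address(this), "only via executed transaction");
        _;
    }

    constructor(address[] memory _owners, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _owners.length, "bad threshold");
        for (uint256 i = 0; i < _owners.length; i++) {
            address o = _owners[i];
            require(o != address(0) && !isOwner[o], "bad owner");
            isOwner[o] = true;
            owners.push(o);
        }
        threshold = _threshold;
    }

    function approve(bytes32 txHash) external onlyOwner {
        uint64 epoch = ownerEpoch[msg.sender];
        approvals[txHash][msg.sender] = Approval({approved: true, epoch: epoch});
        emit Approved(txHash, msg.sender, epoch);
    }

    /// The invalidation itself is the single `ownerEpoch[owner] += 1` write: no loop
    /// over pending transactions. (The owners-array cleanup is bounded by the owner
    /// count and is bookkeeping, not part of the invalidation.)
    function removeOwner(address owner) external onlySelf {
        require(isOwner[owner], "not an owner");
        require(owners.length - 1 >= threshold, "threshold would be unreachable");
        isOwner[owner] = false;
        ownerEpoch[owner] += 1;
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == owner) {
                owners[i] = owners[owners.length - 1];
                owners.pop();
                break;
            }
        }
        emit OwnerRemoved(owner, ownerEpoch[owner]);
    }

    /// An approval counts only if the signer is still an owner AND it was recorded under
    /// the owner's current epoch. Since the epoch never decreases, an approval given
    /// before a removal can never become valid again.
    function isApprovalValid(bytes32 txHash, address owner) public view returns (bool) {
        Approval memory a = approvals[txHash][owner];
        return a.approved && isOwner[owner] && a.epoch == ownerEpoch[owner];
    }

    function validApprovals(bytes32 txHash) public view returns (uint256 count) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (isApprovalValid(txHash, owners[i])) count++;
        }
    }

    function isExecutable(bytes32 txHash) external view returns (bool) {
        return validApprovals(txHash) >= threshold;
    }
}
```

The check worth noticing is in `isApprovalValid`: an approval is compared against the owner's current epoch at read time, which is what lets removal be a constant-cost write rather than a sweep over every transaction the owner ever touched.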
Found something? We want to hear it.
DAO Ships and Quai Vault are open-source and run a bug bounty. Responsible disclosure keeps the whole fleet safe.