BEGIN PGP SIGNED MESSAGE
Hash: SHA256
Background
In order to analyze this proposal a bit more seriously, we need a security framework for reasoning about quorum sizes. We propose the following de minimus threat model which aims to reason about quorum sizes as a function of the quantity of UNI needed for a set of negative actors to perform actions harmful to UNI holders and LPs. While there isn’t an purely objective definition for what the set of negative actors looks like, I will focus on actors that I believe are generally agreed upon to be negative participants should they unilaterally form a cartel to pass proposals through governance. Gauntlet would very much appreciate feedback on whether you think this definition is too aggressive, however.
Threat Model
In order to quantify optimal quorum sizes, we first have to define a threat model that prescribes how much UNI colluding adversarial actors would need to accrete to perform a deleterious action. In the remainder of this post, we consider a deleterious action to be one that:
 Reduces the amount of decentralization inherent to the protocol
 Reduces the potential future cash flows that UNI holders could (not will) receive from the transaction fees allocated by the protocol
 Interferes with the ability for liquidity provider and traders to achieve execution as defined in the smart contract (e.g. via a change that increases gas costs without a very strong reason for doing so)
Given that these are qualitative objectives, we will need to introduce simplifying assumptions to create a datadriven model.
Assumptions
We first make the following assumption about an adversary that necessarily satisfies the above criteria:
A0. The set of deleterious adversaries is nonempty and at least includes the following three actors
a. OnChain Lending Pools (Compound [0], Aave [1], PowerPool)
b. Competitive Automated Market Makers with Governance (e.g. SushiSwap)
c. Centralized Exchanges
The first category is nascent and quite small, so we will focus on analyzing the threat posed by exchanges. According to Nansen, we have the following top UNI holding exchanges:
From these balances, it is quite clear that the main exchanges that we need to consider as threats to governance are Binance and Huobi. Even if every nonUniswap UNI exchange colluded to try to achieve quorum, they would barely be able to do so. The high cost of coordination amongst competing adversaries behooves us to make the next model assumption:
A1. Only exchanges with balances higher than Uniswap are likely to collude to reach quorum
Now that we have restricted ourselves to analyzing exchanges with higher balances than Uniswap, it is natural to ask about quorum size relative to their total balance. Given that the two exchanges that meet this criteria are fiduciaries and strident competitors, we believe that it is reasonable to assume that they will not collude.
A2. Competing centralized exchanges will not collude to take over Uniswap
This assumption, which is the strongest one that we make within this threat model, is likely to be controversial as the cryptocurrency space has historically had collusion of this form (e.g. Bitcoin’s New York Agreement). However, we believe that competing exchanges forming an antiUNI holder cartel (to drive liquidity and volume back to centralized venues) will inevitably be an unstable alliance as the form of UNI manipulation chosen will likely only benefit the largest member of the cartel. In particular, we do not believe that they will be able to make progress on omnibus proposals that require multiple governance votes without running to a point where their cartel spontaneously breaks apart.
Given these assumptions, we can define the safe quorum threshold to be the least upper bound on the most capitalized deleterious actor’s UNI balance. This captures the minimum amount of UNI that a deleterious actor that satisfies assumptions A0A2 would need to perform a governance action unilaterally.
Estimation
How do we estimate the safe quorum threshold? Given that exchange balances fluctuate daily, one simple upper bounded heuristic for the safe quorum threshold is the estimator (written inefficiently as a quadratic algorithm, but with an eye towards clarity using Python notation)
safe_quorum_threshold_ub = max([max_balance[t] + abs(max_delta[tp])
for t in range(start_date, end_date)
for tp in range(start_date, end_date)])
where

balance[exchange, t]
is an array of the balances at exchange exchange
indexed by a date t
max_balance[t] = max(balance[exchange, t] for exchange in exchanges)
delta[exchange, t] = max_balance[exchange, t]  max_balance[exchange, t1]

max_delta[t] = max(delta[e, t] for e in exchanges)
.
This finds the max balance plus the maximum [in,out]flow that an exchange has in a single day. By using the maximum flow (regardless of direction) and the maximum balance, we’re constructing a best unbiased estimate of how large the largest exchange could get if it a) had the maximum known exchange balance and b) the largest inflow day possible.
Analysis
Using the Nansen, we can first see that Binance has always been the maximum balance exchange, hovering around 25M UNI.
Therefore, we center our analysis around Binance. In this Google Sheet, we use daily balance data from Nansen to compute a number of quantities related to the safe_quorum_threshold
. If we exclude max_delta
from the first day of UNI issuance (which is an outlier, as illustrated in the spreadsheet), we see that:
max(max_delta[t] for t in range(start_date, end_date)) = 1'212'017.65
max(max_balance[t] for t in range(start_date, end_date)) = 28'904'174.60
However, we note that Uniswap’s market share in terms of UNI markets has increased over time, whereas Binance and Huobi have been decreasing in UNI holdings. As such, we think a weaker but still acceptable estimator for safe_quorum_threshold
is:
safe_quorum_threshold_ub2[exchange] = max([avg_balance[exchange] + abs(max_delta[t])
for t in range(start_date, end_date)])
Why do we think this is reasonable?
 The first few days post UNI launch had exceptional volumes and they should be considered outliers
 The increase in Uniswap market share is extremely promising as the number of UNI held in Uniswap pools more than doubled from the minimum (3.4M) to the maximum (8M) whereas Binance and Huobi had far more anemic growth
Using this bound gives us a final number that we believe could be in a proposal:
safe_quorum_threshold_ub2["binance"] = 26'930'326.78
Thus, we believe that a quorum amount of roughly 27M UNI should suffice to prevent a unilateral deleterious act.
Footnotes
[0] Compound has borrow caps enabled as of Compound governance proposal 22, which mitigates the size of borrow that an adversary can
[1] Aave has a community sentiment poll for adding Uniswap to the protocol
BEGIN PGP SIGNATURE
iQIzBAEBCAAdFiEEEJAuhmVduSEVN8uPKIPJySxksQ8FAl+BQmYACgkQKIPJySxk
sQ/FrQ/+JXWalAXCNIEEvJqFZHdp0wLQWlCxWQ7ctCMkM96wU9Q2SHdIPOrK8NjD
Q7g/2AX6Ho/+RKw+J/XjeSbulaEz6RCIpo0xbD4xHmQfZe15P/fo5aAQnHbm1tJ1
KKXqFv2Bx6/Z66sdiobDSZLik4W/f1mhHtiuyr4XRGR6Az1AgmYQlICwrpNKakCm
oak3X/tcgntiX7ff0yMWjKMmsAmGkkwHerr42i8o4ZtkSigy62u5WcRCpugAT0V/
guytgpuiuOZf0oTw3r5yWrdRBDVYIwWxw/9PYbQ1Rebl1aKj/C2rpOqBUkOMn+YV
sMNfCYMQFUPJHXtavjlwpdV48le7Qb6zGFT6ZSLAVQ8gOKW8Rv7R1C1eVrrMobC/
F5WqGwEkiUQ/DrdEZrF+EQp5TCOOeqwjyAZS5k24P8yQBxQhQJUxo7QT4Yph14xz
WPgVqB1we4jy5R0zg8V2df27zVXFu1Oye2Ovlk3WKiodk3d5sk2K6WhJ5D4P0dNU
W/oQYCwBVtI/mWdkv9DJ3odto7Z+pw+Rc/kh4WcOIdT4J+OSMPE6iO+Txz9xfnxH
jyDn0hawFmSEChABnubqkDlPv/SNEXPOCafq/Uf+f5octktFsp4ieQdVB5JUGx92
kEycSzthvAgc/8x6cwjlY+9vT70ZvlPs3T8GOLO/AUgPle2J6XA=
=coIU
END PGP SIGNATURE