Quorum contracts are live on Base Sepolia. Mainnet ships after external audit. Do not send real funds.

Treasury

The Quorum treasury holds protocol fees and slashed bonder stakes. On mainnet it is a Safe multisig with a TimelockController for parameter changes.

What flows into the treasury

Three streams:

  1. Idea-token trading fees — 15% of the per-idea FeeRouter split. Paid in the idea token, not in ETH.
  2. Bounty protocol fee — 5% of every bounty amount, deducted at _approve or _reject in ForumExecutor. Paid in the bounty’s denomination (typically the idea token).
  3. Slash cut — 10% of every loser pool at settlement, captured via BondingEscrow.flushProtocolCut(bountyId). Paid in the bounty’s denomination.

The treasury accumulates multi-token positions, one per active idea. There is no automatic conversion to ETH or stablecoins; conversion is a treasury-management decision.

Ownership topology

Sepolia (current)

  • Owner of all 5 contracts: 0xAf44cADeDbe7430c66870931b491eDCD8ec12196 (single EOA)
  • protocolTreasury on BondingEscrow: same EOA
  • Relayer / dealer: same EOA

This is a development topology. Not suitable for mainnet.

Mainnet (planned)

| Role | Topology |
| --- | --- |
| Owner of all 5 contracts | TimelockController (24h or 48h delay) |
| Proposer / executor of timelock | Safe 3-of-5 multisig |
| protocolTreasury | Same Safe multisig OR a separate revenue-distribution contract |
| dealer (relayer EOA) | Hot wallet rotated quarterly; only commitChamber access |
| deployer (relayer EOA) | Hot wallet rotated quarterly; only IdeaFactory.deployIdea access |

Audit M-04 flags that without a timelock, a compromised owner key can:

  • Redirect protocolTreasury to an attacker address (drains future fees).
  • Swap BondingEscrow.forumExecutor to an attacker contract (decides in-flight bounties).
  • Change protocolSlashBps mid-bounty (M-04 also flags that the value needs to be snapshotted at registerBounty time before mainnet).

All three are mitigated by Safe + Timelock. Mainnet deploy requires this topology.

Multisig design

The proposed Safe configuration:

  • 3-of-5 signers (raises the bar without making operations grindy).
  • Signer mix: 2 Quorum core team + 1 external advisor + 1 auditor + 1 DAO-elected community signer.
  • Hardware-only keys (Ledger / GridPlus). No mobile-wallet signers.
  • Quarterly key rotation review — verify signer access, replace lost devices.

Timelock parameters

OpenZeppelin TimelockController:

  • Delay: 24h for parameter changes (e.g. setProtocolSlashBps), 48h for owner changes (setForumExecutor, setFactory).
  • Min delay: 24h hard floor (no faster execution).
  • Proposer role: held by the Safe multisig.
  • Executor role: held by the Safe multisig (a separate role would allow public execution, which is a future iteration).
  • Canceller role: held by the Safe multisig — lets the team kill an in-flight proposal if it’s identified as compromised.

The 24h delay is the incident-response window. If a parameter change looks malicious, the multisig has 24h to call cancel before execution.
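A monitor can apply the delay policy above to each pending timelock operation and report how much of the cancel window remains. The sketch below is an added example, not Quorum's own code. It assumes the scheduled calls have already been decoded into function names, that any call outside the page's list is held to the stricter 48h and reviewed by hand, and that the operation ids and timestamps are constructed sample data.

```python
from dataclasses import dataclass

HOUR = 3600
# Delay policy from this page: 24h for parameter changes, 48h for owner changes.
REQUIRED_DELAY = {
    "setProtocolSlashBps": 24 * HOUR,
    "setForumExecutor": 48 * HOUR,
    "setFactory": 48 * HOUR,
}
# Assumption: a call not listed above is held to the stricter 48h and reviewed by hand.
DEFAULT_DELAY = 48 * HOUR


@dataclass
class Scheduled:
    op_id: str         # timelock operation id (constructed placeholder)
    function: str      # function name decoded from the scheduled calldata
    delay_s: int       # delay argument passed when the call was scheduled
    scheduled_at: int  # block timestamp of the scheduling transaction


def review(op: Scheduled, now: int) -> dict:
    """Check one pending operation against the delay policy and report the cancel window."""
    required = REQUIRED_DELAY.get(op.function, DEFAULT_DELAY)
    ready_at = op.scheduled_at + op.delay_s
    findings = []
    if op.function not in REQUIRED_DELAY:
        findings.append("unclassified call: manual review")
    if op.delay_s < required:
        findings.append(f"delay {op.delay_s // HOUR}h below required {required // HOUR}h")
    return {
        "op_id": op.op_id,
        "ready_at": ready_at,
        "cancel_window_s": max(0, ready_at - now),  # time left to call cancel
        "executable": now >= ready_at,
        "findings": findings,
    }


# Constructed sample data, not real on-chain operations.
T0 = 1_700_000_000
SAMPLE = [
    Scheduled("op-1", "setProtocolSlashBps", 24 * HOUR, T0),
    Scheduled("op-2", "setForumExecutor", 24 * HOUR, T0),   # owner change, delay too short
    Scheduled("op-3", "transferOwnership", 48 * HOUR, T0),  # not in the policy table
]

if __name__ == "__main__":
    for op in SAMPLE:
        print(review(op, now=T0 + 6 * HOUR))
```

Any operation with a non-empty findings list is a candidate for cancel while cancel_window_s is still above zero.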

Revenue distribution

Multi-token treasury balances will accrue across many ideas. Distribution paths under consideration (not committed):

  1. QRM buy-back-and-make — periodically sell idea-token fees into ETH, buy QRM on the Uniswap V4 pool, add as LP. Increases QRM liquidity without burning supply.
  2. Direct QRM holder dividend — pay accumulated idea-token fees pro-rata to QRM holders (gas-expensive at scale; only practical with periodic settlement).
  3. Reinvest in audits / bug bounties — earmark a fixed % of fees for ongoing security work.
  4. Burn — net-zero QRM supply through buy-back-and-burn. Less liquidity-friendly than (1).

Final distribution policy will be governance-decided after mainnet launch. Initial policy: hold everything, fund audits and infra from treasury.

Spending controls

All treasury outflows require:

  1. Safe multisig 3-of-5 approval.
  2. 24h timelock delay (if changing protocol parameters).
  3. Public proposal at least 7 days in advance for any single outflow > $50k equivalent.

Emergency operational spending (audit retainers, infra invoices) below $10k is whitelisted to streamline ops; everything else goes through the standard path.

Transparency

A read-only dashboard will publish:

  • Treasury holdings per token, per idea.
  • Cumulative protocol fees collected.
  • Cumulative slash cuts captured.
  • Pending timelock proposals with countdown.
  • Multisig signer set and recent activity.

Source: the on-chain events from BondingEscrow, ForumExecutor, FeeRouter, and the Safe. No private data — the protocol is open by design.
