ERC-2767 — Contract Ownership Governance

Back to Account & Authentication

ERC-2767: Contract Ownership Governance

ERC-2767 standardises DAO-style ownership transfer on top of ERC-173. Where ERC-173 lets the current owner unilaterally hand off control with transferOwnership, ERC-2767 routes ownership changes through a governance contract whose vote tallies replace single-key authority. Used by:

• DAO-controlled token contracts — governance votes can rotate the treasury / minter / upgrader address.
• Multi-stakeholder protocols — investor + team + community multisigs collectively own contracts.
• Time-locked transfers — proposed ownership changes wait through a governance delay before execution.

The standard is interface-only: it defines what a governance contract exposes so any ERC-173-aware tool can recognise governance-mediated ownership without per-DAO integration.

Required Interface

interface IERC2767 {
    /// Returns the address that has authority over the governed contract.
    /// Tools call this instead of `owner()` when the governance contract
    /// holds the ERC-173 owner role.
    function executor() external view returns (address);

    /// Returns the contract that hosts the governance logic.
    function governance() external view returns (address);

    /// Returns true if `account` is allowed to act as the executor for
    /// the current proposal/state. Tools use this for UI gating.
    function isAuthorisedExecutor(address account) external view returns (bool);
}

The pattern: a single governance contract holds the ERC-173 owner role across all governed contracts; the governance contract internally runs proposals, vote tallies, time-locks, etc., and exposes executor() as the address allowed to execute the latest passed proposal.

Neo Equivalent: Governance Contract as Owner + Manifest Permission

The Neo port maps cleanly: a governance contract holds the Owner/Admin role of governed contracts; calls from the governance contract pass Runtime.CheckWitness(governance) because the governance contract is the calling script. NEP-22 contract updates (redeploys) gate on the same governance check.

[DisplayName("GovernedContract")]
[ContractPermission("*", "*")]
public class GovernedContract : SmartContract
{
    private const byte Prefix_Governance = 0x01;

    public static UInt160 GetOwner()
        => (UInt160)Storage.Get(Storage.CurrentContext, new byte[] { Prefix_Governance });

    public static UInt160 Executor()  // ERC-2767 canonical entry
        => (UInt160)Contract.Call(GetOwner(), "currentExecutor", CallFlags.ReadOnly);

    [Safe]
    public static UInt160 Governance() => GetOwner();

    public static void AdminOp(/* args */)
    {
        // Permits direct call from the governance contract OR the executor
        // address it currently delegates to.
        var executor = Executor();
        if (!Runtime.CheckWitness(GetOwner()) && !Runtime.CheckWitness(executor))
            throw new Exception("ERC2767:NotAuthorised");
        // ... admin operation ...
    }
}

ERC-2767 (Ethereum)	Neo Equivalent	Notes
executor()	Executor() returning the current allowed-executor account	May be the governance contract itself or a time-locked delegate
governance()	Governance() returning the governance contract hash	The address that holds the owner role
isAuthorisedExecutor(account)	IsAuthorisedExecutor(account) view	Bool predicate for UI gating
Governance contract holds ERC-173 owner	Governance contract is the stored Owner	NEP-22 update-permission ties to it
Time-lock + proposal flows	Application-specific governance impl	Same shape as Compound Governor / OZ Governor on Ethereum

Composition

• ERC-173 — base ownership. ERC-2767 strictly extends.
• ERC-5313 — light ownership. A governance-owned contract typically exposes getOwner (5313) so off-chain tools see the governance address; ERC-2767 adds executor / governance / isAuthorisedExecutor for richer UI.
• ERC-7656 — generalised contract-linked services. Governance services for a contract fit cleanly under the contract-linked-services umbrella.
• ERC-2535 — diamond proxy. Diamond cuts (adding/removing facets) typically require governance approval; ERC-2767 names the gate.

Migration Notes

For Solidity DAOs porting governance:

1. Replace per-contract ad-hoc onlyGovernance modifiers with a single Runtime.CheckWitness(GetOwner()) against the stored governance address.
2. Implement Executor() / Governance() / IsAuthorisedExecutor(...) on each governed contract for ERC-2767 compatibility.
3. Set the governance contract as the manifest's allowed update caller via NEP-22.
4. The governance contract itself follows whatever proposal / voting logic you choose (see Compound Governor port, OZ Governor port).

The Neo idiom is delegate the witness, not the call: governance contract signs the witness as one of the transaction's signers, and the governed contract's CheckWitness(governance) succeeds. No need for an "execute on behalf of" indirection — governance signing IS the execution.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IGovernance {
    function currentExecutor() external view returns (address);
    function isAuthorisedExecutor(address account) external view returns (bool);
}

contract GovernedContract {
    address public governance;
    modifier onlyAuthorised() {
        require(IGovernance(governance).isAuthorisedExecutor(msg.sender), "not authorised");
        _;
    }

    constructor(address _governance) { governance = _governance; }

    function executor()  external view returns (address) { return IGovernance(governance).currentExecutor(); }
    function governance_() external view returns (address) { return governance; }
    function isAuthorisedExecutor(address account) external view returns (bool) {
        return IGovernance(governance).isAuthorisedExecutor(account);
    }

    function setSomething(uint256 newValue) external onlyAuthorised { /* ... */ }
}

contract SimpleGovernance is IGovernance {
    address public proposer;
    address public currentExecutor;
    uint256 public unlockAt;

    constructor() { proposer = msg.sender; }

    function propose(address newExecutor, uint256 delaySeconds) external {
        require(msg.sender == proposer, "proposer only");
        currentExecutor = newExecutor;
        unlockAt        = block.timestamp + delaySeconds;
    }

    function isAuthorisedExecutor(address account) external view returns (bool) {
        return account == currentExecutor && block.timestamp >= unlockAt;
    }
}

using System;
using System.ComponentModel;
using System.Numerics;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

// Governed contract — owned by a governance contract, exposes ERC-2767 surface.
[DisplayName("GovernedContract")]
[ContractPermission("*", "*")]
public class GovernedContract : SmartContract
{
    private const byte Prefix_Governance = 0x01;
    private const byte Prefix_Value      = 0x02;

    [DisplayName("_deploy")]
    public static void Deploy(object data, bool update)
    {
        if (update) return;
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_Governance }, (UInt160)data);
    }

    public static UInt160 Governance()
        => (UInt160)Storage.Get(Storage.CurrentContext, new byte[] { Prefix_Governance });

    public static UInt160 Executor()
        => (UInt160)Contract.Call(Governance(), "currentExecutor", CallFlags.ReadOnly);

    public static bool IsAuthorisedExecutor(UInt160 account)
        => (bool)Contract.Call(Governance(), "isAuthorisedExecutor", CallFlags.ReadOnly, account);

    public static void SetValue(BigInteger newValue)
    {
        if (!IsAuthorisedExecutor(Runtime.CallingScriptHash))
            throw new Exception("ERC2767:NotAuthorised");
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_Value }, newValue);
    }

    public static BigInteger GetValue()
        => (BigInteger)(Storage.Get(Storage.CurrentContext, new byte[] { Prefix_Value }) ?? ByteString.Empty);
}

// Simple time-locked governance — illustrative.
[DisplayName("TimelockGovernance")]
[ContractPermission("*", "*")]
public class TimelockGovernance : SmartContract
{
    private const byte Prefix_Proposer = 0x01;
    private const byte Prefix_Executor = 0x02;
    private const byte Prefix_UnlockAt = 0x03;

    [DisplayName("_deploy")]
    public static void Deploy(object data, bool update)
    {
        if (update) return;
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_Proposer }, (UInt160)data);
    }

    public static void Propose(UInt160 newExecutor, BigInteger delaySeconds)
    {
        var proposer = (UInt160)Storage.Get(Storage.CurrentContext, new byte[] { Prefix_Proposer });
        if (!Runtime.CheckWitness(proposer)) throw new Exception("ERC2767:NotProposer");
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_Executor }, newExecutor);
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_UnlockAt }, Runtime.Time + delaySeconds * 1000);
    }

    public static UInt160 CurrentExecutor()
        => (UInt160)Storage.Get(Storage.CurrentContext, new byte[] { Prefix_Executor });

    public static bool IsAuthorisedExecutor(UInt160 account)
    {
        var unlockAt = (BigInteger)(Storage.Get(Storage.CurrentContext, new byte[] { Prefix_UnlockAt }) ?? ByteString.Empty);
        return account.Equals(CurrentExecutor()) && Runtime.Time >= unlockAt;
    }
}

Why Governance Contracts Beat Multisig Hot-keys

A multisig hot-key (e.g. 3-of-5) requires those 5 keys to be online, audited, and key-rotated. A governance contract delegates the authorization to a transparent, on-chain process — token holders vote, proposals time-lock, the result is reproducible from chain state. ERC-2767's only contribution is naming the interface so off-chain tools (block explorers, wallets, multisig dashboards) recognise this pattern uniformly.