The Evolution and Risks of Web3 Project Structure Design

In the past decade, the structural design of Web3 projects has mainly been risk-averse. From overseas funds to foundations, decentralized autonomous organization (DAO) governance, and registrations in multiple locations, these structures not only meet the needs for governance optimization and efficiency but also serve as strategic choices to cope with regulatory uncertainties. These practices allow project parties to maintain control over the project while building a gray area that is both operational and can be exited at any time.

However, in the past two years, these strategic structural designs have gradually lost their effectiveness. Major global regulators, such as the U.S. Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Securities and Futures Commission of Hong Kong (SFC), and the Monetary Authority of Singapore (MAS), have begun to shift their focus from superficial structures to a deeper examination of actual control situations. The new rules for Digital Payment Token (DPT) are a clear signal: the regulatory focus is no longer on registration forms, but on actual operational methods, the identities of dominant players, and the flow of funds.

In this context, we will analyze the five most common "high-risk" structures, combined with actual regulatory cases, to help Web3 project parties identify design blind spots that seem safe but actually harbor risks.

"Surface Neutrality, Actual Dominance" Foundation Structure

Many project teams in the past often used foundation structures to evade regulatory responsibilities, packaging the token issuance and governance process as "foundation-led". These foundations are usually registered in places like the Cayman Islands, Singapore, or Switzerland, and appear to operate independently on the surface, but in reality, they are still controlled by the founding team of the project, who hold the core authority, control the flow of funds, and govern the processes.

As regulatory agencies shift towards the "substantive control" principle, such structures are becoming the focus of scrutiny. If regulatory agencies determine that a foundation lacks substantive independence, project founders may be regarded as the actual issuers or operators of the tokens, thereby facing the constraints of securities laws or illegal fundraising-related rules. This judgment is no longer based on the place of registration or the content of documents, but rather depends on actual decision-making control and circulation promoters.

In 2023, the restructuring of the Synthetix foundation is a typical case. The project was originally registered as a foundation in Singapore, but due to the risk of Australian tax and regulatory penetration, Synthetix voluntarily liquidated the foundation in early 2023, returning the governance structure to a DAO and establishing a dedicated entity to manage core functions. This adjustment is seen as a direct response to the "crisis of neutrality in foundations."

Another more representative case is Terra (LUNA). Although Terraform Labs claimed that the Luna Foundation Guard (LFG) independently managed reserve assets, it was later found that the foundation was entirely controlled by the project team. In the SEC's allegations in the United States, LFG failed to establish an effective legal barrier, and the project leaders were still held accountable as the actual issuers.

The Monetary Authority of Singapore (MAS) clearly stated in the DTSP framework: the "no-persons-present" foundation structure is not accepted. Only foundations with actual operational capabilities and independent governance mechanisms may serve as effective legal isolation tools. Therefore, a foundation is not merely an "exemption shell"; if the project party retains core powers, the foundation will be regarded as a structural disguise rather than a means of liability isolation. In contrast, an operational structure with clearly defined responsibilities planned early on may actually be more resilient.

The "Formalization" Issue of DAO Governance

Decentralized governance was originally a key mechanism for Web3 projects to break traditional single-point control and achieve the dispersion of rights and responsibilities. However, in practice, many DAO governance structures have become severely "hollowed out". For example, proposals are often initiated unilaterally by the project team, voting is dominated by wallets controlled internally, with approval rates approaching 100%, and community voting has become a formal procedure.

This governance model of "decentralized narrative packaging + centralized actual control" is becoming a new target of focus for regulatory agencies. Once a project faces legal accountability, if the DAO cannot prove it has substantive governance capabilities and process transparency, regulators may directly view the project parties as actual controllers, rather than as a "community consensus product" that is exempt from liability. The so-called "DAO co-governance" may become reverse evidence, highlighting the intention to evade regulation.

In 2022, in the case where the CFTC of the United States sued Ooki DAO, the regulatory agency initiated a lawsuit directly against the DAO itself for the first time, clearly stating that the DAO "is not exempt from liability due to its technical structure." In this case, although the project team had transferred operational authority to the DAO governance contract, all major proposals were initiated and driven by the original operating team, and the voting mechanism was highly centralized. Ultimately, the CFTC listed former team members alongside Ooki DAO as defendants, deeming it an "illegal derivatives trading platform."

The significant implication of this case is that it demonstrates that a DAO cannot automatically assume the function of liability separation. Only when the governance structure possesses genuine distributed decision-making capabilities may regulators recognize its independence.

The U.S. SEC and CFTC have both indicated in different documents that they will focus on whether DAOs have "substantive governance" and "concentration of interests," rather than merely accepting formal governance claims based on "on-chain voting contracts." Therefore, DAOs are not exempt from liability. If the governance process cannot operate independently and governance power remains concentrated in the hands of the original team, then "decentralization" will not constitute a legal transfer of responsibility. A truly resilient governance structure should achieve power transparency and multi-party checks and balances at every stage, from rule design and voting mechanisms to actual execution.

Structural design is just the starting point, operation is the key.

The compliance challenges of Web3 projects have never been just about "whether a structure has been built"; more importantly, it is about "whether the structure operates genuinely and whether responsibilities and rights are clear and distinguishable." Foundations and DAOs, which are often regarded by project parties as "compliance protective layers," frequently become points of risk exposure from a regulatory perspective.

In the next section, we will continue to analyze the remaining three high-risk structures, including "service outsourcing", "multiple registrations", and "on-chain publishing", further exploring the compliance blind spots that are most easily overlooked at the operational level.

It is important not to let what you consider a "evasion" strategy become a "deliberate" act in the eyes of regulators.