Over the past decade, the structural design of Web3 projects has been highly "avoidance-oriented." Overseas funds, foundations, DAO governance, and multi-location registration not only served governance optimization and efficiency, but also worked as a tactical response to regulatory uncertainty, letting Web3 project parties keep control over their projects while building a gray buffer zone they could operate in and withdraw from.
However, in the past two years, this type of strategic structural design has become ineffective.
Regulators in major jurisdictions around the world, such as the US SEC, CFTC, Hong Kong SFC, and Singapore MAS, have gradually begun to shift from "observing the form of the structure" to "penetrating the substance of control." The new DTSP regulations are one of the clear signals: what matters is not what you register, but how you operate, who is in charge, and where the money flows.
Portal Labs will therefore divide this article into two parts, taking apart the five most common "high-risk" structures one by one from the perspective of organizational type and operating model, and pairing them with real regulatory cases to help Web3 project parties identify design blind spots that seem safe but are actually minefields.
The "false neutrality, real dominance" foundation structure
In the past, many project parties packaged their token issuance and governance structures as "led by foundations" in order to evade regulatory responsibilities. These foundations are often registered in Cayman, Singapore, and Switzerland. On the surface they operate independently, but in fact the project founding team still controls the code permissions, capital flows, and even governance processes.
However, as supervision gradually shifts to the principle of "control penetration", such structures are becoming the focus of scrutiny. Once the regulator determines that the foundation does not have "substantial independence", the project founder may be regarded as the actual issuer or operator of the Token, and the securities law or illegal fundraising rules will apply. The basis for this judgment does not come from the place of registration or the text of the document, but from "who can control the decision and who is promoting circulation."
Synthetix's foundation structure adjustment in 2023 is a typical example. Its foundation was originally registered in Singapore, but due to the risk of Australian tax and regulatory penetration, Synthetix took the initiative to liquidate the foundation in early 2023, returned the governance structure to the DAO, and established a special legal entity to manage some core functions. This structural adjustment is considered a direct response to the "foundation neutrality crisis."
Another more representative case is Terra (LUNA). Although Terraform Labs once claimed that the reserve assets were independently managed by Luna Foundation Guard (LFG), it was later discovered that the foundation was completely controlled by Do Kwon's team. In the US SEC's allegations, LFG failed to constitute an effective legal isolation barrier, and Do Kwon was still held accountable as the actual issuer.
Singapore's MAS has clearly stated in the DTSP framework that it does not accept a foundation structure where "no personnel are present". Only foundations with actual operational capabilities and independent governance mechanisms can serve as legal isolation tools. The foundation is therefore not a "shell of exemption from liability". If the project party still retains core authority, the foundation will be regarded as a structural shield rather than as responsibility isolation. Planning an operating structure with clear responsibilities at an early stage is more resilient than building a falsely neutral one.
DAO governance is a hollow shell
Decentralized governance was originally a key mechanism used by Web3 projects to break the traditional single point of control and achieve decentralized power and responsibilities. In actual operation, however, a large number of DAO governance structures have become seriously "empty shells": proposals are unilaterally initiated by the project team, voting is controlled by internally controlled wallets, the approval rate is close to 100%, and community voting has become a ritualistic action.
This governance model of "decentralized narrative packaging + centralized execution and control" is becoming a new target for regulators to penetrate. Once a project is subject to legal prosecution, if the DAO cannot prove that it has substantive governance capabilities and that its process is open and transparent, the regulator will directly regard the project party as the actual controller, rather than as a "product of community consensus" that is exempt from liability. The so-called "DAO co-governance" will then count as evidence against the project, highlighting the intention to evade.
In 2022, the US CFTC sued Ooki DAO. For the first time, a regulator filed a lawsuit against a DAO itself, clearly stating that it "is not exempt from liability due to its technical structure." In this case, although the project party had handed over operating authority to the DAO governance contract, all major proposals were initiated and promoted by the former operator, and the voting mechanism was highly centralized. In the end, the CFTC named the former team members and Ooki DAO itself as defendants and identified it as an "illegal derivatives trading platform."
The biggest impact of this case is that it shows a DAO cannot naturally assume the function of responsibility isolation. Only when the governance structure has real distributed decision-making capabilities can regulators recognize its independence.
In addition, the US SEC and CFTC have pointed out in different documents that they will focus on whether a DAO has "governance substance" and "interest concentration", and will no longer accept an empty-shell governance claim based solely on "on-chain voting contracts". A DAO is therefore not liability insurance. If the governance process cannot operate independently and governance power is actually still concentrated in the original team, then "decentralization" will not constitute a legal transfer of responsibility. A truly resilient governance structure should achieve transparency of power and checks and balances across rule design, voting mechanism, and actual implementation.
Structure is just the beginning, operation is the key
The compliance challenge of Web3 projects has never been "whether there is a structure" but "whether the structure is truly operational and whether the rights and responsibilities are clearly identifiable." Foundations and DAOs, the two organizational forms most often regarded by project parties as "compliance protection layers," are often precisely the entry points for risk exposure in the eyes of regulators.
In the next article, Portal Labs will continue to dismantle the remaining three high-risk structures, from "service outsourcing", "multi-location registration" to "on-chain release", and further analyze the compliance blind spots that are most easily overlooked at the operational level.
Don’t let what you think is “avoidance” become “intentional” in the eyes of regulators.







