A working paper published by the European Central Bank on March 26 is forcing a hard conversation about what “decentralized” actually means in practice. The study, titled “Who to regulate? Identifying actors within DeFi governance,” examines four of DeFi’s most recognized protocols and arrives at a finding that sits uncomfortably with years of industry rhetoric.
DeFi governance is not nearly as distributed as advertised. Across Aave, MakerDAO, Ampleforth, and Uniswap, the top 100 governance token holders collectively control more than 80% of total supply. That figure doesn’t just hint at concentration. It describes something closer to oligarchy.
The authors, ECB economists Alexandra Born, Zakaria Gati, Claudia Lambert, Mahvish Naeem, and Antonella Pellicani, are explicit about the policy stakes. Identifying who actually controls these protocols is a prerequisite for regulating them. And right now, based on public data alone, that identification is often impossible.
The 80% Problem Nobody Wanted to Name
The token distribution data cuts through a lot of noise. While governance tokens are technically distributed across a large number of unique blockchain addresses, a small number of entities holds a majority of the supply. The protocols themselves or exchanges account for a significant chunk of those top holdings. In some cases the tokens sit with founders and developers; in others, with the treasury. The paper cannot always distinguish between those two cases, and that ambiguity matters enormously for accountability.

Voting power is even tighter than ownership suggests, with top delegates controlling 96% in Ampleforth, 66% in MakerDAO, and 52% in Uniswap. These aren’t fringe protocols. These are the protocols that shaped the entire DeFi playbook.
Binance keeps appearing in the data. A large share of governance tokens could be linked either to the protocols themselves or to centralized and decentralized exchanges, with Binance identified as the largest centralized exchange holder across all four protocols. Whether Binance votes those tokens on its own behalf or on behalf of customers is another question the on-chain data simply cannot answer.
Delegates Run the Show
The paper’s findings on voting behavior deserve separate attention. Token holders, in theory, govern these protocols. In practice, they mostly don’t. Smaller holders routinely delegate their voting power upward, concentrating decision-making in the hands of a few active delegates.
About one-third of the most active voters cannot be publicly identified at all. Among those that can be traced, the largest groups are individuals and Web3 companies, followed by university blockchain societies and venture capital firms.
That’s a striking picture. The entities shaping critical protocol decisions, things like risk parameters, collateral requirements, and fee structures, are largely pseudonymous. You can trace a wallet address. You cannot always attach a name, a firm, or a jurisdiction to it.
The ECB working paper notes that the concentration of governance power remains stable over time, describing what it finds as “form over substance.” This isn’t a transition phase or an early-stage growing pain. It appears to be a structural feature baked into how these systems actually operate.
What This Means for MiCA
The EU’s Markets in Crypto-Assets regulation carves out an exemption for services provided in a “fully decentralised manner without any intermediary.” That carve-out has been the industry’s primary legal shield in Europe. The ECB paper pulls at that shield directly.
If a small group of token holders or a core development team controls protocol upgrades, treasury allocations, or governance outcomes, the legal case for calling the organization decentralized becomes very thin. And under MiCA, thin cases don’t qualify for exemptions.
MiCA reached full implementation across the EU by late 2024. The final authorization deadline for crypto-asset service providers sits at July 1, 2026, roughly three months away. Any DeFi protocol determined not to be “fully decentralized” would need to either restructure or come into compliance as a regulated entity. The compliance path involves licensing, capital requirements, and disclosure obligations that most DeFi protocols have never built infrastructure to handle.
Because many protocols retain identifiable points of control, including developers, token treasuries, and exchange listings, the ECB paper suggests these could serve as practical anchors for oversight going forward.
The Accountability Gap
The difficulty in identifying holders and voters using public data makes it hard to rely on the regulatory anchor points most commonly proposed in policy discussions. Governance token holders, developers, and centralized exchanges have all been put forward as natural entry points. The paper walks through why each one is harder to operationalize than it sounds.
Governance token holders cannot always be tied to real-world identities. Developers may have legally distanced themselves from a protocol after launch. Exchanges hold tokens on behalf of customers without necessarily voting them. None of those three entry points is clean, and the appropriate anchor may differ from one protocol to the next.
The absence of fiduciary duties, disclosure requirements, and clear legal accountability sets DeFi apart from regulated markets and raises agency problems similar to those seen in corporate governance, only without the usual safeguards. There’s no board. No registrar. No CEO to subpoena. The ECB paper makes clear that regulators cannot indefinitely work around that gap.
Aave’s Own Founder Agrees Governance Is Broken
The paper lands alongside a candid admission from inside the industry itself. Aave founder Stani Kulechov recently described DAO governance as “extraordinarily difficult” to operate, pointing to slow decision-making, multiple rounds of voting, and internal politics that bog down progress. That kind of internal critique matters. It signals that even the architects of these systems recognize the structural problems. The ECB paper names them with data.
The paper stops short of prescribing specific rules. But its direction is clear. Pseudonymous governance structures, concentrated token distribution, and unverifiable delegate identities are not design choices regulators can work around indefinitely. Either DeFi governance becomes traceable, or European regulators will treat these protocols as what the data already suggests: centralized systems operating behind decentralized branding.