Steal the Receipts: What Agent Builders Can Take From Five Years of DAO Failures
Finding Solved Games in Moving Castles.
Five years ago, a generation of builders decided that coordination could be a smart contract. Put the votes on-chain, put the treasury on-chain, let the token decide, and walk away. The experiment ran in public, with real money, on a ledger that does not forget. The receipts are itemised.
They come to a large number. Flash-loan governance hijacks are real and nine-figure: the Beanstalk attack alone drained about $182M in a single block in 2022, when an adversary borrowed a supermajority of the votes, passed a proposal that emptied the treasury, and repaid the loan before the block closed. Turnout sits chronically below 20% across the large DAOs, with peer-reviewed studies putting many proposals nearer 5%, which means the quorum that decides is a small, motivated, capturable minority. And an ECGI working paper on DAO governance (Han, Lee and Li) documents what anyone reading the token distributions already suspected: these systems are born concentrated, with ownership tight enough that the vote was never really up for grabs. Acute, chronic, structural: three views of one defect.
Here is the part worth your attention. The people building multi-agent systems this quarter are reaching for the same primitives. A shared budget the agents draw against. A vote or a quorum over which action to take. A privileged role, the orchestrator or the planner or the tool-caller, that everyone else trusts by construction. A delegated expert sub-agent whose recommendation the others consume without scoring. These are the exact coordination mechanisms that failed in the DAO experiment, rebuilt in a new substrate by people who, mostly, were not watching the first run.
So run the thesis test. What is moving? The orchestration frameworks, a new one every quarter, each with its own opinion about how agents should talk, vote, spend, and defer. What is solved? The failure modes. They do not move. A coordination mechanism that reached a bad equilibrium with human players reaches the same bad equilibrium with agent players whenever the structural conditions repeat, because the failure is a property of the mechanism, not the species operating it. The castle rearranges. The catalogue of equilibria to avoid sits perfectly still.
This issue is about reading that catalogue instead of re-deriving it the expensive way, plus a linter you can point at your own agent config in twenty minutes to find out which receipts you are about to pay for twice.
Five from the wave. One sentence each. Cited, read through the mechanism.
owockibot made the load-bearing claim that agent builders can lift the DAO governance playbook wholesale, because five years of post-mortems are a free transfer-learning set rather than a niche of crypto history (claim captured in studio intake; treated here as an attributed argument, not a settled fact).
The structural finding holds across three independent views: a nine-figure flash-loan hijack (Beanstalk, about $182M, 2022), chronic sub-20% turnout (peer-reviewed studies nearer 5%), and the ECGI ownership-concentration work; one-token-one-vote fails because voting power is a tradeable asset divorced from durable stake, seizable in a block, decaying on its own, born concentrated.
Aragon and Nouns, both in 2023, supplied the negative-case proof: Aragon’s raiders (Arca among them) bought ANT once the treasury was worth more than a controlling stake cost, and Aragon called it a 51% attack; Nouns saw a rage-quit fork the same year as holders exited a treasury worth more than the NFTs. Capture is not a risk but a standing buy-order the moment the ratio tips.
The governance-security inequality names the trigger cleanly: when the market cap of the governance token falls below the value it secures, the system is economically attackable, and no audit catches it because it is a mechanism failure, not a code bug.
Circle’s impossibility result (“Concave is the New Linear”, Circle Research, 2026) closes the escape hatch most builders reach for: concave voting, quadratic included, collapses to one-token-one-vote under Sybil splitting, so you cannot patch a stake problem with cleverer vote-counting math.
Shipping with this issue: The Coordination-Design Linter, built on Microsoft’s AutoGen. It reads your multi-agent config and flags which DAO failure you are about to re-run. The full tool and its install sit below, after The Read.
The mechanism: equilibrium transfer across mechanism families
Two different games can share a mechanism family. Human-DAO coordination and agent coordination have different players, payoffs, and time-horizons, but they run the same kinds of rules: collective decision rules, budget-release rules, delegation rules. When a rule reaches a bad equilibrium in one game, it tends toward the same bad equilibrium in the other wherever the structural conditions recur. That is the solved game this week: the DAO corpus is not crypto trivia, it is a catalogue of equilibria, transferable to anything built from the same primitives.
So read across. Four failure modes, four transfers.
Voting power decoupled from durable stake. The root DAO defect is that the vote is a liquid asset you can rent or buy. An agent system inherits it the instant “authority” is a token, a key, or a config flag that can be copied, reassigned, or spoofed without cost. The transfer: bind authority to a non-transferable identity-and-reputation substrate, something earned over time and bound to the agent, not to a bearer credential. Permanent, non-resettable trust scores are the design that DAO governance kept arriving at the hard way.
Seizable in a single block. Flash-loan capture works because acquiring decisive power is cheap and instantaneous relative to the value it controls. The agent analogue is any orchestration where a single privileged role can be occupied: a leaked planner, a compromised tool-caller, an injected instruction that promotes one agent’s output to ground truth. The transfer: skin-in-the-game that is bonded and at least as large as the value secured. The governance-security inequality, generalised: if the cost to occupy the privileged role is less than what the role controls, you have not built a system, you have posted a bounty.
Decays via turnout collapse. DAO quorums rot because participation is unrewarded and attention is finite, leaving a motivated minority in control. Agent systems decay the same way when a “consensus” of agents is really one confident model the others rubber-stamp, or a verifier nobody pays to actually check. The transfer: a second check that is costly to fake and plural, a verifier whose disagreement is cheap to register and expensive to forge, reconciled loudly rather than averaged away. A check that is free to fake is turnout collapse wearing a quorum’s clothes.
Born concentrated. DAOs launch with ownership tight enough that the vote was decorative. Multi-agent systems launch with a single orchestrator holding all the privileged actions, which is concentration by construction. The transfer: distribute the trusted role and reconcile across copies, so the appearance of distribution and the fact of it agree when you count both ends.
The worked example you can run in twenty minutes: take your own agent config and answer four questions. Is authority bound to durable identity, or to a copyable credential? Is occupying the privileged role more expensive than what it controls? Is the second check costly to fake, or decorative? Is the trusted role plural, or concentrated? Four questions, four documented failures behind them. Every “no” is a receipt already written, with your name in the to field.
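The four questions above, turned into checks over a config, with the second one applying the generalised governance-security inequality. This is an added example, not the studio's Coordination-Design Linter and not AutoGen's config format: the schema, field names and both sample configs are constructed, and treating a same-model verifier as decorative is an assumption.

```python
# Added example, not the studio's linter. The config schema is hypothetical
# (not AutoGen's format) and every value below is constructed.
COPYABLE = {"api_key", "config_flag", "bearer_token"}  # copyable or reassignable credentials

def lint(config):
    """Return {failure_mode: [agent names]} for the four questions."""
    agents = config["agents"]
    privileged = {n: a for n, a in agents.items() if a["privileges"]}
    findings = {"decoupled_authority": [], "seizable_role": [],
                "decorative_check": [], "concentrated_trust": []}
    for name, agent in privileged.items():
        # Q1: is authority bound to durable identity, or to a copyable credential?
        if agent["auth"] in COPYABLE:
            findings["decoupled_authority"].append(name)
        # Q2: governance-security inequality, generalised: the bond at risk
        # must be at least as large as the value the role controls.
        controls = config["budget"] if "release_budget" in agent["privileges"] else 0
        if agent["bond"] < controls:
            findings["seizable_role"].append(name)
        # Q3: a verifier on the same model as the agent it checks is counted
        # as a rubber stamp (assumed proxy for a check that is free to fake).
        independent = [v for v, a in agents.items()
                       if a.get("verifies") == name and a["model"] != agent["model"]]
        if not independent:
            findings["decorative_check"].append(name)
    # Q4: a single agent holding every privileged action is concentration by construction.
    if len(privileged) == 1:
        findings["concentrated_trust"] = list(privileged)
    return {k: v for k, v in findings.items() if v}

BEFORE = {"budget": 50_000, "agents": {
    "planner":  {"auth": "api_key", "bond": 0, "model": "model-a",
                 "privileges": ["release_budget", "call_tools"]},
    "reviewer": {"auth": "api_key", "bond": 0, "model": "model-a",
                 "privileges": [], "verifies": "planner"},
}}
AFTER = {"budget": 50_000, "agents": {
    "planner-1": {"auth": "bound_identity", "bond": 50_000, "model": "model-a",
                  "privileges": ["release_budget"], "verifies": "planner-2"},
    "planner-2": {"auth": "bound_identity", "bond": 50_000, "model": "model-b",
                  "privileges": ["release_budget"], "verifies": "planner-1"},
}}

if __name__ == "__main__":
    print("before:", lint(BEFORE))
    print("after: ", lint(AFTER))
```

The first config fails all four questions on its single planner; the second returns no findings because the privileged role is bonded, bound to identity, and reconciled across two copies on different models.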
A system that looks distributed but has one point of trust an adversary can occupy stays silent, right up until someone counts both ends.
The Coordination-Design Linter
Bernard-layered. Built on Microsoft’s AutoGen (~35k stars, MIT).
Founder offer
The free tier carries the Tape and the Read in full. The linter and the Brief sit behind the paywall, which is where the studio’s own running costs are honestly disclosed. Pro is $15/month or $250/year. Founder is $300/year, capped at one hundred seats, and the founders-only MCP server goes live once all one hundred are taken. If you build agents for a living, the membership pays for itself the first time the linter flags a privileged role you were about to ship as a single point of trust. No pitch beyond that. The receipts are the argument.








