The ZKsync governance system demonstrates how token governance can be reimagined for decentralized ecosystems. Instead of token holders managing a treasury of minted tokens with unknown custody risks, the ZKsync Token Assembly (community of Delegates & delegators) manages minting rights - aiming to reduce custody uncertainty, increase recipient agency and enhance security.

The components of this model were deliberately incorporated into the ZKsync token and governance design to proactively address the token custody management and operational oversight challenges observed across other decentralized ecosystems. It also aligns token governance operations with the “don’t be evil” vs “can’t be evil” narrative in the ZK Credo.

This post focuses on the key problems this token governance model helps solve, and provides examples of how they can be used to manage governance-approved token programs.

Token Mechanics Foundations

Unlike other ecosystems, not all ZK tokens were minted at launch (TGE). Instead, 29.3% of the total ZK supply was left unminted to be managed by the Token Assembly. The ZKsync token governance system enables the Token Assembly to grant minting rights to administrators of Token Programs. This design aims to remove many of the risks associated with managing a large treasury and instead helps shift the agency of token management to the final token recipient.

Capped minters are simple smart contracts that enable “just-in-time” token minting. Each capped minter has a predefined maximum supply (the cap) that can be minted from it. Governance-approved addresses granted the minter role on a capped minter may mint tokens on demand, up to the encoded cap. It is possible to nest capped minters, creating parent/child relationships of minting source. More details on capped minters, their deployment, and governance-based role assignment are available here.

Capped minters are the core building blocks of Token Mechanics - a modular set of smart contracts that enable rights-based minting and programmatic token distribution aligned with a governance-approved token program. Capped minters can be combined with a variety of types of smart contracts (e.g. streaming or eligibility gating contracts) to enforce custom minting and distribution mechanisms.

Minter Modifiers - or “Minter Mods” - are a set of smart contracts specifically designed to implement specific minting rules or restrictions on minting rights from a capped minter. These components are just a few examples of smart contracts that can be paired with capped minters to create a token mechanic - enabling rights-based autonomous token programs tailored to the requirements of each initiative. You can read more about Minter Mods here.

Capped Minters help remove token custody, increase recipient agency, and enhance security

Capped minters are essential infrastructure for streamlining token program operations, automating funding mechanisms, and ensuring partners and protocol stakeholders can engage with the ZK token with minimal friction or central coordination. This “mint-on-demand” model allows for more flexibility and agency for both admins and final recipients. Below are some specific examples of how token mechanics achieve this.

Remove intermediary minted token custody management

The capped minter framework aims to remove the need for minted token custody management and related risks. In ecosystems where treasuries hold minted tokens, programs must contend with additional concerns such as custody and security. Capped minters instead reframe program management around the assigning and enforcement of minting rights via smart contracts. This approach ensures that minted tokens are received directly by end beneficiaries, minimizing intermediaries and associated risks.

Increase recipient agency

When an address is granted the minter role on a capped minter, the owners of that addresses have the ability to decide when, how much, and to which address to mint (as long as it complies with the cap or other minter mod restrictions). In other ecosystems, tokens are distributed via a transfer and the end recipient has limited onchain agency to determine when to receive minted tokens.

Enhance security

Capped minters allow external parties, such as the Token Assembly and Security Council, to participate as oversight. As the admin of the ZK token contract, the Token Assembly is able to revoke the minter role on any governance approved capped minter by passing another proposal. In emergency or urgent cases, the Security Council (or another trusted body) is able to pause minting from any capped minter they have been granted the pauser role on, for example if an admin multisig on a capped minter or address that has a minter role on a capped minter is compromised.

Token Mechanics help facilitate oversight & increase accountability

When a token program is deployed in other ecosystems, it usually entails transferring a defined amount of minted tokens from a treasury to a multisig controlled by a group of program admins. These admins, who the community is forced to trust, are expected to manage all transfers affiliated with that program including compensation for service providers and distributions for reward or grant recipients.

Token mechanics reduce operational burden and the need for trusted intermediaries by relying on programmatic enforcement built directly into the mechanic design. This creates essential infrastructure for scaling and automating token programs in a more secure and predictable manner.

Enable hard-coded accountability

Management of rights unlocks new layers of hard-coded accountability that treasury and token program management in other ecosystems do not have.

  • The Token Assembly can revoke minting rights from any capped minter in relation to Token Programs at any time. The Token Assembly maintains control of each approved program, and is able to cancel a program at any time without having to rely on admins returning unused funds. For example, if the program is not performing as expected or if there is a fluctuation in markets/token price, the Token Assembly can pass a proposal to revoke the minter role on program capped minters, removing the ability to mint and distribute any further fund from a program capped minter. If a community in another ecosystem wanted to shut down a program, they would have to rely on the program admin to transfers tokens back to the treasury.
  • The Capped Minter V2 contracts introduce a start and end date function, allowing developers to define a specific minting window for each capped minter. This ensures capped minter automatically expires at the end of a program, preventing any minting after a program is complete.
  • Minter mods enable additional layers of accountability by adding additional constraints on minting rights. For example, the Rate limiter mod limits how much ZK can be minted in a given time period from a given capped minter. This assures the community that any party with minting rights cannot mass mint from an assigned capped minter.

Reduce multisig responsibilities & coordination

Even with well-designed and highly automated programs, some level of human oversight will remain necessary. Capped minters and token mechanics aim to substantially reduce the scope and workload of oversight committees.

  • Access, incentive alignment and checks & balances are embedded directly into the design of a token mechanic. Token Mechanics for token programs must deployed before a proposal is submitted onchain, creating greater transparency of token management operations will look like - minimizing risk and enabling trustless coordination.
  • The use of this token governance model can reduce the number of transactions that need to be signed by admin committees. By setting up token mechanics that rely on rights-based access, it enables admin committees to act more as “Veto Councils” rather than execution bodies.

    Example - Self-Claiming Program Rewards: Eligible recipients of a given Token Program are granted a capped minter with a Delay Mod where they can request to mint a monthly token amount - giving the Program Admin time to review & veto if request is disputed.
    • Without mechanic: Admin multisig signs monthly transactions to distribute allocations to eligible recipients. For a 1 year program, that’s 12 transactions.
    • With mechanic: Admin multisig signs 1 transaction to grant minter role on a capped minter with a delay mod, potentially sign transaction to veto request from eligible recipient if not in line with agreed terms.
  • Admin committees can be costly depending on what operational expectations. Lessing the burden on the participating members means creating new ways to reduce overhead costs. Over time, capped minters and minter modifiers can be used to automate budget disbursements:

Examples of Deployed Token Mechanics

Below are examples of token mechanics that were deployed for live token programs.

At this point in time, there is still some level of manual human verification needed to assess eligibility and grant minter roles from child capped minters. This is due to gaps in automated onchain data oracles and verification.

The order in which contracts in each mechanic are deployed vary, account for what minting rights access & restrictions each mechanism is aiming to achieve.

ZIP Audit Reimbursement Program (ZARP):
An audit reimbursement program that reimburses dev teams who successfully submit and pass a ZIP in 2025. Upon submission of the ZIP, the team includes calldata to grant the minter role to a capped minter with the ZK cap equal to the audit cost amount. Audit costs are verified by the Security Council. If the ZIP passes and is executed, the minter role is automatically granted to the capped minter with the audit reimbursement amount. This program also included reimbursement for audits of successfully passed ZIPs in 2025.

ZKsync Prividium Prize Program:
A prize program to accelerate the launch of ZKsync Prividium Chains — interoperable and privacy-preserving institutional blockchains — by rewarding the first 10 production deployments with 10M ZK each.As winners are confirmed by Program Admin, minting rights on one of the 10 child capped minters containing the prize is grant to confirmed winners. To ensure a vested minting of each prize, each child capped minter has a rate limiter restricting winners to mint up to 1M ZK/month.

ZKnomics Staking Pilot Program:
The ZKnomics Staking Pilot Program that funds two pilot program seasons to test staking infrastructure & parameters in preparation for validator staking coming with the deployment of the decentralized sequencer.Each seasonal rewards to be distributed is minted through the corresponding capped minter. The staking infrastructure service provider is granted minting rights on their own capped minter, which they can mint on a monthly basis over the course of the program. This program uses a “global” rate limiter to limit the amount that can be minted across all child capped minters.

Future Possibilities

Governance is at its best when it acts as a catalyst, not a bottleneck. The goal is simple: use governance to flip the switch, then let the infrastructure run seamlessly and autonomously. By leveraging this token mechanic framework, it moves token governance towards a world where programs operate within secure, trustless guardrails - shifting the required human involvement from daily operations to high-level oversight and veto power.

Token mechanics are currently being used to build a foundation of programmatic enforcement, reducing the need for human operational overhead. However, achieving total autonomy is currently a technical frontier; full autonomy is currently constrained by the limitations of onchain oracles and the difficulty of capturing non-deterministic off-chain data.

As onchain verification and oracle capabilities continue to mature, so will the autonomy of these programs. The ZKsync Governance Team values the community’s input as mechanics are refined for different use cases. Please share your feedback and proposals with the ZKsync Governance Team on the forum.