Governance Attacks and You: The Responsible Citizen’s Guide

At this point, most DeFi protocols at least brand themselves as a Decentralized Autonomous Organization, or DAO. This form of on-chain governance places operational control of the protocol in the hands of token holders rather than a centralized body. If incorrectly implemented, a DAO can be vulnerable to hostile takeover by malicious actors, known as a governance attack.

Decentralized Governance

The implementation and extent of on-chain governance vary widely. A fully decentralized DAO gives token holders all the tools to operate the ecosystem without any core team intervention. Many modern DAOs grant token holders control over certain operational parameters, while a core team retains control over the protocol at the architectural and technical level.

Some DAOs are essentially a representative democracy with extra steps, where your governance vote does little more than say “Devs need to do this”, with no on-chain power to enact anything.

The best way to structure governance in general is a wicked problem. Humans have been working on it for millennia with varying success. The particular issue of governance in crypto is no more solved than the general problem, and carries its own particular set of quirks and risks.

Illustration of Governance Attacks

Let’s construct a hypothetical. Say you live in a small town. Whenever something is happening that affects the community, you get together in the town hall. The interested parties talk it out, propose solutions, and the whole town votes. This vote occurs by the rules in the town charter: a simple majority wins. Life is good. Except for that pesky ACME Chemical Company, which wants to level the whole town and build a fertilizer plant on the land.

ACME has offered to buy the town from the locals at a fair market price. You hold a town hall meeting and talk things over. No one is particularly interested in selling. The old carpenter two rows from the back built this town hall with his own two hands, after all. You take a vote, and it’s clear: no sale.

ACME’s representative does not take kindly to this rejection, but they depart nonetheless. A few weeks later, strangers start to arrive in town. They settle in peaceably enough, buy little houses within city limits, and bring a plate of cookies to the neighbors. The town is growing! Then, ACME’s second proposal arrives.

It’s hard to fit everyone in the town hall this time, but you manage somehow. The newcomers are silent during the short discussion, and the sentiment is clear: we’re still not selling. You take a vote by show of hands – and every newcomer votes to sell the town. Stunned, you count the votes, and they win by a narrow margin. The rules are the rules, and you have no choice but to pack your belongings and move off the family farm as the bulldozers roll down Main Street.

Governance Attacks In Crypto

This illustration hopefully conveys the essence of a governance attack: someone exploiting the rules to execute something which is not desired by the honest citizens. The illustration is obviously facetious. Everyone in the town would know something was up, there would be lawsuits, legal proceedings, etc.

In crypto, there are none of these protections. If the rules are not set up wisely, they can be exploited with no way for the honest citizens to recover. Proposals can be set up and votes forced with no warning, governance tokens can be bought or borrowed in seconds, and the results of passed proposals can be immediate and permanent.

Build Finance experienced a governance attack on Feb. 14th, 2022, which saw an attacker gain complete control of the protocol. The attacker then drained the treasury, minted an unlimited supply of the native token, and drained the liquidity pools.

How could something like this happen? The Build Finance team described the attack as follows: the attacker simply created a malicious proposal in the on-chain governance system to give himself admin control over the protocol, and rushed it through. Not enough countervotes could be assembled in time to stop it. Once he had admin control, he could wreak as much havoc as he wanted, minting tokens at will and transferring the treasury to his own wallet.

If a protocol's on-chain governance is poorly implemented, this could happen to it at any time. A few simple structural changes would have prevented this outcome. The Build Finance attack actually exhibits three of the five common hazards I identified in a previous post: no multisig, no timelock, and exposed sensitive functions.

Properly Designed Governance

The Compound protocol is an industry standard for on-chain governance. Their Governor contracts are widely forked, and the general flow of their governance is resistant to many of the common governance attack vectors.

[Governance diagram] Compound's governance flow provides multiple opportunities to identify and defeat malicious proposals.

The exact best implementation of governance is still a work in progress. There are tradeoffs and risks to every model. In general, however, on-chain governance must have a few key properties if it is not to become a security weakness in itself.

Preventing hostile takeover should not require constant vigilance. If your governance model relies on every honest citizen instantly rising up to vote against a malicious proposal, it is bound to fail. A delay between a proposal's submission and the start of voting gives the community time to read it before a single vote is cast, and voting periods need to be long enough to allow word to spread and voters to assemble. Discord bots or other notification routes should be employed.

Governance should not have arbitrary access to all protocol functions. If whoever controls governance can mint tokens, drain treasuries, or change admins, the protocol is at unlimited risk the moment a single bad proposal passes.

Governance structures should not be brittle. Your DAO should not collapse if a single bad proposal is passed. If there are no checks and balances, honest actors have to maintain a 100% defense rate against bad proposals. Emergency multisigs, protocol pausing, timelocks on execution, and a limited scope of governance all protect against this. Otherwise, an attacker only needs to succeed once, and then the fox is in the henhouse.

What Can You Do?

If you invest in a DAO-governed protocol, you should be aware of its governance structure and the unique risks that may present. Bad governance can expose you to total loss just as much as a smart contract bug. Auditors generally don’t cover whether the governance system is well-conceived or not.

You should also participate in governance at some level. Even if you don’t vote or debate, you should at minimum be aware of what proposals are active, and have means to receive notifications of new ones.

Finally, be aware of the risks posed by tools such as flash loans and borrowing. Not every protocol is vulnerable to a flash loan: the trick only works if voting power is read from the voter's live balance inside the transaction that casts the vote. Governors that weigh votes by a balance snapshot taken at a past block, as Compound's do, are not exposed to that particular attack, but they remain exposed to an attacker who simply borrows or buys enough tokens ahead of time and holds them through the vote, swaying the outcome at the last minute.
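To make the two defenses above concrete, here is an added toy model of a Compound-style Governor flow (example code written for this article, not Compound's or Build Finance's contracts). It compares a weak configuration (votes weighted by live balance, no timelock) against a hardened one (votes weighted by a per-block balance snapshot, a voting delay, and a timelock that a guardian can cancel during). All holder names, balances, block numbers and thresholds are constructed for the illustration; the `guardian` role stands in for an emergency multisig.

```python
from dataclasses import dataclass

QUORUM = 40  # constructed threshold: minimum FOR votes for a proposal to pass


class Token:
    """Toy governance token that checkpoints each holder's balance per block,
    so past voting power can be looked up (the Comp getPriorVotes pattern)."""

    def __init__(self, balances):
        self.history = {h: [(0, b)] for h, b in balances.items()}  # holder -> [(block, balance)]

    def balance_of(self, holder):
        return self.history.get(holder, [(0, 0)])[-1][1]

    def _checkpoint(self, holder, balance, block):
        hist = self.history.setdefault(holder, [(0, 0)])
        if hist[-1][0] == block:
            hist[-1] = (block, balance)  # several transfers in one block: keep the last
        else:
            hist.append((block, balance))

    def transfer(self, src, dst, amount, block):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self._checkpoint(src, self.balance_of(src) - amount, block)
        self._checkpoint(dst, self.balance_of(dst) + amount, block)

    def prior_votes(self, holder, block):
        """Balance held by `holder` at the end of `block`."""
        bal = 0
        for b, v in self.history.get(holder, []):
            if b > block:
                break
            bal = v
        return bal


@dataclass
class Proposal:
    start_block: int   # votes are accepted only in blocks after this one ...
    end_block: int     # ... up to and including this one
    for_votes: int = 0
    against_votes: int = 0
    eta: int = -1      # earliest execution block once queued (-1: not queued)
    canceled: bool = False


class Governor:
    def __init__(self, token, voting_delay, voting_period, timelock_delay,
                 snapshot_voting, guardian=None):
        self.token, self.guardian, self.proposals = token, guardian, []
        self.voting_delay, self.voting_period = voting_delay, voting_period
        self.timelock_delay, self.snapshot_voting = timelock_delay, snapshot_voting

    def propose(self, block):
        start = block + self.voting_delay
        self.proposals.append(Proposal(start, start + self.voting_period))
        return len(self.proposals) - 1

    def cast_vote(self, pid, voter, support, block):
        p = self.proposals[pid]
        if p.canceled or not (p.start_block < block <= p.end_block):
            raise RuntimeError("voting is not open")
        # The security-relevant choice: a snapshot taken at start_block cannot be
        # inflated by tokens borrowed and repaid inside the voting block.
        weight = (self.token.prior_votes(voter, p.start_block) if self.snapshot_voting
                  else self.token.balance_of(voter))
        if support:
            p.for_votes += weight
        else:
            p.against_votes += weight
        return weight

    def succeeded(self, pid, block):
        p = self.proposals[pid]
        return (block > p.end_block and not p.canceled
                and p.for_votes > p.against_votes and p.for_votes >= QUORUM)

    def queue(self, pid, block):
        if not self.succeeded(pid, block):
            raise RuntimeError("proposal did not succeed")
        self.proposals[pid].eta = block + self.timelock_delay
        return self.proposals[pid].eta

    def cancel(self, pid, caller):
        if caller != self.guardian:
            raise PermissionError("only the guardian can cancel")
        self.proposals[pid].canceled = True

    def execute(self, pid, block):
        p = self.proposals[pid]
        return not p.canceled and p.eta >= 0 and block >= p.eta


def flash_loan_attack(snapshot_voting):
    """Attacker borrows 60 tokens inside the vote block and repays in the same
    block. Returns True if the malicious proposal ends up executable."""
    token = Token({"pool": 60, "alice": 25, "bob": 15})  # constructed balances
    gov = Governor(token, voting_delay=1, voting_period=3, timelock_delay=0,
                   snapshot_voting=snapshot_voting)
    pid = gov.propose(block=10)                 # voting is open in blocks 12..14
    token.transfer("pool", "attacker", 60, 12)  # flash-borrow ...
    gov.cast_vote(pid, "attacker", True, 12)    # ... vote ...
    token.transfer("attacker", "pool", 60, 12)  # ... and repay, all in block 12
    gov.cast_vote(pid, "alice", False, 13)
    gov.cast_vote(pid, "bob", False, 14)
    if not gov.succeeded(pid, 15):
        return False
    return gov.execute(pid, gov.queue(pid, 15))


def bought_majority_attack(timelock_delay, guardian=None):
    """Attacker genuinely holds 60 of 100 tokens for the whole vote. Returns True
    if the malicious proposal ends up executable."""
    token = Token({"attacker": 60, "alice": 25, "bob": 15})  # constructed balances
    gov = Governor(token, voting_delay=1, voting_period=3, timelock_delay=timelock_delay,
                   snapshot_voting=True, guardian=guardian)
    pid = gov.propose(block=10)
    gov.cast_vote(pid, "attacker", True, 12)
    gov.cast_vote(pid, "alice", False, 13)
    gov.cast_vote(pid, "bob", False, 14)
    eta = gov.queue(pid, 15)
    if guardian and eta > 15:  # the timelock gave the community blocks to react
        gov.cancel(pid, guardian)
    return gov.execute(pid, eta)


if __name__ == "__main__":
    print("flash loan, live-balance voting :", flash_loan_attack(snapshot_voting=False))
    print("flash loan, snapshot voting     :", flash_loan_attack(snapshot_voting=True))
    print("bought majority, no timelock    :", bought_majority_attack(0))
    print("bought majority, timelock+guard :", bought_majority_attack(2, "guardian"))
```

The first scenario passes only when votes are weighted by the live balance; with a snapshot at the proposal's start block the attacker's borrowed tokens count for nothing, because they were never held across a block boundary. The second scenario shows why snapshots alone are not enough: an attacker who really holds the majority wins the vote either way, and only the timelock creates the window in which the guardian can cancel before execution. Neither defense substitutes for limiting what governance is allowed to do in the first place.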

Be vigilant, and do your due diligence. Stay safe out there, anon.


Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.
