This content was originally published in June 2024, and has since been updated for publication in December 2024.
Decentralized Autonomous Organizations (DAOs) have become a significant innovation in blockchain-based governance, operating without central leadership. Members of a DAO typically share a common goal, acting in the best interest of the organization or project. However, recent incidents have highlighted considerable vulnerabilities, particularly in DAOs that rely solely on token-based voting systems.
In late May and early June 2024, several alerts highlighted ongoing threats to DAOs. The Relevant Feed DAO faced a malicious proposal that required urgent votes against it to prevent exploitation. MetaDragon DAO on Binance Smart Chain (BSC) lost $180,000 to attack transactions involving burned tokens and needed immediate action to prevent further losses. Additionally, a breach of a Solana DAO saw an attacker transfer $230,000 in treasury funds to their own wallet unnoticed, underscoring the risks of insufficient vigilance and of rushed decision-making in DAO governance.
The Weakness of Token-Based Voting Systems
Despite its decentralized appearance, token-based voting often leads to a form of plutocracy, where wealthier participants dominate decision-making. This setup is highly susceptible to exploitation:
Sybil Attacks: Attackers can create numerous wallets to accumulate voting power, as evidenced by an instance where a user organized an investment group, acquiring enough tokens to control a significant portion of supply.
Flash Loans: These allow attackers to temporarily borrow large amounts of tokens to pass malicious proposals.
Structural Weaknesses in DAO Governance
Many DAOs have structural weaknesses that can be exploited by attackers:
Hidden Ownership and Special Permissions: An analysis by Web3 firm De.Fi found that many DAOs have contracts with hidden owners or wallets with special permissions, increasing the risk of unilateral decisions.
Insufficient Multisig Protection: Only 16.6% of analyzed contracts use multisig wallets, which require multiple private keys to authorize transactions, enhancing security.
Short Voting Periods: Some DAOs have very brief voting windows, limiting the time members have to react to proposals. This can be exploited to push through malicious proposals before members can respond.
Aragon provides an example of how voting mechanisms can be structured within a DAO. A vote and its execution are open for a specified voteTime; this parameter is initialized globally once, so the exposure to social engineering depends on how each project sets it. A poorly chosen voteTime could lead to vulnerabilities similar to those seen in other DAOs.
Mitigation Strategies
To address these weaknesses, DAOs can implement several measures:
Multisig Wallets: Using multisig wallets for treasury management can significantly reduce the risk of unauthorized transactions.
Extended Voting Periods: Lengthening voting periods gives members more time to review and respond to proposals, reducing the likelihood of unnoticed attacks.
Poison Pill Proposals: Implementing 'poison pill' proposals, which allow the burning of remaining treasury funds to deter attackers, can be effective.
Regular Audits and Monitoring: Continuous security audits and real-time monitoring of proposals and transactions can help detect and prevent malicious activities early.
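The following simulation, added here to illustrate the weaknesses and mitigations above, is not Aragon's code or any DAO's contract: it is a hypothetical Python model of proposal voting in which a weak configuration (votes weighed by live token balance, a short voting window, no timelock) sits beside a hardened one (balance snapshot taken at the block before the proposal, a long window, a timelock). The `check_config` review, the policy floors `MIN_VOTE_TIME` and `MIN_TIMELOCK`, the account names, balances and block counts are all constructed for the example. It shows why flash-loaned tokens carry no weight under snapshot voting and why a short voteTime leaves honest holders unable to vote against a proposal in time.

```python
"""Toy model of DAO proposal voting: a weak configuration beside a hardened one.

Hypothetical simulation written for this article, not Aragon's or any DAO's code.
Block numbers, balances and the policy floors below are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class GovernanceConfig:
    vote_time: int          # blocks a vote stays open (Aragon's voteTime plays this role)
    timelock: int           # blocks between the vote closing and execution being allowed
    quorum_fraction: float  # share of total supply that must vote "for"
    snapshot_voting: bool   # weigh votes by balance at the block before proposal creation


# Hypothetical policy floors used by check_config; real values are a per-project decision.
MIN_VOTE_TIME = 1000
MIN_TIMELOCK = 200


def check_config(cfg: GovernanceConfig) -> list[str]:
    """Return the weaknesses a reviewer would flag in a governance configuration."""
    findings = []
    if cfg.vote_time < MIN_VOTE_TIME:
        findings.append(f"vote_time {cfg.vote_time} below floor {MIN_VOTE_TIME}: members may be unable to react")
    if cfg.timelock < MIN_TIMELOCK:
        findings.append(f"timelock {cfg.timelock} below floor {MIN_TIMELOCK}: no window to veto or exit")
    if not cfg.snapshot_voting:
        findings.append("votes weighed by live balance: flash-loaned tokens count")
    return findings


@dataclass
class Proposal:
    pid: int
    created_at: int
    votes_for: int = 0
    votes_against: int = 0
    voters: set = field(default_factory=set)


class DAO:
    def __init__(self, cfg: GovernanceConfig, balances: dict[str, int]):
        self.cfg = cfg
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.block = 1
        self.history = {0: dict(balances)}  # balances as of the end of each past block
        self.proposals: dict[int, Proposal] = {}

    def mine(self, n: int = 1) -> None:
        for _ in range(n):
            self.history[self.block] = dict(self.balances)
            self.block += 1

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self) -> int:
        pid = len(self.proposals) + 1
        self.proposals[pid] = Proposal(pid, self.block)
        return pid

    def voting_power(self, pid: int, voter: str) -> int:
        if self.cfg.snapshot_voting:
            # Balance at the block before creation: tokens borrowed and returned
            # inside the proposal block never appear in the snapshot.
            return self.history[self.proposals[pid].created_at - 1].get(voter, 0)
        return self.balances.get(voter, 0)

    def vote(self, pid: int, voter: str, support: bool) -> bool:
        """Record a vote; False if the window has closed or the voter already voted."""
        p = self.proposals[pid]
        if self.block >= p.created_at + self.cfg.vote_time or voter in p.voters:
            return False
        p.voters.add(voter)
        if support:
            p.votes_for += self.voting_power(pid, voter)
        else:
            p.votes_against += self.voting_power(pid, voter)
        return True

    def execute(self, pid: int) -> bool:
        """True if the proposal is executable now: vote closed, timelock elapsed, passed."""
        p = self.proposals[pid]
        executable_at = p.created_at + self.cfg.vote_time + self.cfg.timelock
        if self.block < executable_at:
            return False
        quorum = int(self.total_supply * self.cfg.quorum_fraction)
        return p.votes_for >= quorum and p.votes_for > p.votes_against


def flash_loan_scenario(cfg: GovernanceConfig) -> bool:
    """Borrowed tokens (600 of 1000) are used to vote and repaid in the same block."""
    dao = DAO(cfg, {"lender": 600, "alice": 250, "bob": 150, "attacker": 0})
    dao.mine(5)
    pid = dao.propose()
    dao.transfer("lender", "attacker", 600)
    dao.vote(pid, "attacker", True)
    dao.transfer("attacker", "lender", 600)
    dao.mine(cfg.vote_time + cfg.timelock)
    return dao.execute(pid)


def short_window_scenario(cfg: GovernanceConfig, reaction_blocks: int = 300) -> bool:
    """A 400-of-1000 holder proposes; honest holders need reaction_blocks to vote against."""
    dao = DAO(cfg, {"whale": 400, "alice": 350, "bob": 250})
    dao.mine(5)
    pid = dao.propose()
    dao.vote(pid, "whale", True)
    dao.mine(reaction_blocks)
    dao.vote(pid, "alice", False)  # silently rejected once the window has closed
    dao.vote(pid, "bob", False)
    dao.mine(cfg.vote_time + cfg.timelock)
    return dao.execute(pid)


WEAK = GovernanceConfig(vote_time=100, timelock=0, quorum_fraction=0.3, snapshot_voting=False)
HARDENED = GovernanceConfig(vote_time=5000, timelock=500, quorum_fraction=0.3, snapshot_voting=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_config(cfg))
        print("  flash loan proposal executes:", flash_loan_scenario(cfg))
        print("  short window proposal executes:", short_window_scenario(cfg))
```

Under the weak configuration both scenarios execute: the borrowed 600 tokens count at full weight, and the honest holders' votes against arrive after the 100-block window has already closed. Under the hardened configuration the flash loan carries zero weight because the snapshot predates the borrow, and the 5000-block window lets the 600 tokens voting against outweigh the 400 voting for. The timelock adds the further margin the article's "extended voting periods" point relies on: even a passed proposal cannot execute until members have had time to notice it.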
While DAOs offer a promising model for decentralized governance, their reliance on token-based voting and other structural weaknesses make them vulnerable to attacks. By recognizing these vulnerabilities and implementing robust security measures, DAOs can protect their treasuries and ensure more secure and effective governance.
While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at pr@nominis.io. Your feedback is appreciated!