Governance Risk

A critical vulnerability where a small, potentially unrepresentative minority controls decisions due to widespread voter abstention. This can lead to:

• Proposal hijacking by well-coordinated, small groups.
• Low legitimacy of passed proposals, undermining community trust.
• Security risks as critical upgrades may not receive sufficient scrutiny.

Example: A protocol with 1 million tokens, where a proposal passes with only 50,000 votes, represents control by just 5% of the supply.

The risk that governance is dominated by a few large token holders (whales) or entities, leading to centralized control. This manifests as:

• Tyranny of the majority, where whale votes override the broader community.
• Collusion risk between large holders to extract value.
• Reduced decentralization, contradicting the protocol's core ethos.

Mitigations include vote delegation, quadratic voting, and conviction voting to dilute pure token-weight influence.

The risk that governance actions are poorly designed, malicious, or incorrectly implemented. This includes:

• Buggy proposal code that, if executed, could drain funds or break the protocol.
• Time-delay exploits, where a malicious proposal is passed but its effects are delayed, catching voters off guard.
• Upgrade complexity, where even well-intentioned changes introduce unintended side effects due to the system's complexity.

Formal verification and timelocks are common safeguards.

The risk that governance token holders' financial incentives do not align with the protocol's long-term health. This can lead to:

• Short-termism, where voters support proposals that pump token price at the expense of sustainability.
• Parasitic extraction, such as voting for excessive token emissions or fee changes that benefit holders but deter users.
• Stakeholder conflict between token holders, liquidity providers, and end-users.

Mechanisms like vesting schedules and fee-sharing aim to better align incentives.

Specific technical and economic strategies used to subvert a governance system. Key vectors include:

• Vote buying/renting: Accumulating voting power temporarily without long-term stake.
• Flash loan attacks: Borrowing massive sums to gain voting power for a single block, pass a proposal, and repay the loan.
• 51% attacks: Outright purchase or borrowing of majority tokens to force through any change.
• Proposal spam: Flooding the system to hide a malicious proposal or exhaust community attention.

The risk related to the foundational rules that govern the governance process itself, which are often difficult to change. This encompasses:

• Rigid constitutions: Core parameters (like quorum, voting period) that are immutable or hard to amend, potentially becoming obsolete.
• Meta-governance: The power to vote on other protocols' governance using held tokens (e.g., using AAVE to vote on Compound). This creates complex, cross-protocol risk dependencies.
• Forum/off-chain governance: The influence of informal discussion channels that can centralize power before an on-chain vote.

A malicious actor directly or indirectly purchases voting power to pass a self-serving proposal. This can be done through on-chain bribery markets (e.g., buying votes with tokens) or off-chain collusion. The risk is that governance decisions no longer reflect the community's best interest, but the interest of the highest bidder.

• Example: An attacker offers to pay token holders a premium to delegate their votes for a proposal that drains the treasury.

When a disproportionate share of voting power is concentrated among a small group (e.g., founding team, early investors, a single whale). This creates a single point of failure and undermines decentralization. A centralized holder can:

• Unilaterally pass malicious proposals.
• Censor proposals they disagree with.
• Create a tyranny of the majority where minority interests are ignored.

An attacker floods the governance system with low-quality or malicious proposals to exhaust community attention and resources. This attack aims to:

• Cause voter apathy, leading to low participation on critical votes.
• Bury a genuinely malicious proposal among the spam.
• Drain the protocol's resources if each proposal requires a deposit. Effective governance requires mechanisms like proposal deposits and minimum thresholds to mitigate this.

This combines a flash loan (a large, uncollateralized loan repaid in one transaction) with governance mechanics. An attacker can:

1. Use a flash loan to borrow a massive amount of governance tokens.
2. Use this temporary voting power to pass a malicious proposal (e.g., changing fee parameters).
3. Execute the attack (e.g., draining funds) before the proposal's timelock delay expires, then repay the loan. A properly configured timelock is the primary defense, giving the community time to react.

Governance often controls critical protocol parameters like fee rates, collateral factors, or oracle addresses. An attacker who gains voting power can propose changes that appear benign but create systemic risk.

• Example: Gradually lowering the liquidation threshold for a key asset over several votes, eventually causing a cascade of undercollateralized loans and protocol insolvency.

An attack targeting the rules of governance itself rather than a specific proposal. The goal is to change the governance framework to make future attacks easier or to entrench power.

• Examples:
  • Proposing to reduce the quorum requirement, making it easier to pass proposals with low turnout.
  • Changing the voting delay or timelock to zero, allowing instant execution.
  • Modifying the treasury's multisig signers to a controlled set of addresses.

The long-running governance debate over activating Uniswap's protocol fee switch illustrates decision paralysis risk. Despite possessing a massive treasury and clear mechanism, the community has repeatedly delayed activation due to fears of:

• Liquidity migration to competitors
• Regulatory scrutiny
• Negative impact on liquidity providers (LPs) This shows how complex economic and strategic considerations can stall governance, even for beneficial changes.

The 2023 exploit of Curve's pools, which threatened the stability of founder Michael Egorov's massive CRV-backed loans, demonstrated collateral concentration risk. Governance was pressured to consider emergency measures to prevent a debt cascade that could crash the CRV token. This highlighted how governance must manage systemic financial risk stemming from the protocol's own token economics and key stakeholder positions.

The design of a protocol's token economics that underpins its security and incentive alignment. Governance risk is heavily influenced by tokenomics, as it determines who holds voting power.

• Concentration Risk: If tokens are overly concentrated, a small group can dictate outcomes.
• Voter Apathy: Poor incentive design leads to low participation, making the system vulnerable to attacks by motivated minorities.
• Key Metrics: Voter turnout, Gini coefficient of token distribution, and proposal participation thresholds.

The mechanisms and risks associated with changing a protocol's code. This sits at the intersection of technical and governance risk.

• Timelocks: A delay between a governance vote passing and execution, allowing users to exit if they disagree.
• Multisig Wallets: Interim control by a developer team before full decentralization; a centralization risk.
• Proxy Patterns: Common upgrade design where logic can be swapped; governance controls the upgrade function.
• Risk: A malicious or coerced upgrade can steal funds or change core rules.

The risk that a decentralized community splits (forks) due to irreconcilable governance disputes, creating two competing chains and networks. This fragments liquidity, community, and security.

• Cause: Contentious hard forks often result from failed governance, such as the Ethereum/Ethereum Classic split.
• Consequences: Network effects are diluted, and users must choose which chain to follow.
• Mitigation: Clear on-chain governance procedures and social consensus mechanisms aim to reduce fork likelihood.

A system's ability to prevent an entity from creating many fake identities (Sybils) to gain disproportionate influence. It is a foundational requirement for secure on-chain governance.

• Proof-of-Stake: Uses token ownership, where creating Sybils is expensive.
• Proof-of-Personhood: Emerging solutions like proof of humanity to grant one-vote-per-person.
• Failure Mode: Without Sybil resistance, governance can be easily attacked by a single actor amassing cheap voting power.