Governance Attack

The most direct vector involves acquiring enough governance tokens to pass malicious proposals. Attackers may use:

• Flash loans to temporarily borrow massive voting power.
• Vote buying or bribery through secondary markets.
• Exploiting low voter turnout to pass proposals with a small, concentrated stake. This was demonstrated in the attempted Beanstalk Farms attack, where a proposal to send $182M to the attacker passed with a supermajority of borrowed tokens.

Attackers craft proposals with hidden malicious logic that executes only after approval. This includes:

• Time-delayed attacks, where harmful code activates in a future block.
• Governance parameter changes, such as lowering the proposal threshold or quorum to enable further attacks.
• Upgrade proposals that introduce backdoors into protocol smart contracts, effectively transferring control to the attacker.

This advanced vector targets the governance of governance—the rules that define how proposals are made and voted on. Attackers may:

• Propose changes to the voting mechanism itself (e.g., switching to a less secure model).
• Attack delegate systems, compromising the keys of large token delegates.
• Manipulate off-chain signaling (like Snapshot votes) to create social consensus for a harmful on-chain proposal.

Beyond pure token mechanics, attackers leverage economic incentives and misinformation. Key tactics include:

• Voter apathy and fatigue, relying on low participation to slip proposals through.
• Sybil attacks, creating many addresses to simulate broader community support.
• FUD (Fear, Uncertainty, Doubt) campaigns to discourage legitimate voters from participating or to vote for a 'safe' but malicious option.

Governance systems have specific technical components that are frequent targets:

• Treasury Multisigs: Proposals to drain the protocol treasury.
• Upgradeable Contracts: Proposals to change contract logic to a malicious implementation.
• Oracle Controls: Proposals to manipulate price feeds or data sources.
• Fee Switches: Proposals to redirect protocol revenue to an attacker's address.

Protocols implement various guards against governance attacks:

• High Quorum Requirements: Mandating a minimum percentage of total tokens to vote.
• Timelocks: Delaying execution after a vote, allowing time for community review and reaction.
• Multisig Guardians: A fallback committee with emergency veto power (introducing centralization trade-offs).
• Vote Delegation: Encouraging participation through trusted delegates.
• Proposal Thresholds: Requiring a minimum token stake to submit a proposal.

An attacker directly or indirectly compensates token holders to vote in their favor, subverting the intended merit-based decision-making. This is often facilitated through bribe markets like LlamaAirforce or hidden arrangements.

• Mechanism: Proposers offer a share of the proposal's profits to voters.
• Example: An attacker proposes to drain a treasury and offers 30% of the proceeds to voters who approve it.

A single entity or coordinated group acquires enough governance tokens to unilaterally pass proposals, often through a flash loan. This targets protocols with low voter participation and high proposal passing thresholds.

• Key Risk: Centralization of voting power defeats decentralization.
• Famous Case: The attempted Beanstalk Farms governance attack, where an attacker used a flash loan to acquire 67% of votes to drain the treasury.

An attacker floods the governance forum with low-quality or malicious proposals to overwhelm voters, causing voter apathy and allowing a harmful proposal to pass unnoticed.

• Tactics: Submitting many similar proposals or proposals with obfuscated code.
• Defense: Requires proposal submission deposits and qualified delegate systems to filter noise.

Exploiting timing mechanisms within the governance lifecycle, such as voting periods and execution delays (timelocks).

• Example: Vote Sniping - waiting until the last moment to vote, preventing opponents from mounting a defense.
• Example: Timelock Bypass - if a malicious proposal passes, the timelock provides a critical window for the community to execute an emergency shutdown or fork.

An attacker creates many wallets (Sybils) to claim a disproportionate share of governance tokens from an airdrop, or to manipulate snapshot votes where voting is cost-free.

• Impact: Dilutes the voting power of legitimate community members.
• Prevention: Protocols use proof-of-personhood systems or token-locked voting (e.g., ve-token models) to mitigate.

Directly attacking the smart contracts of the governance token itself to mint tokens or manipulate votes. This is a technical exploit rather than a social one.

• Mechanism: Finding a bug in the token's mint(), delegate(), or voting contract to create illegitimate voting power.
• Contrast: Differs from vote buying, as it creates tokens out of thin air instead of acquiring existing ones.

The most direct form of governance attack, where an attacker acquires a majority of the protocol's voting power (governance tokens). This allows them to pass malicious proposals, such as:

• Draining the treasury to a controlled address.
• Changing critical protocol parameters (e.g., lowering collateral ratios).
• Minting unlimited new tokens, devaluing the entire system. This is often executed via a flash loan to temporarily borrow the required voting tokens.

An attacker floods the governance system with numerous, complex, or confusing proposals to overwhelm legitimate voters. The goal is to exploit voter apathy and low participation rates, allowing a malicious proposal to pass with a small, coordinated minority vote. Mitigations include:

• Proposal deposits that are forfeited if the proposal fails.
• Quorum requirements to ensure sufficient voter turnout.
• Timelocks to delay execution, allowing community reaction.

A form of collusion where an attacker offers direct payments (bribes) or other incentives to token holders to vote a specific way on a proposal. This is often facilitated through bribe markets or voting escrow systems. It undermines the principle of voters acting in the protocol's best interest, as they are incentivized to act for personal short-term gain, potentially to the network's detriment.

Protocols implement several layers of defense to harden their governance:

• Timelocks: A mandatory delay between a proposal's passage and its execution, providing a final window for the community to organize a response (e.g., via a fork).
• Multisig Guardians/Emergency Councils: A trusted, often off-chain, group with limited powers to pause the system or veto clearly malicious proposals as a last resort.
• Progressive Decentralization: Initially launching with more centralized safeguards and gradually transferring power to token holders as the system matures and participation grows.

• Sybil Attack: Creating many fake identities to gain disproportionate voting power. Mitigated by proof-of-stake or token-weighted voting.
• Voting Escrow (ve-tokens): A model (pioneered by Curve Finance) that locks tokens for longer periods to gain more voting power, aiming to align voters with long-term health.
• Forking as a Defense: The ultimate community response, where users and developers abandon the compromised protocol and launch a new, clean version without the attacker's influence, as seen historically in Ethereum and Steem.

The practice of acquiring voting power, often through delegated tokens or flash loans, to influence a governance outcome. This is a primary vector for governance attacks, where an attacker amasses enough votes to pass a malicious proposal, such as draining a treasury or altering protocol parameters.

• Mechanism: Tokens are borrowed or pooled temporarily to meet a voting quorum.
• Example: An attacker could use a flash loan to borrow a large amount of governance tokens, vote on a proposal, and return the tokens—all within a single transaction.

An attack where a single entity creates many fake identities (Sybils) to gain disproportionate influence. In blockchain governance, this can involve splitting funds across numerous addresses to bypass one-token-one-vote assumptions or delegation limits.

• Impact: Can distort voting outcomes without requiring a large capital outlay.
• Countermeasure: Protocols implement proof-of-personhood systems or token-weighted voting with identity verification to mitigate this risk.

A catastrophic outcome of a successful governance attack where the protocol's community treasury is emptied. Attackers pass a proposal that grants them control over treasury assets, which are then transferred out.

• Execution: Often involves a malicious proposal that updates treasury multi-sig signers or authorizes a large, illegitimate transfer.
• Famous Case: The 2022 Beanstalk Farms attack, where an attacker used a flash loan to pass a proposal that drained $182 million from the protocol's treasury.

A security mechanism that enforces a mandatory delay between when a governance proposal is passed and when its changes are executed. This provides a grace period for the community to review and potentially veto malicious actions.

• Function: Acts as a circuit breaker, allowing time to detect and react to hostile proposals.
• Implementation: Critical parameter changes or fund transfers are routed through a Timelock Controller smart contract, which queues transactions for a set duration (e.g., 48 hours).

A cryptographic token that grants holders voting rights within a decentralized autonomous organization (DAO) or protocol. The distribution and security of these tokens are fundamental to governance attack surfaces.

• Voting Power: Typically proportional to the amount of tokens held or staked.
• Attack Surface: Concentrated token ownership, low voter participation, and liquid staking derivatives can create vulnerabilities where a minority can control outcomes.

A defensive mechanism allowing token holders to withdraw their funds from a protocol if a malicious governance proposal passes. This is a form of economic fork or rage quit, where users can exit with their fair share of assets before harmful changes take effect.

• Purpose: Creates a economic disincentive for attackers, as a successful attack would cause capital flight and devalue the governance tokens they hold.
• Example: Implemented in Moloch DAO-style frameworks, where members can exit with their share of the guild bank.