Governance Hijacking

The foundational step where an attacker acquires enough governance tokens to control voting outcomes. This is achieved through:

• Open market purchases of the native token.
• Borrowing tokens via DeFi lending protocols.
• Exploiting low voter turnout to achieve a majority with a smaller stake.
• Using flash loans to temporarily amass voting power without capital commitment.

Once in control, the attacker submits and passes a proposal that appears benign but contains hidden malicious logic. Common payloads include:

• Updating a treasury multisig to an attacker-controlled address.
• Modifying protocol parameters (e.g., minting rights, fee destinations) to siphon value.
• Adding a malicious plugin or adapter that grants backdoor access to funds.
• Draining a community treasury or liquidity pool via a seemingly legitimate transfer.

Hijackers exploit the fixed timelocks and voting periods inherent to governance systems.

• Proposal Timelock: A delay between a vote passing and execution, intended as a safety mechanism. Attackers must maintain their position throughout this period.
• Voting Period: The window for token holders to vote. Attackers may execute a flash loan attack within this period to vote and return funds before the loan is repaid.
• Defense Evasion: Attackers schedule execution when monitoring is low or use social engineering to reduce scrutiny.

A social engineering precursor to hijacking, where an attacker spams the governance forum with numerous complex or trivial proposals. This causes:

• Voter apathy and decreased participation from legitimate token holders.
• Obfuscation of the one malicious proposal hidden among the spam.
• Reduced scrutiny as community members become desensitized to governance alerts. This lowers the token threshold required for a successful hijack.

A hijacking strategy that targets or colludes with large token holders (whales) rather than outright token accumulation.

• Bribery or Collusion: Offering side payments to whales to vote a certain way.
• Sybil Attacks on Delegation: Creating many fake identities to attract delegated votes from users who auto-delegate to large delegates.
• Governance Mining: Incentivizing users to delegate voting power to a malicious address in exchange for rewards.

Protocols implement various mechanisms to mitigate hijacking risk:

• Multisig Guardians: A fallback committee with veto power over malicious proposals.
• High Proposal Quorums: Requiring a large percentage of total tokens to vote for a proposal to pass.
• Progressive Decentralization: Slowly increasing governance power as the protocol matures and token distribution widens.
• Time-locked Escrow: Holding acquired governance tokens in a vesting contract to prevent sudden accumulation.
• Separation of Powers: Dividing control over treasury, parameters, and upgrades into different modules.

Attackers accumulate governance tokens through methods like flash loan borrowing, purchasing on the open market, or exploiting token distribution flaws. The goal is to reach a quorum or majority threshold to pass malicious proposals. This is distinct from a 51% attack on a blockchain's consensus, as it targets the application layer's decision-making process.

Once in control, attackers submit and vote on proposals that appear benign but contain hidden malicious logic. Common objectives include:

• Draining the treasury by transferring funds to an attacker-controlled address.
• Altering protocol parameters (e.g., lowering collateral ratios, minting unlimited tokens).
• Rug pulling by upgrading a contract to a malicious version.
• Self-dealing by awarding grants or fees to the attacker.

This is the primary enabler. Most token holders do not vote (voter apathy), drastically lowering the practical threshold for an attack. An attacker may only need to acquire a small percentage of the total supply (e.g., 5-10%) to control the active voting pool. High proposal complexity and gas costs for voting further reduce participation.

In April 2022, Beanstalk, a stablecoin protocol, lost $182 million in a governance attack. The attacker used a flash loan to borrow enough governance tokens (BEAN) to pass a malicious proposal in a single transaction. The proposal contained code that instantly transferred all protocol funds to the attacker's wallet, demonstrating the risk of instant-execution governance.

Protocols implement various guards against hijacking:

• Time locks (Timelocks): Enforce a mandatory delay between a proposal's passage and its execution, allowing the community to react.
• Multisig Guardians/Emergency DAOs: A trusted, smaller group with the power to veto or pause malicious proposals.
• Quorum & Supermajority Requirements: Setting high thresholds for sensitive actions.
• Sybil-resistant voting: Using conviction voting or proof-of-personhood systems to reduce the impact of token accumulation.

The design of the token distribution and voting system is critical for security. Flaws include:

• Concentrated Supply: Early investors or team members holding too much voting power (whale risk).
• Liquid vs. Locked Voting: Whether tokens used for liquidity provisioning (e.g., in an AMM LP) can also be used to vote, creating attack vectors.
• Vote Delegation: Centralizes power with delegates, creating single points of failure if compromised.

Following the July 2023 exploit of multiple Curve Finance pools, the protocol's founder invoked an emergency DAO feature. This special governance mechanism, encoded in the Curve DAO smart contracts, allowed for the immediate execution of a critical security patch without waiting for the standard multi-day voting period. This case is a counter-example, showing how well-designed governance can include emergency safeguards and circuit breakers to respond to crises that a hijacker might exploit.

The most direct form of hijacking is a 51% attack on governance, where an entity acquires majority voting power. Risks include:

• Token Accumulation: Buying or borrowing tokens on the open market.
• Vote Buying: Incentivizing token holders to delegate votes maliciously.
• Sybil Attacks: Creating many addresses to influence token-weighted votes. Mitigations include conviction voting, time-locked execution, and multisig guardians for critical functions.

Governance hijacking can also occur through proposal spam or governance fatigue. An attacker may flood the governance forum with complex, confusing, or malicious proposals to:

• Dilute attention from a critical malicious proposal.
• Exploit low voter turnout to pass harmful changes.
• Waste community resources on vetting spam. This is a denial-of-service (DoS) attack on the governance process itself, often requiring proposal submission deposits and minimum vote thresholds as defenses.

A common objective of a successful governance hijack, where the attacker's proposal transfers the protocol's treasury assets to an address they control. This is the ultimate financial loss event.

• Targets: Can include the protocol's native tokens, staked assets, or fees held in a multisig.
• Prevention: Relies on timelocks, multi-signature safeguards, and governance parameters that make large, sudden transfers difficult to approve.

A critical defensive mechanism that delays the execution of a passed governance proposal, providing a grace period for the community to react to a potentially malicious vote.

• Function: Creates a buffer between a proposal's approval and its on-chain execution.
• Response Window: Allows token holders to exit (e.g., sell tokens) or coordinate a fork if a hijacking is detected.
• Implementation: A standard feature in secure governance systems like Compound and Uniswap.

The ultimate community response to a governance hijacking: creating a new, competing version of the protocol that invalidates the malicious changes, often preserving the original token distribution minus the attacker's holdings.

• Process: The original community "abandons" the hijacked protocol contract and migrates to a new one.
• Example: The Steem blockchain forked to Hive after a perceived hostile takeover attempt.
• Significance: Represents the decentralization "nuclear option," enforcing social consensus over pure on-chain code.