Governance Attack

The foundational step where an attacker acquires enough voting power to influence or control proposals. This is achieved through:

• Direct Purchase: Buying governance tokens on the open market.
• Borrowing: Using flash loans or lending protocols to temporarily amass tokens without upfront capital.
• Sybil Attacks: Creating multiple addresses to distribute holdings and mimic grassroots support.

The attacker crafts and passes malicious proposals that appear legitimate. Key tactics include:

• Beneficial Parameter Changes: Proposals to alter treasury withdrawal limits, mint new tokens, or change fee distributions to the attacker's address.
• Obfuscation: Bundling harmful changes with popular, benign updates to gain voter approval.
• Timing Exploits: Submitting proposals during low-engagement periods to reduce voter turnout and opposition.

Exploiting the specific mechanics of the governance system to ensure a malicious proposal passes.

• Vote Sniping: Casting decisive votes at the last possible moment to prevent a defensive response.
• Delegation Abuse: Acquiring voting power from inactive token holders via delegation mechanisms.
• Quorum Gaming: Ensuring a proposal meets the minimum quorum threshold with minimal legitimate opposition.

The final phase where the attacker converts their ill-gotten governance control into tangible assets.

• Treasury Drain: Executing a passed proposal to transfer treasury assets (stablecoins, ETH) to a controlled address.
• Token Minting: Using new minting authority to create and sell governance or protocol tokens, crashing the price.
• Protocol Sabotage: Changing critical parameters (like collateral factors) to create arbitrage opportunities or destabilize the system for profit.

Understanding governance attacks requires knowledge of adjacent mechanisms and defenses.

• 51% Attack: A similar concept in Proof-of-Work blockchains targeting consensus, not governance.
• Time-Lock: A common defense that delays execution of passed proposals, allowing time for community response.
• Multisig Guardians: A fallback role (often held by founders) with the power to veto malicious proposals, creating a centralization trade-off.

A canonical case study of a flash loan-enabled governance attack. In April 2022, an attacker:

1. Used a flash loan to borrow ~$1B worth of BEAN tokens, gaining 67% of voting power.
2. Passed a "proposal" that donated the protocol's entire treasury (~$182M) to a Ukraine relief fund they controlled.
3. Repaid the flash loan, netting ~$80M in profit. This event highlighted the risks of on-chain governance with immediate execution.

These attacks have led to the adoption of key defensive mechanisms:

• Timelocks: A mandatory delay between a vote passing and execution, allowing time to detect malicious proposals.
• Multisig Guardians: A fallback committee with the power to veto or pause malicious execution.
• Vote Delegation: Shifting from token-weighted voting to delegated expert representatives.
• Quorum Requirements: Mandating a minimum participation threshold for a vote to be valid.
• Separation of Powers: Dividing control over treasury, code, and parameters across different governance modules.

The primary vector for a governance attack is the acquisition of a sufficient voting stake. An attacker can achieve this through:

• Open Market Purchases: Buying tokens on exchanges.
• Flash Loan Exploits: Borrowing a massive, temporary amount of capital to vote, then repaying the loan.
• Vote Delegation Exploitation: Manipulating or bribing large token holders to delegate their voting power. Once a 51% majority (or the protocol's specific quorum threshold) is controlled, the attacker can pass proposals to drain the treasury, mint unlimited tokens, or alter critical protocol parameters.

This is the most direct form of attack, where an entity acquires over half the voting power. Consequences include:

• Treasury Drain: Proposing and passing a transaction to transfer all protocol funds.
• Parameter Hijacking: Changing fee structures, collateral ratios, or admin keys to benefit the attacker.
• Rug Pull via Governance: Minting and selling an infinite supply of the governance token itself. Mitigations include implementing a timelock on executed proposals and a multi-sig guardian council with veto power over catastrophic changes.

An attacker can flood the governance system with complex, malicious, or numerous proposals to create voter fatigue. This tactic aims to:

• Obfuscate a harmful proposal among many others.
• Lower voter participation by overwhelming the community, making it easier to pass proposals with a smaller, attacker-controlled stake.
• Waste community resources on constant monitoring and voting. Defenses include requiring a proposal deposit (slashed if the proposal fails) and implementing a minimum token threshold to submit proposals.

This involves exploiting the time delay between a vote's snapshot and its execution. Attackers can:

• Buy tokens after a snapshot is taken for a beneficial proposal, vote, and then sell immediately before execution, avoiding price impact.
• Use Maximal Extractable Value (MEV) bots to front-run or sandwich governance transactions. This undermines the principle of skin-in-the-game voting. Mitigations include moving to commit-reveal voting schemes or using a bonding curve for voting power that penalizes short-term holders.

A timelock is a mandatory delay between a proposal's passage and its execution. This critical security measure allows the community to:

• Analyze the executed code of a passed proposal.
• Organize a defensive response, such as a fork or liquidity withdrawal, if the proposal is malicious. Some protocols add a multi-signature guardian or security council with limited veto power over timelocked proposals that would clearly destroy the protocol, creating a final circuit breaker.

The most robust long-term defense is a widely distributed and engaged token holder base. Strategies include:

• Fair launches and broad distributions to avoid concentrated ownership.
• Delegated voting to knowledgeable, accountable governance delegates.
• Non-token voting power via soulbound tokens or proof-of-personhood systems to resist pure capital attacks.
• Quorum thresholds and supermajority requirements (e.g., 67% yes votes) to make attacks more expensive and detectable.

The fungible asset (e.g., UNI, MKR, COMP) that confers voting rights in a decentralized autonomous organization (DAO). Its distribution and economic security are critical:

• Concentration risk: If too few entities hold tokens, the system is vulnerable.
• Tokenomics: Designs like vote-escrow (veTokens) aim to align long-term incentives.
• Liquid vs. locked: Liquid tokens can be easily borrowed for attacks.

A common objective of a successful governance attack, where the attacker's proposal grants control over the protocol's treasury funds. This involves changing parameters to withdraw assets. Famous examples include the Beanstalk Farms attack, where a malicious proposal transferred $182 million to the attacker's wallet in a single transaction.

A core security mechanism that delays the execution of a passed governance proposal, providing a final window for the community to react to a malicious action. Key aspects:

• Execution delay: A mandatory waiting period (e.g., 48 hours) between proposal passage and code execution.
• Emergency response: Allows time for governance veto, forking, or other defensive measures.
• Not a complete solution, as it relies on vigilant community monitoring.

A design philosophy aiming to reduce the attack surface by making core protocol parameters immutable or trustless, limiting what governance can control. This contrasts with maximalist governance. Implementations include:

• Uniswap v3's immutable core.
• Using oracles or algorithmic mechanisms instead of votes for critical updates.
• Escalating timelocks for more sensitive functions.

The ultimate defensive response to a governance attack, where the community abandons the compromised chain or contract and launches a new version without the attacker's influence. This is a social consensus action. Historic precedents:

• Ethereum/ETC fork following The DAO hack.
• Compound Finance created a precedent for a post-attack governance fork to recover funds.