ChainScore Labs
All Guides

Governance Attacks and Vote Buying Risks

LABS

Governance Attacks and Vote Buying Risks

Chainscore © 2025

Core Governance Attack Vectors

An analysis of the primary methods attackers use to subvert decentralized governance, from direct token manipulation to exploiting procedural flaws.

Vote Buying and Bribery

The direct purchase of voting power or delegation rights to influence an outcome. Attackers offer financial incentives to token holders, often via dark pools or bribery markets.

  • Use of platforms like Bribe Protocol to create vote-directed incentives.
  • Collusion through off-chain agreements not reflected on-chain.
  • This undermines the one-token-one-vote principle and can lead to malicious proposals passing.

Token Whale Manipulation

A single entity or cartel acquires a controlling share of governance tokens to dictate all protocol decisions. This is often a precursor to a hostile takeover.

  • Rapid token accumulation via OTC deals or market purchases.
  • Example: The attempted takeover of Build Finance DAO.
  • Centralizes control, rendering small holders' votes irrelevant and risking fund diversion.

Proposal Spam and Fatigue

Flooding the governance forum with low-quality or malicious proposals to exhaust community attention and resources. Attackers aim to create noise so a harmful proposal slips through.

  • Submitting many proposals with high gas-cost execution.
  • Exploiting snapshot voting to drain multisig transaction budgets.
  • This leads to voter apathy and increased risk of insufficient proposal scrutiny.

Time-Based Exploits

Attacks that manipulate the temporal aspects of governance, such as voting periods or execution delays. This includes rage-quitting capital before a malicious vote executes.

  • Example: Passing a proposal, then withdrawing funds during the timelock before execution.
  • Snapshot voting with outdated token balances.
  • These exploits break the assumed synchronicity between voting power and economic stake.

Governance Tokenomics Attacks

Exploiting the economic design of the governance token itself to gain undue influence. This includes flash loan attacks and staking mechanism flaws.

  • Borrowing massive token amounts via flash loans to vote without economic skin in the game.
  • Manipulating ve-token models or locked staking rewards.
  • Creates temporary, sybil-resistant appearing majorities that vanish post-vote.

Meta-Governance Control

Gaining influence over a protocol by controlling the assets it governs, not its native token. Common in DeFi where one DAO's tokens are a major asset in another's treasury.

  • Example: Using Curve DAO's veCRV votes to direct gauge weights and liquidity.
  • A parent DAO dictating decisions in a subsidiary's governance.
  • Creates indirect, often unforeseen, centralization vectors across the ecosystem.

Technical Breakdown of Attack Methods

Understanding the Entry Points

Governance attacks exploit vulnerabilities in the proposal lifecycle and voting mechanics of a DAO. The primary vectors are not just about acquiring tokens, but manipulating the rules of engagement.

Key Attack Surfaces

  • Proposal Spam: An attacker submits numerous, complex, or expensive-to-execute proposals to create voter fatigue and apathy, allowing a malicious proposal to slip through during low participation. This was a risk highlighted during early Compound governance debates.
  • Vote Timing Exploits: Attacks that manipulate the timing of proposal snapshots or voting periods. For example, an attacker could borrow a large amount of governance tokens just before a snapshot is taken, vote, and then return them, effectively voting with capital they do not own.
  • Metagovernance Leverage: Using governance tokens received as yield from platforms like Aave or Compound to influence decisions in another protocol, creating cascading control risks.

Real-World Context

In the 2022 Beanstalk Farms exploit, the attacker used a flash loan to temporarily acquire enough governance power to pass a malicious proposal that drained the protocol's treasury, demonstrating a combination of vote buying and timing attack.

Implementing a Governance Defense Framework

Process overview

1

Establish a Multi-Layered Voting Delay

Implement time-based safeguards to prevent rapid, malicious proposal execution.

Detailed Instructions

Implement a timelock contract between the governance module and the protocol's core contracts. This creates a mandatory waiting period after a proposal passes before execution. Set the delay period based on risk assessment; for critical parameter changes, a 3-7 day delay is standard. This allows time for community scrutiny and emergency response.

  • Sub-step 1: Deploy a Timelock contract (e.g., OpenZeppelin's TimelockController).
  • Sub-step 2: Configure the executor and proposer roles, ensuring only the governance contract is the proposer.
  • Sub-step 3: Set the minDelay variable. For a mainnet deployment, start with a conservative value like 72 hours (259200 seconds).
  • Sub-step 4: Point your protocol's upgradeable contracts or privileged functions to use the Timelock as the owner.
solidity
// Example: Initializing a TimelockController
import "@openzeppelin/contracts/governance/TimelockController.sol";

contract MyProtocolTimelock is TimelockController {
    constructor(
        uint256 minDelay,
        address[] memory proposers,
        address[] memory executors
    ) TimelockController(minDelay, proposers, executors) {}
}

Tip: The delay period is a trade-off between security and agility. Consider a graduated system where different proposal types (e.g., treasury spend vs. parameter tweak) have different delays.

2

Implement Vote Delegation with Safeguards

Enable secure delegation while mitigating the risks of centralized voting power.

Detailed Instructions

Use a delegation system like Compound's or OpenZeppelin's ERC20Votes to allow token holders to delegate voting power without transferring tokens. This improves participation but requires safeguards. Implement a delegation cooldown or lock to prevent instant delegation changes during an active proposal, a common tactic in vote buying.

  • Sub-step 1: Integrate a votes-compatible token standard (ERC20Votes).
  • Sub-step 2: In your governance contract, record the delegation snapshot at the start of the proposal's voting period using _getPastVotes.
  • Sub-step 3: Enforce a rule that delegation changes cannot affect votes on proposals already created. This is often implicit with snapshotting.
  • Sub-step 4: Consider adding an explicit cooldown (e.g., 24 hours) for changing delegation targets to deter last-minute power consolidation.
solidity
// Example: Checking votes from a snapshot block number
function getVotes(address account, uint256 blockNumber) public view returns (uint256) {
    // This uses the snapshot mechanism from ERC20Votes
    return token.getPastVotes(account, blockNumber);
}

Tip: For extra security, publish a canonical list of delegate addresses (with reputations) within the protocol's interface to encourage informed delegation and reduce apathy-driven centralization.

3

Design Proposal Thresholds and Quorums

Set mathematical barriers to prevent low-cost attack proposals and ensure sufficient participation.

Detailed Instructions

Configure proposal thresholds (minimum tokens needed to submit) and quorum requirements (minimum votes needed for validity). These values should be a percentage of the total token supply and must be high enough to deter spam but not so high they stifle participation. A common starting point is a 1% threshold and a 4% quorum.

  • Sub-step 1: Analyze historical governance participation to set a baseline. Calculate quorum = (average_votes_on_passed_proposals / total_supply) * 100.
  • Sub-step 2: Implement dynamic quorum mechanisms (e.g., GovernorCountingSimple with quorum = f(block.number)) to adjust requirements based on circulating supply or participation trends.
  • Sub-step 3: Set the proposal threshold to a value significantly higher than the cost of a governance attack but accessible to legitimate community members. For a token worth $1 with 1B supply, 1% (10M tokens) is a $10M barrier.
  • Sub-step 4: Hardcode these parameters in the governance constructor or make them adjustable only via a high-threshold governance proposal itself.
solidity
// Example: Configuring thresholds in an OpenZeppelin Governor contract
contract MyGovernor is Governor {
    constructor(IVotes _token)
        Governor("MyGovernor")
    {}

    function quorum(uint256 blockNumber) public view override returns (uint256) {
        // Return 4% of total supply as the quorum
        return (token.getPastTotalSupply(blockNumber) * 4) / 100;
    }

    function proposalThreshold() public view override returns (uint256) {
        // Return 1% of total supply as the proposal threshold
        return (token.getPastTotalSupply(blockNumber) * 1) / 100;
    }
}

Tip: A quorum that is too low (e.g., 1%) allows a minority to pass proposals. A quorum that is too high (e.g., 20%) can lead to governance paralysis. Monitor and adjust via proposals.

4

Integrate Emergency Security Modules

Add circuit breakers and guardian roles to halt malicious proposals that bypass other defenses.

Detailed Instructions

Deploy emergency security modules like a pause guardian or a multi-sig-controlled veto. These are last-resort tools and should have extremely limited, clearly defined scope (e.g., only able to cancel a proposal, not create one). The guardian's power should be revocable by a high-quorum governance vote.

  • Sub-step 1: Design a SecurityCouncil contract with a multi-signature requirement (e.g., 3-of-5 trusted entities).
  • Sub-step 2: Grant this council a single function: vetoProposal(uint256 proposalId). This function should only work during the timelock delay period after a proposal passes.
  • Sub-step 3: Ensure the veto event emits a clear, on-chain reason string for transparency and accountability.
  • Sub-step 4: Create a separate, high-threshold governance proposal template specifically for replacing the Security Council members, ensuring the community retains ultimate control.
solidity
// Example: A simple veto function in a security module
contract SecurityCouncil {
    address public governor;
    mapping(uint256 => bool) public vetoedProposals;

    function vetoProposal(uint256 proposalId, string calldata reason) external onlyMember {
        require(!vetoedProposals[proposalId], "Already vetoed");
        // This would interact with the Governor contract to cancel the proposal
        IGovernor(governor).cancel(proposalId);
        vetoedProposals[proposalId] = true;
        emit ProposalVetoed(proposalId, msg.sender, reason);
    }
}

Tip: The existence of a veto power is controversial. Mitigate centralization risks by making the council members well-known, diverse community figures and broadcasting all veto actions with detailed rationale.

5

Monitor and Analyze Voting Patterns

Establish off-chain monitoring to detect unusual voting behavior and potential collusion.

Detailed Instructions

Vote analysis is a critical off-chain component. Use subgraph indexing or custom scripts to track voting power concentration, delegation flows, and voting coherence. Look for patterns like sudden large delegations to a new address just before a vote, or a bloc of addresses voting identically on all proposals.

  • Sub-step 1: Index governance events (ProposalCreated, VoteCast) using The Graph or an Etherscan-like API.
  • Sub-step 2: Calculate metrics like the Gini coefficient of voting power distribution or the Herfindahl-Hirschman Index (HHI) for delegation concentration.
  • Sub-step 3: Set up alerts for abnormal events: a single address acquiring >20% of delegated power in a 24-hour period, or a proposal receiving 90% of its votes in the final hour.
  • Sub-step 4: Publish these metrics and analyses in a public dashboard (e.g., Dune Analytics) to foster transparency and crowd-source scrutiny.
javascript
// Example: Pseudocode for a script checking vote concentration
const votes = await governorContract.queryFilter("VoteCast");
const proposalVotes = {};
votes.forEach(v => {
    if (!proposalVotes[v.args.proposalId]) proposalVotes[v.args.proposalId] = [];
    proposalVotes[v.args.proposalId].push(v.args.weight);
});
// Calculate HHI for a specific proposal
const weights = proposalVotes["proposalId123"];
const totalWeight = weights.reduce((a, b) => a + b, 0);
const hhi = weights.reduce((sum, weight) => sum + Math.pow((weight / totalWeight) * 100, 2), 0);
console.log(`HHI for proposal: ${hhi}`); // > 2500 indicates high concentration

Tip: Correlate on-chain voting data with forum discussions and social media. A proposal with strong on-chain support but no prior community debate is a major red flag.

Historical Governance Attack Case Studies

Comparison of notable governance attacks, their mechanisms, and outcomes.

Protocol / IncidentAttack VectorFinancial ImpactKey VulnerabilityResolution

Beanstalk Farms (Apr 2022)

Flash loan-enabled governance proposal

$182M in stolen assets

Unrestricted proposal execution before timelock

Protocol relaunch with new token

Fei Protocol / Rari Capital Merger (Apr 2022)

Vote buying via airdrop bribery

Proposal defeated, no direct loss

Concentration of voting power from airdrop

Governance parameters adjusted post-vote

Olympus DAO (suspected, 2021-22)

Treasury diversification proposal manipulation

Strategic treasury allocation shift

Opacity in proposal sourcing and voter incentives

Increased proposal transparency requirements

Curve Finance (CRV) Emissions Vote (2023)

Vote locking and bribery market exploitation

Direction of ~$2M/week in CRV emissions

veToken model concentrating power for rent-seeking

Ongoing discussion on bribery market reforms

SushiSwap MISO Frontend (Sep 2021)

Malicious governance proposal to drain treasury

$3M vulnerability identified, not exploited

Lack of multi-sig timelock on critical contracts

Proposal vetoed by multi-sig, security process overhauled

Bancor (BNT) Tokenomics Upgrade (2022)

Coercive voting via large token delegation

Approval of contentious v3 upgrade

Delegated voting power from foundation/team

Community backlash leading to revised proposal

Advanced Defensive Mechanisms and Designs

Technical strategies to mitigate governance capture and vote manipulation through protocol-level design.

Time-Lock Escrow for Delegated Votes

Vote-locking requires users to escrow their governance tokens for a fixed period when delegating voting power.

  • Prevents rapid delegation changes to swing votes
  • Example: Compound's governance uses a 2-day timelock on delegation changes
  • Increases the cost of vote buying by reducing liquidity and flexibility for attackers

Conviction Voting

Conviction voting weights votes by the duration tokens are committed to a proposal.

  • Voting power accumulates over time a user supports an option
  • Example: Used by 1Hive's Gardens DAO for community funding
  • Deters flash loan attacks and promotes long-term stakeholder alignment over short-term manipulation

Multisig with Enforced Cool-Off Periods

A multisig council with mandated delays between proposal submission and execution.

  • Requires multiple signers (e.g., 5-of-9) for critical upgrades
  • Cool-off period allows community reaction to malicious proposals
  • Provides a circuit breaker against rushed, harmful governance actions

Futarchy and Prediction Markets

Futarchy uses prediction markets to make decisions based on a proposal's expected token value impact.

  • Traders bet on outcomes, revealing market-based forecasts
  • Example: Proposed for MakerDAO's governance evolution
  • Aligns decisions with measurable success metrics, reducing subjective voting influence

Minimum Participation & Quorum Biasing

Quorum biasing adjusts the required approval threshold based on voter turnout.

  • Low turnout requires a higher supermajority (e.g., 60% of 20% turnout)
  • Example: Implemented in some Snapshot voting strategies
  • Protects against apathy-based attacks where a small, motivated group passes proposals

Non-Transferable Reputation Systems

Reputation (Rep) is a non-transferable voting right earned through contributions, separate from liquid tokens.

  • Decouples economic stake from governance power
  • Example: SourceCred and early DAOstack designs
  • Mitigates vote buying as reputation cannot be purchased or delegated maliciously
SECTION-FAQ

Governance Security FAQ

Further Reading and Audits

Uniswap Governance Overview

Details Uniswap’s governance model, delegation mechanics, proposal lifecycle, and risks tied to token-weighted voting.

Visit resource

Compound Governance Documentation

Explains Compound’s on-chain governance system, including proposal thresholds, voting power, and historical governance attacks.

Visit resource

Flash Loan Attacks: Governance Attacks

Analyzes how flash loans enable vote buying and governance manipulation, with real-world DeFi attack examples.

Visit resource

OpenZeppelin Governor Contracts

Technical documentation for Governor contracts, including safeguards, quorum design, and voting delay considerations.

Visit resource

Ethereum.org: Decentralized Autonomous Organizations

Provides an overview of DAO governance models, token-based voting, and systemic risks such as plutocracy and vote buying.

Visit resource

Ready to Start Building?

Let's bring your Web3 vision to life.

From concept to deployment, ChainScore helps you architect, build, and scale secure blockchain solutions.

Start Your ProjectView Our Work
Chat on Telegram
Chat on WhatsApp