Governance Attacks & Mitigations

Eltonjock.eth asked:

“These sorts of governance failures really make me nervous. Not that I’m only nervous it might happen to me but it has to be very stifling to outsiders looking into the overall DAO scene. Pardon my ignorance, but is there any sort of aggregation of info for what works and doesn’t work for DAOs?”

This was in response to a hostile takeover of Build Finance, resulting in a loss of >$400k.

This thread is intended to collect examples of governance failure modes and mitigations. DAO, governmental and corporate governance examples are all acceptable as references. I’ll collect any examples posted in the comments as top-level items in this post.

DAO Governance Failure Modes:

[Single actor] Low voting participation takeover

Examples:

“Yet it seems the perpetrator sent their governance tokens to a separate wallet and tried again. This proposal, however, was not picked up by the Discord server’s bot (which would detect proposals and put them in a dedicated channel). This proposal appeared to go unnoticed and passed on February 10.”

https://snapshot.org/#/aave.eth/proposal/0x503696efacbacdede008fae3c562f7e47c8325a7a5ef63a24609809180bf729f

Aave already got governance-attacked by Tron, with the recent proposal to deploy on BitTorrent PASSED. Forum post with 3 replies passed with 109k out of 110k AAVE in votes coming in last minute from A SINGLE ADDRESS funded by Poloniex. Source

Mitigation:

This sort of governance attack was the one thing I was concerned about with the @OpenZeppelin governance contracts: without any kind of extension, you have to treat every seemingly won’t-pass vote like a major crisis or risk a last minute whale passing it. To their credit, they took my concerns seriously and implemented a module that extends the voting period if the quorum is reached near the end of voting. ENS and other OZ based DAOs should seriously consider deploying new governors with this module. Source.

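As an added illustration of the mitigation quoted above (example code written for this thread, not OpenZeppelin's contracts and not code from any of the posts), the Python model below compares a fixed-deadline token vote with one that extends the deadline when quorum is first reached, in the spirit of OZ's GovernorPreventLateQuorum. Everything in it is an assumption or constructed: the block numbers, token weights and quorum are made up (loosely shaped after the 109k-of-110k single-address Aave vote); quorum counts For+Abstain as GovernorCountingSimple does; there is no voting delay, proposal threshold or timelock; and the extension rule (deadline becomes max(original deadline, current block + extension) the first time quorum is reached) is a simplified reading of the OZ module, not a line-by-line port.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Vote types, in the same order as OpenZeppelin's GovernorCountingSimple.VoteType.
AGAINST, FOR, ABSTAIN = 0, 1, 2


@dataclass
class Proposal:
    vote_start: int                       # first block at which votes are accepted
    vote_end: int                         # deadline (inclusive) fixed when the proposal is created
    quorum: int                           # minimum For+Abstain weight for the vote to count at all
    votes: Dict[int, int] = field(default_factory=lambda: {AGAINST: 0, FOR: 0, ABSTAIN: 0})
    voters: Set[str] = field(default_factory=set)
    extended_deadline: Optional[int] = None  # set once, the first time quorum is reached


class Governor:
    """Toy block-based governor (assumption: a simplified model, not OZ's code).
    late_quorum_extension == 0 gives the vanilla fixed-deadline behaviour; a positive
    value models the late-quorum extension module."""

    def __init__(self, voting_period: int, quorum: int, late_quorum_extension: int = 0):
        self.voting_period = voting_period
        self.quorum = quorum
        self.late_quorum_extension = late_quorum_extension
        self.proposals: Dict[int, Proposal] = {}
        self._next_id = 1

    def propose(self, current_block: int) -> int:
        pid = self._next_id
        self._next_id += 1
        start = current_block + 1                    # no voting delay in this model
        self.proposals[pid] = Proposal(start, start + self.voting_period, self.quorum)
        return pid

    def deadline(self, pid: int) -> int:
        # Effective deadline is the later of the original and the extended deadline.
        p = self.proposals[pid]
        return p.vote_end if p.extended_deadline is None else max(p.vote_end, p.extended_deadline)

    def quorum_reached(self, pid: int) -> bool:
        p = self.proposals[pid]
        return p.votes[FOR] + p.votes[ABSTAIN] >= p.quorum

    def cast_vote(self, pid: int, voter: str, support: int, weight: int, current_block: int) -> int:
        p = self.proposals[pid]
        if not p.vote_start <= current_block <= self.deadline(pid):
            raise ValueError("voting is closed")
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        p.votes[support] += weight
        # The mitigation: the first time quorum is reached, push the deadline out to
        # current_block + extension, so a late whale cannot also be the last voter.
        if self.late_quorum_extension and p.extended_deadline is None and self.quorum_reached(pid):
            p.extended_deadline = current_block + self.late_quorum_extension
        return self.deadline(pid)

    def state(self, pid: int, current_block: int) -> str:
        if current_block <= self.deadline(pid):
            return "Active"
        if not self.quorum_reached(pid):
            return "Defeated"
        p = self.proposals[pid]
        return "Succeeded" if p.votes[FOR] > p.votes[AGAINST] else "Defeated"


def last_minute_whale(late_quorum_extension: int) -> dict:
    """Replay the failure mode with constructed numbers: almost nobody votes, then a
    single address lands 109k For votes in the final block of the voting period."""
    gov = Governor(voting_period=100, quorum=80_000, late_quorum_extension=late_quorum_extension)
    pid = gov.propose(current_block=0)                               # votes accepted in blocks 1..101
    gov.cast_vote(pid, "lone_holder", FOR, 1_000, current_block=10)  # the only organic vote
    deadline = gov.cast_vote(pid, "whale", FOR, 109_000, current_block=101)  # final block
    out = {"deadline_after_whale": deadline, "state_next_block": gov.state(pid, 102)}
    # The community notices about 40 blocks later and tries to vote the proposal down.
    try:
        gov.cast_vote(pid, "defenders", AGAINST, 150_000, current_block=140)
        out["defense_accepted"] = True
    except ValueError:
        out["defense_accepted"] = False
    out["final_state"] = gov.state(pid, gov.deadline(pid) + 1)
    return out


if __name__ == "__main__":
    print("vanilla governor:    ", last_minute_whale(0))
    print("with 50-block ext.:  ", last_minute_whale(50))
```

With extension 0 the whale's final-block vote closes the proposal as Succeeded and the defenders' vote is rejected; with a 50-block extension the deadline moves to block 151, the defenders' Against vote lands, and the proposal is Defeated. Two caveats worth keeping in mind: the extension triggers on reaching quorum, not on the proposal looking likely to pass, so a whale who votes early simply has a normal voting period in which to be outvoted; and the module buys time, not tokens, so the community still needs enough voting weight and a working alert path (the Discord bot that missed the second Build Finance proposal is the other half of the problem).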