Mike Alliegro

Posted on Apr 05, 2022

The DAO hostile takeovers are coming (and what we can do about it)

Summary: As larger, sophisticated players and institutions enter the space, the frequency of DAO takeovers will increase. We walk through a few recent examples and a hypothetical (and implausible) scenario of a hostile takeover of Lido DAO (LDO) and a subsequent vampire attack on the Lido liquid staking pools.

Recent Hostile Takeovers

The rise in DeFi-centric DAOs with massive treasuries will likely lead to more frequent attempts at hostile governance takeovers. Abysmal participation rates in governance (largely because much of the token supply sits with speculative investors who never vote) have forced DAOs to accept low thresholds for proposal approval. DAO tokens are also more widely distributed, and a larger share of supply is liquid, than is typical for corporate equity stakes, so takeovers are easier to pull off in the DAO space…without the right defense mechanisms in place.

DAO treasuries have reached nearly $13B in early April, a $4B increase m-o-m. While we have not yet seen a proliferation of takeovers, two examples from the past few months are harbingers of attempts to come as the amount of value in the DAO space reaches unprecedented levels.

Source: DeepDAO.io (4/4/22)

In mid-February, Build Finance, a “decentralized venture builder,” suffered a governance takeover by an attacker who successfully passed a vote that handed over full control of the governance contract, the minting keys and the treasury. After one unsuccessful attempt, the attacker moved BUILD tokens to another wallet and submitted the takeover proposal again. By disabling the project's GitBook docs and the proposal bot, and by holding enough tokens to reach the minimum approval on their own, the attacker passed the proposal, minted 1.1M BUILD, and drained the LP pools on Uniswap and Balancer, making off with roughly $500K and tanking the token. More information is available in the project's official tweet.

Build Finance’s on-chain governance model allowed a single proposal to transfer ownership of the one smart contract that could mint BUILD tokens and control the treasury. Other DAOs (e.g. Decentraland DAO) use a combination of off-chain voting and a multi-sig wallet controlled by a committee to enact off-chain decisions on-chain. These governance setups can defend against clearly malicious proposals (e.g. via multi-sig veto) but carry additional trust assumptions and invite the risk that rogue key holders change the protocol against the community’s wishes. Last December, FortressDAO (an Olympus fork) members approved a proposal to fund the creation of FUSD (a new yield-bearing stablecoin) out of the Fortress treasury (~$14M at the time). While the community believed that they would control allocation of FUSD, in reality the only technical staffer and controller of the keys, Eisenberg, assumed full control of the treasury’s FUSD. “My goal is to make money, and if I’m able to produce yield, then I make money that way,” he said.

Governance structures that assume compliance of a small set of key holders with a multi-sig invite unnecessary risk. Ideally, governance should occur on-chain and accepted proposals should be executable code that interacts directly with existing markets or adds newly-supported tokens from standardized templates (à la Compound). However, automatically executable proposals create opportunities for accumulators of DAO tokens to discreetly submit and approve irreversible proposals that drain treasuries or otherwise act maliciously. The low percentage of DAO token holders that actively vote on proposals (historically, sub-10%) means these takeovers are easier than one might think.

Hypothetical Takeover Example — Lido DAO

For fun, we will look at a hypothetical example of a takeover of Lido DAO and a subsequent vampire attack on their liquid staking pools. Lido is a liquid staking protocol on Ethereum. With nearly 3M ETH staked, Lido accounts for over 80% of all liquid staking balances on the network and over 27% of the total ETH staked across validators and pools (currently 11.1M ETH). ETH deposits in Lido liquid staking pools are rewarded with stETH, which can be deposited in LP pools on Curve or used as collateral in lending protocols like Aave, Maker, Compound and Alpha. Liquid staking provides much-needed liquidity for ETH stakers and allows stakers to reap additional rewards on top of Lido pool rewards. Even for large stakers who can run their own validator node, there is little motivation to do so given the economics and slashing risk, outside of altruistic reasons (e.g. providing security to the network).

There are currently ~104M LDO tokens in circulation (circulating market cap at ~$463M). Token holders can vote on a number of proposals, including approving incentives for parties that contribute towards the DAO’s goals (e.g., stETH liquidity providers). For a proposal to pass, more than 50% of votes cast must be in favor, and in addition the “Yes” votes must reach a minimum approval of 5% of the total token supply. Requiring a DAO token vote to approve new liquidity providers has largely prevented vampire attacks since the SUSHI-Uniswap saga. However, with a large enough economic motivation, a DAO takeover that turns into a liquidity drain is a plausible scenario.

In our (again, for fun) example, it is unrealistic to assume an attacker holding exactly 5% of the token supply could pass a malicious proposal, since any meaningful “No” turnout defeats the 50% support requirement. However, with a low percentage of holders voting, we might only need ~10% of the LDO token supply ($46.3M) to approve a new provider, absent a concerted community effort to turn out “No” votes. Our attacker could spin up a new DeFi protocol and pass a proposal in Lido DAO to accept this new protocol into the Lido ecosystem. Subsequently, the protocol could launch a new token that is given to users who deposit stETH (i.e. similar to $SUSHI in exchange for Uniswap LP tokens). With high enough incentives (emissions to token holders could be astronomical), this new protocol would see huge deposits of stETH, which could then be swapped for ETH in the stETH liquidity pools. By draining these pools, an attacker could quickly accumulate nearly 30% of all ETH staked on the network.
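To make the thresholds above concrete, here is a small model of the vote: a proposal passes when the “Yes” side has strictly more than the required support among votes cast and when “Yes” votes alone exceed the minimum acceptance quorum of total supply. The attacker is modelled as a single bloc that votes “Yes” with its whole stake; honest holders turn out at an assumed rate and vote “No” at an assumed rate. This is an added example written for this post, not Lido's or Aragon's code. The 104M supply and $463M market cap are taken from the post; the turnout and “No” share parameters, and the one-basis-point scan granularity, are modelling assumptions.

```python
"""Token-vote takeover model (added example, not Lido DAO's or Aragon's code).

Pass conditions, as described in the post, both treated as strict inequalities:
  support:  yes / (yes + no)      > SUPPORT_REQUIRED   (50%)
  quorum:   yes / total_supply    > MIN_ACCEPT_QUORUM  (5%)
"""

# Figures taken from the post (April 2022).
TOTAL_SUPPLY = 104_000_000                   # LDO in circulation
LDO_PRICE_USD = 463_000_000 / TOTAL_SUPPLY   # ~$4.45, implied by the $463M cap
SUPPORT_REQUIRED = 0.50
MIN_ACCEPT_QUORUM = 0.05


def vote_passes(yes: float, no: float, supply: float = TOTAL_SUPPLY,
                support_required: float = SUPPORT_REQUIRED,
                min_accept_quorum: float = MIN_ACCEPT_QUORUM) -> bool:
    """True if a vote with `yes`/`no` token-weighted votes passes."""
    if yes + no <= 0:
        return False
    support_ok = yes / (yes + no) > support_required
    quorum_ok = yes / supply > min_accept_quorum
    return support_ok and quorum_ok


def attacker_needed_bps(turnout: float, no_share: float = 1.0,
                        support_required: float = SUPPORT_REQUIRED,
                        min_accept_quorum: float = MIN_ACCEPT_QUORUM) -> int:
    """Smallest attacker stake, in basis points of total supply, that passes.

    Assumptions (not from the post): honest holders (everyone but the attacker)
    turn out at rate `turnout`, and `no_share` of that turnout votes "No"; the
    rest vote "Yes". Supply cancels out, so everything is a fraction of 1.0.
    Scanned in 1 bp steps from zero.
    """
    for bps in range(0, 10_001):
        a = bps / 10_000                        # attacker stake as fraction of supply
        honest_votes = turnout * (1.0 - a)      # honest tokens actually cast
        yes = a + (1.0 - no_share) * honest_votes
        no = no_share * honest_votes
        if vote_passes(yes, no, supply=1.0,
                       support_required=support_required,
                       min_accept_quorum=min_accept_quorum):
            return bps
    return 10_000  # a 100% stake always passes, so this is never reached


def attack_cost_usd(bps: int, supply: float = TOTAL_SUPPLY,
                    price: float = LDO_PRICE_USD) -> float:
    """Up-front cost of acquiring `bps` basis points of supply at `price`."""
    return bps / 10_000 * supply * price


if __name__ == "__main__":
    # Sensitivity table: how much stake the attacker needs as honest "No"
    # turnout rises, at the post's 5% quorum and at a hypothetical 20% quorum.
    print(f"{'honest turnout':>15} {'stake @5% quorum':>18} {'stake @20% quorum':>18}")
    for turnout in (0.0, 0.02, 0.05, 0.10, 0.20, 0.50):
        bps5 = attacker_needed_bps(turnout)
        bps20 = attacker_needed_bps(turnout, min_accept_quorum=0.20)
        print(f"{turnout:>14.0%} {bps5 / 100:>16.2f}% {bps20 / 100:>17.2f}%"
              f"   (~${attack_cost_usd(bps5) / 1e6:.1f}M at 5%)")
```

With 10% of the remaining supply turning out and voting “No”, the scan returns 910 bp (9.1% of supply, about $42M), which is where the post's “~10%” estimate comes from; with nobody else voting, the 5% quorum alone binds. The table also shows the other side of the page's point: if honest voters split rather than turning out uniformly against, the attacker's required stake collapses, so a higher acceptance quorum does far more work than the 50% support requirement.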

This scenario is highly implausible for a number of reasons. First, it would require $50M in up-front cost to even acquire enough votes to pass a proposal. Second, the exchange rate between the stETH and the new protocol’s tokens would be extremely low, unless the token massively appreciated after launch (or a mature DeFi project with a valuable token pursued this strategy). Third, negative public perception of the attempt would likely limit stETH deposits and destroy native token value.

Preventing a DAO Takeover

However, with many DAO treasuries quickly amassing huge war chests, the risk of hostile governance takeovers in the DeFi space is certainly increasing. Creating a governance structure that prevents takeover attempts while remaining true to the decentralized ethos of DeFi is a tricky proposition. That being said, there are a few governance implementations that may strike the right balance.

  • Governance should occur on-chain and proposals should include automatically executable code when possible — multi-sig compliance risk is greater than the risk of centralized token accumulation in most scenarios and should be treated as such
  • Automatically executable proposals should conform to standardized templates that are voted on by the community
  • Analytical tools to evaluate proposals based on conformity (to guide less tech-savvy members) and to monitor proposal activity should be implemented (e.g. DAO Analyzer)
  • Sufficiently defensible bots or tools to promote proposal awareness should be introduced to prevent discreet malicious proposals from passing
  • DAO token limits (e.g. 5% of total supply) on wallets can be written into the contract. Realistically, this creates some challenges in initial token distribution but could be implemented with a decreasing limit (e.g. 20%->5%) based on time or treasury growth

In a new space like DAOs, growing pains are expected. However, DAOs managing large treasuries should take the proper precautions to ensure that funds are safe and that the protocol is protected from malicious actors. As the number of sophisticated market participants with huge wallets increases, we will likely see more hostile governance takeovers down the line. Thoughtful implementation of governance structures and suites of analytical tools to mitigate these risks will likely become table stakes as DAOs increasingly manage value on-par with their TradFi counterparts.

Citations

  1. https://thedefiant.io/fall-fortress-dao-olympus-forking/
  2. https://deepdao.io/organizations
  3. https://dune.xyz/eliasimos/Eth2-Liquid-Staking
  4. https://blog.lido.fi/introducing-ldo/
  5. https://cryptoslate.com/build-finance-dao-hostile-takeover-treasury-drained/
  6. https://coinmarketcap.com/alexandria/article/how-to-stake-ethereum-with-lido
