Cointime

Cointime

Download App
iOS & Android

The State of DAO Security

Validated Project

by Marta Piekarska

Digital asset hacks are becoming a top concern for the Web3 ecosystem. Nearly $3B have been stolen in hacks so far this year, almost double of the value lost in all of 2021. By these numbers, 2022 is set to be the biggest year in terms of crypto hacks, with exploits ranging from compromised wallets, to insecure smart contracts, and more. Unsurprisingly, security has been a big topic for decentralized autonomous organizations (DAOs) as well. 

We went out and asked some of the top DAOs, including Polygon, Moloch, and Lido, what they thought about the security of DAOs. We’ve grouped our findings under themes such as governance, treasury, and smart contracts. But first, let’s go back to the hack that led to an Ethereum hard fork in 2016.

The DAO Hack

The vulnerabilities of DAOs were exposed with the formation of the first DAO itself. If this was before your time, here’s a quick refresher on what happened: Simply called The DAO, it was formed in 2016. The idea was that investors would put money in, receive tokens and vote on projects developed by the DAO. In a month, the DAO was able to raise $150M from 11k investors.

Unfortunately, before the token sale ended, a vulnerability in the smart contract wallet was found. The team began fixing the issue, but attackers were able to exploit another bug: they made a small contribution and then requested a withdrawal with a recursive function, stealing 3.6M ETH of the 15M ETH in the treasury. The stolen ETH was worth $60M at the time.

Security Concerns for DAOs today

The DAO hack was a pivotal moment in Ethereum history and provided important lessons for the community in what not to do. Six years later, while DAOs are booming, hacks are also happening almost every month. 

Some top concerns that DAOs today have are around governance, smart contracts and treasury. Let’s do a deep dive into each topic.

Governance

Decentralized notifications is one area where we haven’t yet found a good solution. If an attacker is able to block notifications, they can also then sneak bad proposals through without a majority of the DAO noticing. 

Often a proposal requires complicated multicall transactions. These rely on expert knowledge of an ‘operator’ class. If the DAO doesn’t have a culture of auditing and analyzing the proposals, attackers can leverage it to pass proposals with complex outcomes.

Another concern for DAOs is bad configuration. If a DAO is set up incorrectly, with wrong thresholds and timelocks, it creates an opportunity for bad actors. Poorly designed incentives with black swan externalities can also undermine the token’s objective.

Spam is still a big issue for DAOs, especially on gasless sidechains, where people are not disincentivized to spam. Dropping 40k proposals on a DAO can break frontends and make it really hard to filter bad and good ones. This leads to gridlock and the possibility for invalid proposals to get through.

Decentralization can be hard to achieve, especially with small DAOs or early stage ones. DAOs, much like the blockchain that forms the basis of a DAO, are vulnerable to a governance attack, where attackers can borrow a large amount of the governance token to push through a proposal. Tron already (unsuccessfully) tried this, where some players borrowed a lot of COMP to push forward a proposal to add TUSD as an asset to Compound. While the proposal was outvoted, it shows a serious security concern, particularly for protocols with autonomous governance like Compound where the proposals, if passed, will actually change the deployed code to effectuate the change. There is also a risk of “behind the door” coalitions if the community is effectively a group of friends or even a handful of wallets. 

Member apathy is another huge security threat to a DAO – from the above mentioned lack of thorough reviews of proposals to low decentralization. DAOs are really a way to facilitate interactions between humans and technology. Humans tend to be messy, disorganized and lack focus. Technology – meaning smart contracts -= requires logic, sterile code and clarity. Systems can only account for what the creators planned for, and an active community continuously evaluating the state of the DAO is crucial. At the start of a DAO, there often will be some key figures who lead the community to a vision. However, in order to achieve decentralization, the leaders need to step away and allow others to take over. If the community too heavily relies on the leaders, it can lead to big problems.

Smart Contracts

At times, DAOs have hidden back doors and upgradability. Even if the backdoors are set up with best intentions, as escape hatches, they always need to be properly disclosed. Transparency is crucial to make sure that such a “feature” doesn’t turn into a bug. 

Some of the greatest hacks exploit the quality of code of the protocols. Today, we rely on vetting the quality of teams and making sure that the code goes through multiple audits, but that doesn’t always catch all the bugs. 

Generally early stage blockchains and bridges don’t pay attention to significant distribution of their validator sets, which leads to greater risk of key compromise.

Treasury

Treasury security is a very difficult topic and yet many projects decide on ⅔ multisig which is way too low. It does mean efficiency in execution but is easily exploitable. In general, convenience gets in the way of security a lot. 

Lack of regulation has also emerged as a security concern for DAOs. Recent action by the Commodity Futures Trading Commission against Ooki DAO has created some concerns in the community about the path that regulators might take on DAOs. The CFTC has said that it would treat DAOs as other incorporated entities in the US, and DAO members and many Web3 players are challenging this court. The biggest issue with this is that we don’t really know where DAOs fall in the regulatory world. Thankfully there are geographies such as Wyoming and Channel Islands where you can incorporate your DAO – and places such as Bermuda  that are actively exploring the topic. 

As in every part of our life, a general lack of respect for security is a threat. Members of a DAO should be deploying standard operational security via password managers, having some form of local threat detection downloaded on the computer, using cold wallets, etc.

Conclusion

While DAOs have evolved and matured over the years, they still face many security challenges. Hacks are painful, and we need to do better to prevent them from happening. While we may not have arrived at concrete solutions so far, some examples are noteworthy. GovernorDAO is trying to solve for governance attacks with biometric authentication of Ethereum wallets. Decentralized identifiers are also one way to ensure the uniqueness of wallet addresses.

Identifying your vulnerabilities and putting safeguards in place to manage risk is an important factor for DAOs to keep in mind. Are there other areas of concern that you have questions about or suggestions on how you’ve been able to mitigate these concerns? Let us know.

DAO smart contract
Comments

All Comments

Recommended for you

  • Trump Threatens to Destroy Iranian Power Plants if Strait of Hormuz Not Opened

    March 20 - Trump stated that if Iran does not fully open the Strait of Hormuz within 48 hours, the United States will strike and destroy multiple Iranian power plants, starting with the largest one. (Jins10)

  • ETH Drops Below $2100

    Market data shows that ETH has fallen below $2100, currently trading at $2095.44. It has experienced a 24-hour decline of 2.47%. The market is experiencing significant volatility, so please manage your risk accordingly.

  • BTC Drops Below $69,000

    Market data shows that BTC has fallen below $69,000, currently trading at $68,955. The cryptocurrency has seen a 2.31% decrease in the past 24 hours. The market is experiencing significant volatility, and investors are advised to implement risk control measures.

  • BTC Drops Below $70,000

    Market data shows that BTC has fallen below $70,000, currently trading at $69,988.17. It has experienced a 0.74% decrease in the past 24 hours. The market is experiencing significant volatility, so please manage your risk accordingly.

  • Golden Morning News | Key Overnight Developments on March 22

    9:00 PM - 7:00 AM Keywords: Iran, US Dollar, Strait of Hormuz 1. BofA: Maintains a medium-term bearish view on the US Dollar. 2. Israeli Defense Minister states that strikes against Iran will intensify in the coming week. 3. Iranian Armed Forces announce significant actions being taken in the Strait of Hormuz. 4. US media reports that Trump's team is developing strategies for potential peace talks with Iran. 5. Analysts: US SEC's cryptocurrency guidance marks the "end of an era" for Gensler. 6. British media: Over 20 countries declare readiness to contribute to ensuring safe passage through the Strait of Hormuz. 7. Cryptocurrency companies lay off hundreds of employees within weeks, attributing it to a weak market and powerful AI.

  • US Media: Trump Team Strategizing for Potential Iran Peace Talks

    According to the website AXIOS, a US official and an informed source revealed that after three weeks of war, the Trump administration has begun preliminary discussions on the next phase and the possible form of peace negotiations with Iran. US President Trump stated on Friday that he is considering a "phased end" to the war, but US officials indicated that the fighting is expected to continue for another two to three weeks. Meanwhile, Trump's advisors hope to begin preparing for diplomatic mediation. Sources revealed that Trump's envoys Kushner and Wittcoff are participating in discussions regarding potential diplomatic avenues. Any agreement to end the war must include the reopening of the Strait of Hormuz, addressing Iran's enriched uranium stockpile, and reaching a long-term agreement on Iran's nuclear program, ballistic missiles, and support for regional proxies. Other sources also revealed that although Egypt, Qatar, and the UK have all conveyed messages between the US and Iran, there have been no direct contacts between the US and Iran in recent days. Egypt and Qatar have informed the US and Israel that Iran is interested in negotiations, but the conditions are very tough, with Iran's demands including a ceasefire, guarantees against future wars, and reparations.

  • BTC Surges Past $71,000

    Market data shows that BTC has broken through $71,000, currently trading at $71,007.92. It has seen a 1.93% increase in the last 24 hours. The market is experiencing significant volatility, so please manage your risk accordingly.

  • Golden Evening News | Key Developments on March 21st

    12:00-21:00 Keywords: Coinbase, Iran, OpenAI, James Wynn 1. Citigroup: Bitcoin could reach $165,000 this year. 2. Iranian Foreign Minister states the pursuit of a complete end to the war, not a temporary ceasefire. 3. OpenAI plans to nearly double its workforce to 8,000 employees by the end of the year. 4. James Wynn returns to HyperLiquid, shorting Bitcoin with 40x leverage. 5. Tim Cook responds to OpenClaw driving Mac Mini sales: Neural Engine added ten years ago. 6. Coinbase's asset management arm launches tokenized shares of a Bitcoin fund, accelerating its asset tokenization strategy.

  • Polymarket to Announce Major News Next Monday, Potentially Related to Token Launch or Funding

    March 21st news: A member of the official Polymarket team, Mustafa, posted on X stating that major news will be announced next Monday. Due to the inclusion of a coin emoji in the tweet, the community speculates that the significant news may be related to funding or a token launch. Previously, it was reported that prediction market platforms Kalshi and Polymarket were in discussions with potential investors for a new round of financing, with both targeting valuations of approximately $20 billion. Kalshi has recently completed a new round of financing exceeding $1 billion, reaching a valuation of $22 billion, doubling its valuation from the previous round in December last year, which was $11 billion. Sources familiar with the matter revealed that this round of financing was led by Coatue Management, and Kalshi's current annualized revenue is $1.5 billion.

  • Midday Briefing | Key Updates for March 21

    7:00 AM - 12:00 PM Keywords: Zedxion, Gold, Galaxy Digital, US SEC 1. UK Proposes Revoking License for Crypto Exchange Zedxion for Allegedly Facilitating Funding for Iran. 2. Gold Records Largest Weekly Drop in 43 Years. 3. Sources: Trump Administration Developing Plan to Seize Iranian Nuclear Material Reserves. 4. CryptoQuant Analyst: Galaxy Digital Suspected of Selling Approximately 700 BTC. 5. Galaxy Head of Research: New SEC Rules Reshape Digital Asset Regulation, Providing Clear Secondary Market Channels. 6. Claude Code Launches Cloud-Based Scheduled Tasks: Automates PR reviews, dependency upgrades, no local execution needed. 7. World Team Suspected of Conducting OTC Trade with an Entity, Sending 117 Million WLD.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company