Cointime

Cointime

Download App
iOS & Android

The State of DAO Security

Validated Project

by Marta Piekarska

Digital asset hacks are becoming a top concern for the Web3 ecosystem. Nearly $3B have been stolen in hacks so far this year, almost double of the value lost in all of 2021. By these numbers, 2022 is set to be the biggest year in terms of crypto hacks, with exploits ranging from compromised wallets, to insecure smart contracts, and more. Unsurprisingly, security has been a big topic for decentralized autonomous organizations (DAOs) as well. 

We went out and asked some of the top DAOs, including Polygon, Moloch, and Lido, what they thought about the security of DAOs. We’ve grouped our findings under themes such as governance, treasury, and smart contracts. But first, let’s go back to the hack that led to an Ethereum hard fork in 2016.

The DAO Hack

The vulnerabilities of DAOs were exposed with the formation of the first DAO itself. If this was before your time, here’s a quick refresher on what happened: Simply called The DAO, it was formed in 2016. The idea was that investors would put money in, receive tokens and vote on projects developed by the DAO. In a month, the DAO was able to raise $150M from 11k investors.

Unfortunately, before the token sale ended, a vulnerability in the smart contract wallet was found. The team began fixing the issue, but attackers were able to exploit another bug: they made a small contribution and then requested a withdrawal with a recursive function, stealing 3.6M ETH of the 15M ETH in the treasury. The stolen ETH was worth $60M at the time.

Security Concerns for DAOs today

The DAO hack was a pivotal moment in Ethereum history and provided important lessons for the community in what not to do. Six years later, while DAOs are booming, hacks are also happening almost every month. 

Some top concerns that DAOs today have are around governance, smart contracts and treasury. Let’s do a deep dive into each topic.

Governance

Decentralized notifications is one area where we haven’t yet found a good solution. If an attacker is able to block notifications, they can also then sneak bad proposals through without a majority of the DAO noticing. 

Often a proposal requires complicated multicall transactions. These rely on expert knowledge of an ‘operator’ class. If the DAO doesn’t have a culture of auditing and analyzing the proposals, attackers can leverage it to pass proposals with complex outcomes.

Another concern for DAOs is bad configuration. If a DAO is set up incorrectly, with wrong thresholds and timelocks, it creates an opportunity for bad actors. Poorly designed incentives with black swan externalities can also undermine the token’s objective.

Spam is still a big issue for DAOs, especially on gasless sidechains, where people are not disincentivized to spam. Dropping 40k proposals on a DAO can break frontends and make it really hard to filter bad and good ones. This leads to gridlock and the possibility for invalid proposals to get through.

Decentralization can be hard to achieve, especially with small DAOs or early stage ones. DAOs, much like the blockchain that forms the basis of a DAO, are vulnerable to a governance attack, where attackers can borrow a large amount of the governance token to push through a proposal. Tron already (unsuccessfully) tried this, where some players borrowed a lot of COMP to push forward a proposal to add TUSD as an asset to Compound. While the proposal was outvoted, it shows a serious security concern, particularly for protocols with autonomous governance like Compound where the proposals, if passed, will actually change the deployed code to effectuate the change. There is also a risk of “behind the door” coalitions if the community is effectively a group of friends or even a handful of wallets. 

Member apathy is another huge security threat to a DAO – from the above mentioned lack of thorough reviews of proposals to low decentralization. DAOs are really a way to facilitate interactions between humans and technology. Humans tend to be messy, disorganized and lack focus. Technology – meaning smart contracts -= requires logic, sterile code and clarity. Systems can only account for what the creators planned for, and an active community continuously evaluating the state of the DAO is crucial. At the start of a DAO, there often will be some key figures who lead the community to a vision. However, in order to achieve decentralization, the leaders need to step away and allow others to take over. If the community too heavily relies on the leaders, it can lead to big problems.

Smart Contracts

At times, DAOs have hidden back doors and upgradability. Even if the backdoors are set up with best intentions, as escape hatches, they always need to be properly disclosed. Transparency is crucial to make sure that such a “feature” doesn’t turn into a bug. 

Some of the greatest hacks exploit the quality of code of the protocols. Today, we rely on vetting the quality of teams and making sure that the code goes through multiple audits, but that doesn’t always catch all the bugs. 

Generally early stage blockchains and bridges don’t pay attention to significant distribution of their validator sets, which leads to greater risk of key compromise.

Treasury

Treasury security is a very difficult topic and yet many projects decide on ⅔ multisig which is way too low. It does mean efficiency in execution but is easily exploitable. In general, convenience gets in the way of security a lot. 

Lack of regulation has also emerged as a security concern for DAOs. Recent action by the Commodity Futures Trading Commission against Ooki DAO has created some concerns in the community about the path that regulators might take on DAOs. The CFTC has said that it would treat DAOs as other incorporated entities in the US, and DAO members and many Web3 players are challenging this court. The biggest issue with this is that we don’t really know where DAOs fall in the regulatory world. Thankfully there are geographies such as Wyoming and Channel Islands where you can incorporate your DAO – and places such as Bermuda  that are actively exploring the topic. 

As in every part of our life, a general lack of respect for security is a threat. Members of a DAO should be deploying standard operational security via password managers, having some form of local threat detection downloaded on the computer, using cold wallets, etc.

Conclusion

While DAOs have evolved and matured over the years, they still face many security challenges. Hacks are painful, and we need to do better to prevent them from happening. While we may not have arrived at concrete solutions so far, some examples are noteworthy. GovernorDAO is trying to solve for governance attacks with biometric authentication of Ethereum wallets. Decentralized identifiers are also one way to ensure the uniqueness of wallet addresses.

Identifying your vulnerabilities and putting safeguards in place to manage risk is an important factor for DAOs to keep in mind. Are there other areas of concern that you have questions about or suggestions on how you’ve been able to mitigate these concerns? Let us know.

DAO smart contract
Comments

All Comments

Recommended for you

  • The US spot Solana ETF saw a net inflow of $3.64 million yesterday.

     according to SoSoValue data, the US spot Solana ETF had a total net inflow of 3.64 million USD yesterday.

  • The US FDIC plans to establish an application process for regulated institutions seeking to issue payment stablecoins.

    U.S. Federal Deposit Insurance Corporation (FDIC) announced the approval of a proposed rule to establish an application process for institutions seeking to issue payment stablecoins and regulated by the FDIC. A 60-day public comment period has now been opened. It is reported that this is the first formal rulemaking proposal following the passage of the "GENIUS Act" - the "American Stablecoin Innovation Act."

  • BTC breaks through $88,000

     market shows BTC breaking through $88,000, currently at $88,002.21, a 24-hour increase of 1.34%. The market is highly volatile, please manage your risk accordingly.

  • Bitwise believes 2026 will be a bull market for cryptocurrencies and has released ten predictions.

    Bitwise believes 2026 will be a year of a cryptocurrency bull market. From institutional adoption to regulatory progress, the current positive trends in cryptocurrency are too strong to be suppressed for a long time. Here are Bitwise's top ten predictions for the coming year.

  • China Properties Investment plans to purchase and hold BNB as a strategic reserve asset.

    China Real Estate Investment (00736) announced that in order to promote the diversification of the company's asset allocation and seize the opportunities of digital economy development, the company has resolved to use its own funds to purchase and hold BNB (Binance Coin) and other suitable digital assets in the open market, under the premise of complying with relevant laws, regulations, and risk control, as the company's strategic reserve assets. The company is optimistic about the long-term development prospects of the digital asset industry and has full confidence in the operating entity behind BNB, its technology research and development, ecological layout, and industry competitiveness, recognizing its long-term development potential and value growth space in the blockchain field.

  • Payment infrastructure company Speed1 raises $8 million in funding, led by Tether.

    payment infrastructure company Speed1 announced the completion of an $8 million financing round, led by Tether and participated by Ego Death Capital. The company is committed to building instant global settlement channels using the Bitcoin Lightning Network and stablecoins.

  • Visa begins supporting US financial institutions to settle transactions using USDC on Solana.

    Visa has started supporting U.S. financial institutions to use USDC on Solana for transaction settlements. Cross River Bank and Lead Bank are the first institutions to use this service. As a partner of the Circle Arc blockchain, Visa will also provide support after Arc goes live.

  • Bank of America survey: Kevin Hassett expected to lead the Federal Reserve

     Bank of America's December Global Fund Manager Survey shows that most investors expect U.S. President Trump to nominate White House economic advisor Kevin Hassett as the next Federal Reserve Chair. About 69% expect Hassett to be nominated, while only 4% mentioned Federal Reserve Governor Christopher Waller, and another 4% expect former Fed Governor Kevin Warsh. The survey was conducted before Trump told the media he preferred Hassett or Warsh to lead the Fed. Current Federal Reserve Chair Jerome Powell's term will end in May.

  • Singapore-based digital trade platform Olea completes $30 million Series A funding round.

    Singapore digital trade platform Olea has completed a $30 million Series A funding round, with investors including Banco Bilbao Vizcaya Argentaria (BBVA), XDC Network, theDOCK, and SC Ventures, a subsidiary of Standard Chartered Bank. The funds will be used to accelerate the deployment of AI and Web3 solutions in high-growth markets, strengthening embedded finance, risk analysis, and other products. Since its establishment in 2022, the Olea platform has been licensed by the Monetary Authority of Singapore (MAS) CMS and has provided over $3 billion in financing to more than 1,000 enterprises across more than 70 trade corridors.

  • BTC breaks through $87,000

    market shows BTC breaking through $87,000, currently at $86,986.63, with a 24-hour decline of 3.19%. The market is highly volatile, please manage your risk accordingly.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company