Blockchain Weekly

Blockchain Weekly Tech Edition

Marta Piekarska

Nov 11 2022

The State of DAO Security

Digital asset hacks are becoming a top concern for the Web3 ecosystem. Nearly $3B has been stolen in hacks so far this year, almost double the value lost in all of 2021. By these numbers, 2022 is set to be the biggest year yet for crypto hacks, with exploits ranging from compromised wallets to insecure smart contracts and more. Unsurprisingly, security has been a big topic for decentralized autonomous organizations (DAOs) as well.

We went out and asked some of the top DAOs, including Polygon, Moloch, and Lido, what they thought about the security of DAOs. We’ve grouped our findings under themes such as governance, treasury, and smart contracts. But first, let’s go back to the hack that led to an Ethereum hard fork in 2016.

The DAO Hack

The vulnerabilities of DAOs were exposed with the formation of the first DAO itself. If this was before your time, here’s a quick refresher on what happened: Simply called The DAO, it was formed in 2016. The idea was that investors would put money in, receive tokens and vote on projects developed by the DAO. In a month, the DAO was able to raise $150M from 11k investors.

Unfortunately, before the token sale ended, a vulnerability in the smart contract wallet was found. The team began fixing the issue, but attackers were able to exploit another bug: they made a small contribution and then requested a withdrawal with a recursive function, stealing 3.6M ETH of the 15M ETH in the treasury. The stolen ETH was worth $60M at the time.

Security Concerns for DAOs today

The DAO hack was a pivotal moment in Ethereum history and provided important lessons for the community in what not to do. Six years later, while DAOs are booming, hacks are also happening almost every month. 

Some top concerns that DAOs today have are around governance, smart contracts and treasury. Let’s do a deep dive into each topic.

Governance

Decentralized notifications are one area where we haven’t yet found a good solution. If an attacker is able to block notifications, they can sneak bad proposals through without a majority of the DAO noticing.

Often a proposal requires complicated multicall transactions. These rely on the expert knowledge of an ‘operator’ class. If the DAO doesn’t have a culture of auditing and analyzing proposals, attackers can use that complexity to pass proposals with complex, poorly understood outcomes.

Another concern for DAOs is bad configuration. If a DAO is set up incorrectly, with wrong thresholds and timelocks, it creates an opportunity for bad actors. Poorly designed incentives with black swan externalities can also undermine the token’s objective.

Spam is still a big issue for DAOs, especially on gasless sidechains, where nothing discourages people from spamming. Dropping 40k proposals on a DAO can break frontends and make it very hard to separate good proposals from bad ones. This leads to gridlock and the possibility of invalid proposals getting through.

Decentralization can be hard to achieve, especially for small or early-stage DAOs. DAOs, much like the blockchain that forms the basis of a DAO, are vulnerable to a governance attack, where attackers borrow a large amount of the governance token to push through a proposal. Tron already tried this (unsuccessfully): some players borrowed a lot of COMP to push forward a proposal to add TUSD as an asset to Compound. While the proposal was outvoted, it shows a serious security concern, particularly for protocols with autonomous governance like Compound, where proposals, if passed, actually change the deployed code to put the change into effect. There is also a risk of “behind closed doors” coalitions if the community is effectively a group of friends or even a handful of wallets.
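One set of mitigations for the borrowed-token governance attack above and for the threshold and timelock misconfiguration mentioned earlier, as an added example that is neither Compound's nor any DAO's code: a simplified governor that counts each voter's power at a block before the proposal appeared, so tokens borrowed afterwards carry no votes, and enforces a delay before execution. It assumes a checkpointed governance token exposing getPastVotes, as OpenZeppelin's ERC20Votes does; IVotesLike, SnapshotGovernor and the period constants are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Shape of a checkpointed governance token (like OpenZeppelin ERC20Votes).
interface IVotesLike {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
}

// Simplified governor: yes-vote tally, quorum, snapshot block and a fixed
// delay between the end of voting and execution (against-votes omitted).
contract SnapshotGovernor {
    struct Proposal {
        uint256 snapshotBlock; // voting power is read at this past block
        uint256 votingEnd;     // last block in which votes are accepted
        uint256 forVotes;
        bool executed;
    }
    IVotesLike public immutable token;
    uint256 public immutable quorum;
    uint256 public constant VOTING_PERIOD = 17280; // ~3 days at 15 s/block
    uint256 public constant TIMELOCK = 11520;      // ~2 days before execution
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor(IVotesLike token_, uint256 quorum_) {
        token = token_;
        quorum = quorum_;
    }

    function propose() external returns (uint256 id) {
        // Power is frozen at the previous block: tokens borrowed later carry no votes.
        proposals.push(Proposal(block.number - 1, block.number + VOTING_PERIOD, 0, false));
        return proposals.length - 1;
    }

    function castVote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number <= p.votingEnd, "voting closed");
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock);
    }

    // Timelock: a passed proposal still waits, so members can review it and react.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.votingEnd + TIMELOCK, "timelock active");
        require(p.forVotes >= quorum && !p.executed, "not passed");
        p.executed = true;
        // ... apply the proposal's actions here
    }
}
```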

Member apathy is another huge security threat to a DAO – from the above-mentioned lack of thorough reviews of proposals to low decentralization. DAOs are really a way to facilitate interactions between humans and technology. Humans tend to be messy, disorganized and lack focus. Technology – meaning smart contracts – requires logic, sterile code and clarity. Systems can only account for what their creators planned for, so an active community continuously evaluating the state of the DAO is crucial. At the start of a DAO, there will often be some key figures who lead the community toward a vision. However, in order to achieve decentralization, the leaders need to step away and allow others to take over. If the community relies too heavily on the leaders, it can lead to big problems.

Smart Contracts

At times, DAOs have hidden backdoors and upgradability. Even if the backdoors are set up with the best intentions, as escape hatches, they always need to be properly disclosed. Transparency is crucial to make sure that such a “feature” doesn’t turn into a bug.

Some of the greatest hacks exploit poor code quality in protocols. Today, we rely on vetting the quality of teams and making sure that the code goes through multiple audits, but that doesn’t always catch every bug.

Generally, early-stage blockchains and bridges don’t pay attention to meaningfully distributing their validator sets, which leads to a greater risk of key compromise.

Treasury

Treasury security is a very difficult topic, and yet many projects settle on a 2-of-3 multisig, which is far too low. It does make execution efficient, but it is easily exploitable. In general, convenience gets in the way of security a lot.

Lack of regulation has also emerged as a security concern for DAOs. Recent action by the Commodity Futures Trading Commission against Ooki DAO has created some concerns in the community about the path that regulators might take on DAOs. The CFTC has said that it would treat DAOs like other incorporated entities in the US, and DAO members and many Web3 players are challenging this in court. The biggest issue is that we don’t really know where DAOs fall in the regulatory world. Thankfully there are jurisdictions such as Wyoming and the Channel Islands where you can incorporate your DAO – and places such as Bermuda that are actively exploring the topic.

As in every part of our life, a general lack of respect for security is a threat. Members of a DAO should practice standard operational security: using password managers, running some form of local threat detection on their computers, using cold wallets, and so on.

Conclusion

While DAOs have evolved and matured over the years, they still face many security challenges. Hacks are painful, and we need to do better to prevent them from happening. While we may not have arrived at concrete solutions so far, some examples are noteworthy. GovernorDAO is trying to solve for governance attacks with biometric authentication of Ethereum wallets. Decentralized identifiers are also one way to ensure the uniqueness of wallet addresses.

Identifying your vulnerabilities and putting safeguards in place to manage risk is an important factor for DAOs to keep in mind. Are there other areas of concern that you have questions about or suggestions on how you’ve been able to mitigate these concerns? Let us know.

Written by Marta Piekarska · Categorized: ConsenSys · Tagged: ConsenSys

Oct 28 2022

DAO governance is not failing. Decentralization is.

Decentralization, a founding tenet of our blockchain ecosystem, is key to the reimagined organizational structures that are taking shape in the form of DAOs in Web3. The very name of this new way of organizing, decentralized autonomous organization, points to the importance of decentralization for Web3. However, the idea that DAOs may be becoming recentralized is gaining traction these days. 

I was recently asked for my thoughts on this issue. The concern does not seem unfounded. With prevailing delegation models, we are working our way toward a few wallets holding most of the voting power and projects effectively being completely centralized. The model of delegation, where a contributor can assign another person to vote on their behalf, is furthering this concentration of voting power. This is against everything that we planned when Vitalik outlined the idea for a DAO in 2014. However, I believe that we have the cause and effect wrong. The real problem is not recentralization, but the fact that we are not truly decentralized in the first place.

To fully understand the argument, let’s go back to the creation of the first DAO in 2016. Simply called The DAO, it failed when a hacker stole nearly 3.6M ETH from the DAO. However, The DAO paved the way for the creation of more DAOs. In order to enable decision making, we introduced governance tokens – ERC20s that allowed owners to express their opinions, but only once they had proven that they cared enough to put money behind it. The trouble with this model is the idea of marrying a financial goal with a governance goal. If I buy a token and its price goes up, I need to decide whether I value the right to vote more than I value the investment. In theory, if I care about the project then I should act completely altruistically and not even consider selling the token. However, while smart contracts may not care about getting rich, they are written by humans who do. And behind every DAO there is a group of humans that need to fulfill basic needs of having food to eat and a place to live. Roughly in mid-2021, Web3 participants seemed to be following the same pattern – buy tokens during an LBP (Liquidity Bootstrapping Pool event), see where the project went and either get more involved, or just keep and see if it moons. 

Right now there are almost 5,000 projects with a token that you could become a governor of, according to DeepDAO. There are 3.9M governance token holders, out of which 693,000 are active voters and proposal makers. Before you say that’s plenty – that last number refers to wallets that participated in at least one vote in their lifetime. Now, we all know that we cannot ascertain the number of active members in a DAO by simply dividing 693,000 (wallets) by 5,000 (DAOs). By that calculation, each DAO would have 138 active members. Even if we assume that number to be accurate, that is not enough people to decide on the future of a project. In fact, there are only 22 DAOs that have more than a thousand active members.

We often hear about voter apathy. If you are lucky, about 25% of the token holders will actually vote. That’s worse than a governmental election! I don’t think it comes from a bad place, however. Anecdotally, we know that most people who join DAOs are part of about 10. If we take a conservative estimate of five hours that a member spends being active on the forum and Discord of just one DAO, it adds up to 50 hours a week. This, on top of our actual day jobs. Realistically, each person has time for maybe two or three DAOs a week. That is where delegation comes in handy – one can say I will pay attention to DAOs A, B and C, Jenny will focus on D, E and F, while Tom can take care of activities in DAOs X, Y and Z. We delegate tokens to one another and the case is solved. But now each of those DAOs has only one governor instead of three. This is where we come back to our argument that the real problem is the lack of decentralization.

There are not enough people to be active members of a DAO, or maybe there are too many projects. Simply put, the demand for governors and the supply of people able to fill that role are mismatched. We can introduce delegation, pay delegates to vote, or introduce staking and vTokens to remove voting rights from people who do not vote. All of these are ways to deal with members who are not fulfilling their roles. Likely, there is room for more activation and more education on what it means to be a governor.

Most importantly, we need to work on onboarding more people into Web3. By increasing participation in Web3, we can lead to growth in DAO participation. Even if we take the impressive number of 3.9M token holders, or the 71M Ethereum wallets, that is still less than 0.01% of the human population. Yes, the majority of the 7B people in the world have no interest in DAOs and likely never will. Yet, I think we can do better than 0.01%.

Written by Marta Piekarska · Categorized: ConsenSys · Tagged: ConsenSys
