The State of DAO Security
Digital asset hacks are becoming a top concern for the Web3 ecosystem. Nearly $3B have been stolen in hacks so far this year, almost double of the value lost in all of 2021. By these numbers, 2022 is set to be the biggest year in terms of crypto hacks, with exploits ranging from compromised wallets, to insecure smart contracts, and more. Unsurprisingly, security has been a big topic for decentralized autonomous organizations (DAOs) as well.
We went out and asked some of the top DAOs, including Polygon, Moloch, and Lido, what they thought about the security of DAOs. We’ve grouped our findings under themes such as governance, treasury, and smart contracts. But first, let’s go back to the hack that led to an Ethereum hard fork in 2016.
The DAO Hack
The vulnerabilities of DAOs were exposed with the formation of the first DAO itself. If this was before your time, here’s a quick refresher on what happened: Simply called The DAO, it was formed in 2016. The idea was that investors would put money in, receive tokens and vote on projects developed by the DAO. In a month, the DAO was able to raise $150M from 11k investors.
Unfortunately, before the token sale ended, a vulnerability in the smart contract wallet was found. The team began fixing the issue, but attackers were able to exploit another bug: they made a small contribution and then requested a withdrawal with a recursive function, stealing 3.6M ETH of the 15M ETH in the treasury. The stolen ETH was worth $60M at the time.
Security Concerns for DAOs today
The DAO hack was a pivotal moment in Ethereum history and provided important lessons for the community in what not to do. Six years later, while DAOs are booming, hacks are also happening almost every month.
Some top concerns that DAOs today have are around governance, smart contracts and treasury. Let’s do a deep dive into each topic.
Decentralized notifications is one area where we haven’t yet found a good solution. If an attacker is able to block notifications, they can also then sneak bad proposals through without a majority of the DAO noticing.
Often a proposal requires complicated multicall transactions. These rely on expert knowledge of an ‘operator’ class. If the DAO doesn’t have a culture of auditing and analyzing the proposals, attackers can leverage it to pass proposals with complex outcomes.
Another concern for DAOs is bad configuration. If a DAO is set up incorrectly, with wrong thresholds and timelocks, it creates an opportunity for bad actors. Poorly designed incentives with black swan externalities can also undermine the token’s objective.
Spam is still a big issue for DAOs, especially on gasless sidechains, where people are not disincentivized to spam. Dropping 40k proposals on a DAO can break frontends and make it really hard to filter bad and good ones. This leads to gridlock and the possibility for invalid proposals to get through.
Decentralization can be hard to achieve, especially with small DAOs or early stage ones. DAOs, much like the blockchain that forms the basis of a DAO, are vulnerable to a governance attack, where attackers can borrow a large amount of the governance token to push through a proposal. Tron already (unsuccessfully) tried this, where some players borrowed a lot of COMP to push forward a proposal to add TUSD as an asset to Compound. While the proposal was outvoted, it shows a serious security concern, particularly for protocols with autonomous governance like Compound where the proposals, if passed, will actually change the deployed code to effectuate the change. There is also a risk of “behind the door” coalitions if the community is effectively a group of friends or even a handful of wallets.
Member apathy is another huge security threat to a DAO – from the above mentioned lack of thorough reviews of proposals to low decentralization. DAOs are really a way to facilitate interactions between humans and technology. Humans tend to be messy, disorganized and lack focus. Technology – meaning smart contracts -= requires logic, sterile code and clarity. Systems can only account for what the creators planned for, and an active community continuously evaluating the state of the DAO is crucial. At the start of a DAO, there often will be some key figures who lead the community to a vision. However, in order to achieve decentralization, the leaders need to step away and allow others to take over. If the community too heavily relies on the leaders, it can lead to big problems.
At times, DAOs have hidden back doors and upgradability. Even if the backdoors are set up with best intentions, as escape hatches, they always need to be properly disclosed. Transparency is crucial to make sure that such a “feature” doesn’t turn into a bug.
Some of the greatest hacks exploit the quality of code of the protocols. Today, we rely on vetting the quality of teams and making sure that the code goes through multiple audits, but that doesn’t always catch all the bugs.
Generally early stage blockchains and bridges don’t pay attention to significant distribution of their validator sets, which leads to greater risk of key compromise.
Treasury security is a very difficult topic and yet many projects decide on ⅔ multisig which is way too low. It does mean efficiency in execution but is easily exploitable. In general, convenience gets in the way of security a lot.
Lack of regulation has also emerged as a security concern for DAOs. Recent action by the Commodity Futures Trading Commission against Ooki DAO has created some concerns in the community about the path that regulators might take on DAOs. The CFTC has said that it would treat DAOs as other incorporated entities in the US, and DAO members and many Web3 players are challenging this court. The biggest issue with this is that we don’t really know where DAOs fall in the regulatory world. Thankfully there are geographies such as Wyoming and Channel Islands where you can incorporate your DAO – and places such as Bermuda that are actively exploring the topic.
As in every part of our life, a general lack of respect for security is a threat. Members of a DAO should be deploying standard operational security via password managers, having some form of local threat detection downloaded on the computer, using cold wallets, etc.
While DAOs have evolved and matured over the years, they still face many security challenges. Hacks are painful, and we need to do better to prevent them from happening. While we may not have arrived at concrete solutions so far, some examples are noteworthy. GovernorDAO is trying to solve for governance attacks with biometric authentication of Ethereum wallets. Decentralized identifiers are also one way to ensure the uniqueness of wallet addresses.
Identifying your vulnerabilities and putting safeguards in place to manage risk is an important factor for DAOs to keep in mind. Are there other areas of concern that you have questions about or suggestions on how you’ve been able to mitigate these concerns? Let us know.