A Comprehensive Research on DAO’s Security by Fairyproof
DAOs (Decentralized Autonomous Organization) [1] are a new form of organization based on blockchain technology. DAOs can be thought of as a…
DAOs (Decentralized Autonomous Organization) [1] are a new form of organization based on blockchain technology. DAOs can be thought of as a new way for people around the globe to work towards a common goal. What makes DAOs hugely different from existing companies, organizations, institutions, etc. is that part or all of DAOs’ governance is conducted based on the rules encoded in smart contracts that run on blockchains.
The first mostly recognized DAO project is “The DAO” [2] which was launched in 2016. However, unfortunately, The DAO eventually failed due to a fatal vulnerability that not only destroyed the project itself but also resulted in a painful hard fork for Ethereum [3].
It seems that day one security concerns have surrounded the development of DAOs.
During the past years, although DAOs have evolved and achieved huge progress and today’s DAOs are far more mature than what they were back in 2016 in nearly every aspect, security concerns don’t seem to fade and DAOs still face a lot of security challenges.
Fairyproof’s research team has done retrospective research on the development of security situations and conditions of DAOs over the past years since 2016 when The DAO was launched.
Based on the vulnerability types, we think of the development of security situations and conditions of DAOs as having gone through three phases.
In the first phase, the biggest security concern lay in smart contracts. In the second phase, the biggest security concern lies in execution mechanisms. In the third phase which is now, the biggest security concern lies in the design of governance rules or mechanisms that apply tokens in governance.
We analyze the security concern in each of these phases and would like to share our exploratory observations with the crypto industry.
Phase I: Security Concerns in Smart Contracts
In this phase, the biggest event was the crash of The DAO. Basically, the root cause of this crash was that a combination of vulnerabilities in The DAO’s smart contracts was exploited by a hacker, and this led to one-third of the project’s funds being drained.
This overwhelming loss halted The DAO project and forced the Ethereum team to hard-fork Ethereum eventually.
After this incident, people no longer talked about DAOs and people’s initial passion for DAOs faded soon.
This incident revealed a painful fact: when smart contract-based dApps were still in their early stages, due to a lack of experience and experimentation in security, smart contract-based DAOs were far from mature to handle even simple cases as expected.
So, in this phase, security concerns in smart contracts were the biggest challenge.
Phase II: Security Concerns in Execution Mechanisms
Although the failure of The DAO severely hit DAOs’ development, there were still teams working hard in this space and pushing the limits of DAOs greatly. The team behind MakerDAO[4] was one of them.
MakerDAO was officially launched on Ethereum in 2017. Since its deployment on Ethereum the team behind it began to explore governing its operations and driving its development by using a DAO. Through years of careful development and management, MakeDAO had been running pretty well, safely and securely, and hadn’t suffered from serious attacks on its smart contracts or encountered any serious security issues.
It was considered one of the most robust, secure, and well-established projects on Ethereum.
MakerDAO’s well-being and accumulated reputation gradually and strongly built-up people’s confidence in DAOs. Meanwhile, over the years, increasingly more teams began to notice the importance of smart contract audits, and more projects got audited before their deployment. This greatly reduced the possibility of being hacked for a project if it had gone through a professional audit.
However, a disruptive incident that happened in March 2020 put MakerDAO in turmoil. And it raised security concerns that almost disappeared in DAOs again.
On March 12, 2020, the overall crypto space was brutally hit by a market crash. Ether which was one of the most important collaterals used in MakerDAO suffered from a huge loss in price. Its price plummeted by more than 50% on that single day. This dramatic change in Ether’s price triggered a massive liquidation of Ethers in MakerDAO.
This liquidation soon caused a serious on-chain traffic jam. However, since MakerDAO had never experienced this massive liquidation, the design of its liquidation mechanism didn’t have adequate resilience to handle this. This led to the liquidation mechanism failing to work as expected.
MakerDAO suffered huge financial losses in this incident.
In this incident, as far as MakerDAO’s smart contracts were concerned, there were no vulnerabilities in the implementation. It was the vulnerabilities in its mechanism that caused the loss.
After this incident, people began to be aware of the design of DAOs’ mechanisms. However, since most of the dApps in the crypto space didn’t apply DAOs that much in their governance like what MakerDAO did, the security concerns in DAOs didn’t last long and DAOs’ security still didn’t gain enough traction broadly.
Phase III: Security Concerns in Governance
In June 2020, one famous DeFi application Compound issued its governance token COMP [5]. In Compound’s design, the COMP token was not only used as a governance token but also used to reward people who provided liquidity to the protocol. This innovative design promptly took DeFi by storm. Nearly all DeFi applications or protocols that were launched before or after Compound followed this design and issued their own governance tokens.
Although Compound was not the first project that issued a governance token it was the project that triggered the issuance of governance tokens among nearly all projects in DeFi.
Since then, governance tokens have been widely used in DeFi applications to conduct their governance through voting. Anyone that holds a project’s governance token can participate in voting for a proposal or submitting a proposal.
Among the projects that issued governance tokens, some project teams listed vital decisions for token holds to vote and some teams designed a very low threshold for token holders to submit whatever proposals. This potentially gave opportunities to malicious actors to hack the projects and inevitably introduced risks. For instance, a malicious actor could bribe other token holders of a project into submitting a proposal or voting for a proposal to exploit the project.
Theoretically, any project that issues its governance token may possibly suffer from such an attack if the majority of the tokens are not held by goodwill actors.
In addition, with an innovative mechanism called “flash-loan” [6] being created by AAVE [7], a malicious actor could even launch such an attack without needing to hold governance tokens. He can leverage a flash-loan to borrow a large number of governance tokens to enforce a proposal to be passed or submitted for execution by paying only a few fees.
Since 2020, various DeFi applications have suffered from these attacks [8][9][10] and the loss of such an attack has been trending increasingly high these years.
Nowadays it has become a major attack on a dApp that uses a DAO to govern its decision-making process. And these attacks are commonly referred to as “governance attacks”.
Like the security issues we discussed in phase II, most of the projects that suffered from a governance attack are not due to vulnerabilities in their smart contracts but due to vulnerabilities in the design of their governance rules or mechanisms.
Nevertheless, governance attacks still haven’t gained adequate awareness compared to attacks on smart contracts.
We think governance attacks will be more popular as more dApps tend to use DAOs. Therefore
Fairyproof has been watching the development of governance attacks. We are not only researching this topic but also have developed utilities to tackle the challenges in this area.
Governance attacks are a new kind of attack that specifically pertains to blockchain applications. They are more complicated than attacks on smart contracts. They are a big challenge to both dApp teams and security companies. We will keep working in this area and publish more articles sharing our research results going forward.
References:
[1] Decentralized autonomous organizations (DAOs), https://ethereum.org/en/dao/
[2] The DAO (organization), https://en.wikipedia.org/wiki/The_DAO_(organization)
[3] Ethereum Classic, https://en.wikipedia.org/wiki/Ethereum_Classic
[4] MakerDAO, https://makerdao.com/
[5] Compound Governance,
https://medium.com/compound-finance/compound-governance-5531f524cf68, Feb 27, 2020
[6] Flash Loans, https://docs.aave.com/faq/flash-loans
[7] AAVE, https://app.aave.com/
[8] Build Finance DAO Suffers Governance Takeover Attack,
https://cryptobriefing.com/build-finance-dao-suffers-governance-takeover-attack/, Feb 15, 2022
[9] Beanstalk founders dismissed concerns about governance attacks before losing $182 million, https://www.theverge.com/2022/4/22/23037325/beanstalk-dismissed-governance-attacks-lost-182-million, April 22, 2022
[10] Fairyproof’s Analysis of the Attack on Fortress Protocol,
https://medium.com/coinmonks/fairyproofs-analysis-of-the-attack-on-fortress-protocol-6fb2df687845, May 9, 2022
Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing