Below the fold I look at these problems.
The DAO was the first major "smart contract". Even after it had been exploited on 17th June, 2016 for $50M of notional value, the front page of its web site announced:
The DAO’s Mission: To blaze a new path in business organization for the betterment of its members, existing simultaneously nowhere and everywhere and operating solely with the steadfast iron will of unstoppable code.
The basic idea was:
The DAO was intended to operate as "a hub that disperses funds (currently in Ether, the Ethereum value token) to projects". Investors received voting rights by means of a digital share token; they vote on proposals that are submitted by "contractors" and a group of volunteers called "curators" check the identity of people submitting proposals and make sure the projects are legal before "whitelisting" them.
As it turned out, although the code of the DAO was immutable, the Ethereum platform on which it ran wasn't. The Ethereum community decided to hard-fork so as to return the ETH in the DAO to its original owners. The exploited chain continued as Ethereum Classic, currently "worth" $18.03 versus the forked chain's ETH $1811.
The upshot was that people realized that deploying immutable software meant that any bugs could not be fixed, and that in the real world where the bounty for a bug might be in the millions of dollars this wasn't a risk worth running. So the concept of voting to govern a DAO's actions was extended to include voting to mutate the code, so they became IINO (Immutable In Name Only).
What are the problems with the idea of voting to control, and in particular to update, a DAO? Here is my list:
- Voting takes time
- Voting requires disclosure
- Who are the voters?
- Can the voters understand the proposal?
- Will the vote be effective?
Voting takes time
In On Trusting Trustlessness I wrote:
If a "smart contract" needs to be upgraded to patch a bug or vulnerability, or to recover stolen funds, the multisig members need to (a) be told about it, and (b) be given time to vote, during which time anyone who knows about the reason can exploit it, so (c) keep it secret. Benjamin Franklin wrote “Three may keep a secret, if two of them are dead.” This was illustrated by the $162M Compound fiasco:
"There are a few proposals to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multiday voting window, and Gupta said it takes another week for the successful proposal to be executed."
Compound built a system where, if an exploit was ever discovered, the bad guys would have ~10 days to work with before it could be fixed. This issue is all the more important in an era of flash loan attacks when exploits can be instantaneous.
Voting requires disclosure
I discussed this problem in last September's Responsible Disclosure Policies:
The fundamental problem ... is this:
- Cryptocurrencies are supposed to be decentralized and trustless.
- Their implementations will, like all software, have vulnerabilities.
- There will be a delay between discovery of a vulnerability and the deployment of a fix to the majority of the network nodes.
- If, during this delay, a bad actor finds out about the vulnerability, it will be exploited.
- Thus if the vulnerability is not to be exploited its knowledge must be restricted to trusted developers who are able to ensure upgrades without revealing their true purpose (i.e. the vulnerability). This violates the goals of trustlessness and decentralization.
If cryptocurrencies are not decentralized and trustless, what is their point? Users have simply switched from trusting visible, regulated, accountable institutions backed by the legal system, to invisible, unregulated, unaccountable parties effectively at war with the legal system. Why is this an improvement?
This problem is particularly severe in the case of upgradeable "smart contracts" with governance tokens. In order to patch a vulnerability, the holders of governance tokens must vote. This process:
- Requires public disclosure of the reason for the patch.
- Cannot be instantaneous.
Who are the voters?
As with stocks, the idea of "one token one vote" sounds great but ignores the extreme Gini coefficients of cryptocurrencies. Andrew R. Chow quotes Vitalik Buterin as:
scornful of the dominance of coin voting, a voting process for DAOs that Buterin feels is just a new version of plutocracy, one in which wealthy venture capitalists can make self-interested decisions with little resistance. “It’s become a de facto standard, which is a dystopia I’ve been seeing unfolding over the last few years,” he says.
This ignores an even bigger problem, because it isn't just the VCs or the whales that hold huge stashes of these tokens, it is the exchanges holding them on account for their customers. Strangely, five years earlier Buterin had described a problem:
In a proof of stake blockchain, 70% of the coins at stake are held at one exchange.
This problem is exacerbated by the availability of flash loans, allowing an attacker cheaply and instantaneously to acquire temporary voting power.
An October 2020 example of a flash loan attack on DAO governance was what BProtocol did to MakerDAO:
BProtocol used 50,000 ETH to borrow wrapped ETH from decentralized exchange dYdX. It put the wrapped ETH on Aave protocol to borrow $7 million in MKR governance tokens, which allow holders to vote on proposals affecting Maker’s operations. It locked those tokens to vote for its proposal, then unlocked them to return the funds to AAVE and dYdX.
A more recent example from April 2022 caused this — Beanstalk DeFi platform loses $182 million in flash-loan attack:
The decentralized, credit-based finance system Beanstalk disclosed on Sunday that it suffered a security breach that resulted in financial losses of $182 million, the attacker stealing $80 million in crypto assets.
As a result of this attack, trust in Beanstalk's market has been compromised, and the value of its decentralized credit-based BEAN stablecoin has collapsed from a little over $1 on Sunday to $0.11 right now.
The decentralized finance (DeFi) platform detailed on its Discord channel that the attacker took a flash loan on Aave, a liquidity protocol, and used their voting power from holding a large amount of the Stalk native governance token to pass a malicious proposal.
This attack should not have been a surprise, as Corin Faife reported in Beanstalk founders dismissed concerns about governance attacks before losing $182 million:
In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.
Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.
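
The borrow, vote, repay sequence described in this section, modelled as an added example (not code from this post or from any of the protocols it names). It goes beyond the post by comparing vote weight read from live balances with weight read from a balance snapshot taken before voting opens; `GovToken`, `tally`, `borrow_vote_repay` and all the numbers are constructed for illustration.

```python
from collections import defaultdict

class GovToken:
    """Toy governance token that checkpoints balances per block (constructed model)."""
    def __init__(self):
        self.block = 0
        self.history = defaultdict(list)   # holder -> [(block, balance), ...]

    def balance(self, who):
        return self.history[who][-1][1] if self.history[who] else 0

    def credit(self, who, amount):
        # Record the new balance at the current block height.
        self.history[who].append((self.block, self.balance(who) + amount))

    def prior_balance(self, who, block):
        # Balance as of the end of `block`; later changes are ignored.
        bal = 0
        for b, v in self.history[who]:
            if b <= block:
                bal = v
        return bal

def tally(token, voters, snapshot_block=None):
    """Sum voting weight from live balances, or from a snapshot if one is given."""
    if snapshot_block is None:
        return sum(token.balance(v) for v in voters)
    return sum(token.prior_balance(v, snapshot_block) for v in voters)

def borrow_vote_repay(snapshot):
    """Replay borrow -> vote -> repay inside one block; return (yes, no) weights."""
    token = GovToken()
    token.credit("holders", 600)           # long-term holders, block 0 (constructed)
    token.block = 10                       # proposal created at block 10
    snap = token.block - 1 if snapshot else None
    token.block = 20                       # block in which the vote is cast
    token.credit("borrower", 1000)         # tokens borrowed for this block only
    yes = tally(token, ["borrower"], snap)
    no = tally(token, ["holders"], snap)
    token.credit("borrower", -1000)        # loan repaid in the same block
    return yes, no

if __name__ == "__main__":
    print("live balances:", borrow_vote_repay(snapshot=False))
    print("snapshot     :", borrow_vote_repay(snapshot=True))
```

A snapshot only removes weight acquired after the snapshot block; it does nothing about tokens bought or borrowed for longer, or about the exchange-held stashes discussed above.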
Can the voters understand the proposal?
Whoever the voters may be, just as with a ballot proposition in California, they will be presented with a written description of the proposal. But this isn't what they are voting on. In California, it is a set of changes to the law. In the case of governance tokens, it is a set of changes to the code. It is notoriously difficult to read law or code and determine exactly how it will function in every case.
This was recently demonstrated, as Molly White reports in Tornado Cash DAO suffers hostile takeover:
A proposal ostensibly to penalize cheating network participants in the Tornado Cash crypto tumbler project successfully passed by DAO vote. However, the proposer had added an extra function, which they subsequently used to obtain 1.2 million votes. Now that they have more than the ~700,000 legitimate Tornado Cash votes, they have full control of the project.
The attacker has already drained locked votes and sold some of the $TORN tokens, which are governance tokens that both entitle the holder to a vote but also were being traded for $5–$7 around the time of the attack. The attacker has since tumbled 360 ETH (~$655,300) through Tornado Cash to obscure its final destination. Meanwhile, $TORN plummeted in value more than 30% as the attacker dumped the tokens.
The attacker now has full control over the DAO, which according to crypto security researcher Sam Sun grants them the ability to withdraw all of the locked votes (as they did), drain all of the tokens in the governance contract, and "brick" (make permanently non-functional) the router.
The full details of how this was done are in this thread by samczsun:
Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you're depending on the verified source code to stay the same, make sure the contract doesn't have the ability to selfdestruct
Sam Reynolds reports that:
The Tornado Cash token (TORN) is up 10% after a proposal submitted by a wallet address linked to a recent attack on the decentralized autonomous organization’s (DAO) governance state looks to reverse the malicious changes.
“The attacker posted a new proposal to restore the state of governance," user Tornadosaurus-Hex wrote in the Tornado Cash community forum, adding that there is a "good chance" that the attacker would execute it.
Tornadosaurus-Hex said that the attacker is reverting the TORN tokens they gave themself – which gave them a controlling share of the governance votes – back to zero.
Maybe this time the proposal's code will actually do what he says it does.
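
One way a voter could act on samczsun's advice to check whether a proposal contract can selfdestruct, as an added example (not code from this post, from samczsun, or from Tornado Cash). It scans EVM runtime bytecode for SELFDESTRUCT and for the opcodes that run external code in the contract's own context; the function names and the three sample bytecode strings are constructed for illustration.

```python
# EVM opcodes that bear on "will the verified code stay the code I voted for?"
FLAGGED = {0xFF: "SELFDESTRUCT", 0xF4: "DELEGATECALL", 0xF2: "CALLCODE"}
PUSH1, PUSH32 = 0x60, 0x7F

def scan_runtime_code(code_hex):
    """Return [(offset, opcode_name)] for flagged opcodes in runtime bytecode.

    Linear sweep that skips PUSH immediates, so a 0xff byte that is only
    pushed data is not reported as SELFDESTRUCT.
    """
    if code_hex.startswith("0x"):
        code_hex = code_hex[2:]
    code = bytes.fromhex(code_hex)
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in FLAGGED:
            hits.append((pc, FLAGGED[op]))
        # PUSHn is followed by n bytes of data that must not be decoded as code.
        pc += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)
    return hits

def review_proposal(code_hex):
    """Turn the raw hits into the questions a voter should answer before voting."""
    names = {name for _, name in scan_runtime_code(code_hex)}
    findings = []
    if "SELFDESTRUCT" in names:
        findings.append("contains SELFDESTRUCT: do not rely on the verified source staying the same")
    if names & {"DELEGATECALL", "CALLCODE"}:
        findings.append("runs external code in its own context: review the target contract too")
    return findings

# Constructed samples, not taken from any deployed contract.
BENIGN = "60ff60005500"                   # PUSH1 0xff, PUSH1 0, SSTORE, STOP
WITH_SELFDESTRUCT = "33ff"                # CALLER, SELFDESTRUCT
WITH_DELEGATECALL = "600080808080305af4"  # ..., ADDRESS, GAS, DELEGATECALL

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("selfdestruct", WITH_SELFDESTRUCT),
                          ("delegatecall", WITH_DELEGATECALL)]:
        print(label, scan_runtime_code(sample), review_proposal(sample))
```

A hit is a reason to read the code more closely, not proof of malice: a linear sweep also decodes any non-code bytes the compiler appended to the bytecode, and a clean result says nothing about contracts reached through DELEGATECALL.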
Will the vote be effective?
If the vote is to mutate some "smart contract" controlled by a multisig of all the tokens, it can become effective once a quorum of votes has been cast. But in many cases although the vote is presented as binding, it is in effect advisory. Here are Molly White's reports on a couple of recent examples:
Aragon DAO faces governance crisis:
In June and October 2022, the Aragon DAO — that is, all holders of the $ANT token or (later) their delegates — voted on several proposals supporting a move to place the Aragon treasury under DAO control. The treasury is a pool of crypto assets currently priced at around $174 million. However, the tokens continued to remain under control of the Aragon Association.
On May 9, 2023, the Aragon Association announced that they would not be following through with the treasury change, and instead would be "repurposing the Aragon DAO into a grants program". They attributed the decision to "coordinated social engineering and 51% attack" on the DAO that began shortly after a small portion of the treasury assets were transferred.
First Arbitrum DAO vote spirals into disaster: DAO rejects $1 billion spending proposal, but Arbitrum already started spending:
Arbitrum submitted a proposal for DAO members to vote on various governance processes, as well as the distribution of 750 million ARB tokens to an "Administrative Budget Wallet" — tokens that were priced at around $1 billion.
The vote, which still has a day left before completion, is currently standing at 75% against and 25% in support. However, it was discovered that Arbitrum had already begun spending those 750 million tokens, including via the movement of a substantial amount of tokens, and "conversion of some funds into stablecoins for operational purposes".