Decentralized autonomous organizations, or DAOs, are growing in popularity alongside the rise of blockchain assets and platforms. While DAOs allow for new levels of equal cooperation among their members as well as profit-sharing, they struggle when it comes to security and governance. These problems need to be addressed before DAOs can reach their potential and see broader implementation.
DAOs’ security gaps
DAOs remove a traditional, centralized form of governance and replace it with one where all community members can propose and vote on future changes to a project or organization. Usually, voting weight is proportional to the amount of governance tokens held in a given wallet.
Because of this, DAOs are considered more inclusive and equitable than more traditional leadership models and are quickly becoming the standard for how decentralized projects are run. This makes sense, as the same mechanisms that define a given platform can also form the basis for its governance. It’s also more than likely that this trend will continue, but there is an emerging problem — the issue of DAO security.
DAOs have a couple of key points for potential security concerns. One comes from the smart contract code itself. If this code isn’t airtight, then not only can glitches arise, but so can exploits. Should an attacker find any crack in the code’s logic, then they can potentially completely undo a DAO’s structure or tokenomics. This puts a lot of pressure on developers to get their smart contracts flawless before being deployed, or else a whole project can be destroyed in minutes.
For an example of this type of risk, look at what recently happened surrounding Temple DAO. Temple DAO was designed to allow users to grow their value while getting minimum exposure to volatility. Unfortunately, due to a weakness in the code, an attacker was able to forge old staking contracts and arbitrarily move balances, which resulted in US$2.3 million being drained from the DAO. This isn’t an isolated incident in terms of smart contracts having flaws, and it highlights how easy it is for problems to slip under the radar.
The other major area for concern is the nature of DAO governance. To this day, many DAOs still only implement token-weighted voting. The problem is that those with deep pockets can have a disproportionate impact on the future of the project, and can even derail a DAO entirely. Centralization can also creep in through a slightly more subtle mechanism, where multiple entities with large stakes privately collude against the good of the community.
A recent event that highlights DAOs’ governance vulnerability comes from Mango Markets, a decentralized exchange built on Solana and managed by the Mango DAO. An attacker initially bought a large amount of MNGO tokens to open a long position, used even more tokens to pump the price of the asset, and then cashed out their position. This drained a significant amount of funds from the DAO and placed them with the attacker. The attacker then used their majority stake to propose and approve that they be given the remaining funds from the DAO.
One more issue that emerges as a result of these previous two points has to do with authority and response time. Even if an attack is detected by the DAO early on, there might be no entity that can quickly react to halt the flow of transactions and stop an attack on its own. Major decisions such as that would require a community vote, and only after that has been settled will the resulting actions be taken. Of course, this can take some time depending on the size and availability across all members. Even a delay of one or two hours can be enough for massive damage to be done. Imagine a bank being robbed in real time, but security isn’t able to enact any type of response until the entire board of directors had taken a vote on it, and you get the idea.
Fortifying DAOs against attacks
There are multiple, important things that DAOs can and need to do if they want to mitigate these risks. By building a more comprehensive system of checks and balances, security within a DAO can be tightened up significantly.
First and foremost is an extensive quality control process for smart contract code that includes audits. Comprehensive and independent audits of the code being deployed must occur, and regularly if the code is still evolving. Audits are the last line of defense against security bugs going into production and their importance can’t be overstated. Having a thorough line-by-line examination of all code by a third party is the best way to achieve a reasonable level of safety before release. Beyond simply looking at a project’s own smart contracts, other protocols that DAOs interact with such as third-party token assets and DeFi markets should also be scrutinized, as some issues only become apparent when multiple protocols integrate in previously unexpected ways.
Next, DAOs need real-time network monitoring. This means publicly available software to track and display the goings on of the whole ecosystem as they unfold. This can catch issues happening as they occur, by documenting moments when large transactions happen or other curious metrics arise.
In order to capitalize on the benefits of audits and monitoring, there also need to be well-defined roles for members of the DAO to respond to these events. Certain members or groups of members must be held responsible for reporting suspicious activity or explicit flaws discovered. There needs to be a chain of command so that sensitive information is only given to the correct people until a solution is found. Ultimately, the protocols for identification, dissemination and reaction should all be understood by the members who need to engage them, or else confusion and chaos could ensue.
Lastly, there also needs to be channels for clearly and transparently communicating with the community. Getting out the pertinent information in a timely manner is very important to show that the project is in good hands. It is also helpful to encourage decentralized security solutions by bringing the larger user base in on both the development and feedback of new systems.
DAO security isn’t a simple thing. There isn’t one strategy that covers all scenarios. Furthermore, it is a field that is still growing and evolving. This means nobody truly knows every possible security issue that may one day arise, nor its solution. However, there is a lot that can be done today to bring DAOs much more in line with the level of safety that they’ll need to see wider adoption. The keys lie in both gathering information as well as knowing what to do with it. By implementing the latest practices, there’s no reason million-dollar losses need to keep happening to these organizations.