BitInsight

Governance Attacks

2026-01-29 · 6 min read

What is a Governance Attack

A governance attack exploits a DAO's decision-making process rather than a bug in the protocol's own logic: the attacker obtains, borrows, or manufactures enough voting power to pass a proposal that benefits them, and the protocol then executes it as a legitimate decision.

Attacker Goals:

  • Treasury fund theft
  • Protocol parameter manipulation
  • Acquiring token minting authority

Attack Types

1. 51% Attack (Majority Attack)

Method:

  • Acquire majority of governance tokens
  • Pass malicious proposals
  • Drain treasury, etc.

Characteristics:

  • Requires massive capital
  • Long-term accumulation or open-market purchase
  • Easily detectable: the accumulation is visible on-chain before the proposal

2. Flash Loan Governance Attack

Method:

  • Borrow large amounts of governance tokens via flash loan
  • Instantly exercise voting power
  • Return tokens within same transaction

Characteristics:

  • No capital beyond gas and the flash loan fee
  • Borrow, vote, execute, and repay all within one transaction
  • Defeated by snapshot-based voting: tokens not held at the snapshot block carry no weight

3. Malicious Proposals

Method:

  • Hide malicious logic in complex code
  • Disguise as normal proposal
  • Pass when review is inadequate

Characteristics:

  • Requires technical expertise
  • Community review provides defense
  • Timelock provides discovery time

4. Vote Buying

Method:

  • Pay token holders (or their delegates) to vote a certain way
  • Buy votes on specific proposals
  • Use bribe marketplaces such as Votium

Characteristics:

  • Legal/illegal boundary is murky
  • Normalized in Curve Wars
  • Not direct fund theft

5. Social Engineering

Method:

  • Manipulate community
  • Spread false information
  • Abuse trust

Beanstalk Attack Case Study

Background

Beanstalk:

  • Algorithmic stablecoin protocol
  • BEAN token
  • TVL ~$180M

Governance Structure:

  • Voting power via Stalk, earned by depositing assets into the protocol's Silo
  • A proposal backed by a 2/3 supermajority of Stalk could be executed immediately through emergencyCommit (no timelock)
  • No flash loan defense: Stalk received in the same transaction counted immediately

Attack Process (April 2022)

1. Fund Acquisition:

  • $1B flash loan from Aave
  • Mostly DAI, USDC, USDT

2. Stalk Token Acquisition:

  • Swapped the borrowed stablecoins for BEAN and LUSD and supplied them to the BEAN3CRV and BEANLUSD Curve pools
  • Deposited the LP tokens into the Silo -> received Stalk
  • Instantly held about 67% of all voting power

3. Pass Malicious Proposal:

  • BIP-18 had been submitted the day before; emergencyCommit required a proposal to be at least 24 hours old, so the flash loan was taken once that window had passed
  • BIP-18 transferred the protocol's assets to the attacker's contract
  • Passed and executed immediately with the 67% supermajority

4. Fund Theft:

  • ~$180M in protocol assets drained
  • Proceeds laundered through Tornado Cash

5. Repay Flash Loan:

  • Repay flash loan with remaining funds
  • Net profit: ~$80M

Attack Summary

Flash loan $1B
    |
    v
Buy BEAN + Deposit -> Acquire Stalk
    |
    v
Pass malicious proposal with 67% voting power
    |
    v
Steal $180M treasury
    |
    v
Repay flash loan
    |
    v
Net profit ~$80M

Vulnerability Analysis

1. No Flash Loan Defense:

  • Could vote with current block balance
  • Not snapshot-based

2. No Timelock:

  • Immediate execution upon proposal passage
  • No review/response time

3. Low Cost of a Supermajority:

  • The Stalk supply was small relative to what a $1B flash loan could buy, so 67% of the vote could be acquired in a single transaction

Other Attack Cases

Build Finance (2022)

Damage: ~$470K

Attack:

  • Accumulated BUILD governance tokens cheaply over time
  • Passed a proposal that handed the attacker control of the token contract, then minted and dumped tokens to drain liquidity
  • Long-term accumulation rather than a flash loan

Tornado Cash Governance (2023)

Attack:

  • Malicious proposal presented as a copy of an earlier, already-reviewed proposal
  • The proposal contract was deployed via CREATE2 and contained a hidden selfdestruct; after the vote passed, the attacker redeployed different bytecode at the same address
  • The replaced code granted attacker-controlled addresses roughly 10,000 TORN of locked voting balance each, far more than the genuine vote: a complete governance takeover

Notable:

  • The code the community reviewed was not the code that executed
  • Review of the proposal text and source was not enough; the target's bytecode must be pinned (for example by code hash) and re-checked at execution time

Mango Markets (2022)

Damage: $114M

Attack:

  • Manipulated the MNGO oracle price to borrow far more than the collateral was worth (the actual theft)
  • Governance was used for extortion, not as the entry point: the attacker voted with the stolen MNGO on a settlement proposal and eventually kept about $47M as a "bounty" while returning the rest
  • Not a direct governance attack

Defense Mechanisms

1. Snapshot-Based Voting

Principle:

  • Vote based on balance at specific past block
  • Neutralizes flash loan instant acquisition

Example:

  • Compound Governor Bravo and OpenZeppelin Governor: weight = getPriorVotes / getPastVotes at the proposal's snapshot block (creation block + voting delay), read from a token that checkpoints balances (ERC20Votes)
  • Voting must open strictly after the snapshot block; if a proposal could be created and voted on in the same block, a borrowed balance would still count

2. Timelock

Principle:

  • Waiting period from proposal passage to execution
  • Response time when malicious proposals are discovered

Common Settings:

  • 24 hours to 7 days (Compound and Uniswap use 2 days)
  • Longer for proposals that touch the treasury or upgrade contracts

3. Quorum Requirements

Principle:

  • Require a minimum participation level for a proposal to pass
  • Prevent a small, coordinated minority from passing proposals when turnout is low

Example:

  • At least 4% of total supply voting in favor (Compound: 400,000 COMP; Uniswap: 40M UNI)
  • Or a fixed minimum token amount

4. Proposal Threshold

Principle:

  • Require minimum tokens to create proposal
  • Deter spam/malicious proposals

Example:

  • Uniswap: 2.5M UNI (~0.25% of supply)
  • Compound: 100 COMP to open an Autonomous Proposal, which must then gather the full proposal threshold in delegated votes before it can be submitted on-chain

5. Guardian/Emergency Authority

Principle:

  • Authority to cancel a queued proposal or pause the protocol in an emergency, but not to execute or change anything itself
  • Multisig or specific addresses

Caution:

  • Centralization element
  • Potential for abuse

6. Vote Escrow (veCRV Method)

Principle:

  • Long-term token locking -> voting rights
  • Neutralizes short-term accumulation/flash loans

Example:

  • Curve: Lock CRV up to 4 years -> veCRV
  • Voting power proportional to lock duration
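The following contract is an added illustration of the vote-escrow idea, not Curve's veCRV code. It is a deliberate simplification: Curve's contract also checkpoints historical balances and allows locks to be extended or topped up, none of which is modelled here. The contract name, the MINTIME/MAXTIME constants and the linear decay formula are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Minimal vote-escrow (assumed simplification of the veCRV idea).
/// Voting power = locked amount * remaining lock time / MAXTIME, decaying linearly.
contract VoteEscrow {
    uint256 public constant MAXTIME = 4 * 365 days;   // longest lock, full weight
    uint256 public constant MINTIME = 1 weeks;        // shortest lock
    struct Lock { uint256 amount; uint256 end; }
    IERC20 public immutable token;
    mapping(address => Lock) public locks;

    constructor(IERC20 _token) { token = _token; }

    function createLock(uint256 amount, uint256 unlockTime) external {
        require(amount > 0 && locks[msg.sender].amount == 0, "lock exists or empty");
        require(unlockTime >= block.timestamp + MINTIME, "lock too short");
        require(unlockTime <= block.timestamp + MAXTIME, "lock too long");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        locks[msg.sender] = Lock(amount, unlockTime);
    }

    // Tokens leave only after the lock expires. A flash loan cannot be repaid in the
    // same transaction once locked, so borrowed tokens give no usable voting power.
    function withdraw() external {
        Lock memory l = locks[msg.sender];
        require(l.amount > 0 && block.timestamp >= l.end, "still locked");
        delete locks[msg.sender];
        require(token.transfer(msg.sender, l.amount), "transfer failed");
    }

    // Linear decay: a 4-year lock of X yields X, a 1-week lock of X only about X/208.
    function votingPower(address who) public view returns (uint256) {
        Lock memory l = locks[who];
        if (block.timestamp >= l.end) return 0;
        return l.amount * (l.end - block.timestamp) / MAXTIME;
    }
}
```

The point to take from it is that short-term accumulation is penalised twice: power is scaled down by lock duration, and the tokens are illiquid for that whole duration, so an attacker must commit real capital for years to buy a majority.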

7. Gradual Execution

Principle:

  • Execute major changes in stages
  • Cannot move entire treasury at once
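To make the Beanstalk vulnerability analysis and the defenses above concrete, here is an added example (not Beanstalk's code, and not OpenZeppelin's or Compound's Governor, although the IVotes signatures match OpenZeppelin's ERC20Votes) of a governor written the vulnerable way beside a hardened version. VulnerableGovernor reads live balanceOf and executes on passage, so borrow -> vote -> execute -> repay fits in one transaction. HardenedGovernor reads checkpointed weight at a snapshot block, enforces a proposal threshold and quorum, queues passed proposals behind a timelock, lets a guardian cancel but never execute, and pins the target's code hash so that the Tornado Cash trick (swapping bytecode at the same address after review) reverts. Contract names, constants, and the code-hash check are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Checkpointed-vote interface (same signatures as OpenZeppelin's IVotes / ERC20Votes).
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}
interface IERC20 { function balanceOf(address account) external view returns (uint256); }

/// VULNERABLE (Beanstalk-style): weight is the live balance and a passed proposal executes at once.
contract VulnerableGovernor {
    struct Proposal { address target; bytes data; uint256 forVotes; uint256 againstVotes; bool executed; }
    IERC20 public immutable token;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    constructor(IERC20 _token) { token = _token; }
    function propose(address target, bytes calldata data) external returns (uint256) {
        proposals.push(Proposal(target, data, 0, 0, false));
        return proposals.length - 1;
    }
    // balanceOf at vote time: a flash-loaned balance counts in full.
    function vote(uint256 id, bool support) external {
        require(!hasVoted[id][msg.sender], "voted");
        hasVoted[id][msg.sender] = true;
        uint256 w = token.balanceOf(msg.sender);
        if (support) proposals[id].forVotes += w; else proposals[id].againstVotes += w;
    }
    // No timelock: borrow -> vote -> execute -> repay fits in one transaction.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed && p.forVotes > p.againstVotes, "not passed");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
    }
}

/// HARDENED: snapshot weights, proposal threshold, quorum, timelock, guardian cancel and a
/// code-hash pin on the target (the Tornado Cash lesson). All constants are illustrative.
contract HardenedGovernor {
    uint256 public constant VOTING_DELAY = 1;        // blocks from proposal to snapshot (must be >= 1)
    uint256 public constant VOTING_PERIOD = 17280;   // blocks, ~3 days at 15 s
    uint256 public constant TIMELOCK_DELAY = 2 days;
    uint256 public constant QUORUM_BPS = 400;        // 4% of snapshot supply
    uint256 public constant THRESHOLD_BPS = 25;      // 0.25% of snapshot supply to propose
    struct Proposal {
        address target; bytes data; bytes32 codehash;
        uint256 snapshot; uint256 deadline; uint256 eta;
        uint256 forVotes; uint256 againstVotes;
        bool queued; bool executed; bool cancelled;
    }
    IVotes public immutable token;
    address public immutable guardian;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    constructor(IVotes _token, address _guardian) { token = _token; guardian = _guardian; }
    function propose(address target, bytes calldata data) external returns (uint256) {
        // Proposer weight is read from the previous block, so it cannot be flash-loaned either.
        uint256 prev = block.number - 1;
        require(token.getPastVotes(msg.sender, prev) >= token.getPastTotalSupply(prev) * THRESHOLD_BPS / 10000, "below threshold");
        uint256 snap = block.number + VOTING_DELAY;
        proposals.push(Proposal(target, data, target.codehash, snap, snap + VOTING_PERIOD, 0, 0, 0, false, false, false));
        return proposals.length - 1;
    }
    function vote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(block.number > p.snapshot && block.number <= p.deadline, "not active");
        require(!hasVoted[id][msg.sender], "voted");
        hasVoted[id][msg.sender] = true;
        // Checkpointed balance at the snapshot block: tokens acquired after it carry no weight.
        uint256 w = token.getPastVotes(msg.sender, p.snapshot);
        if (support) p.forVotes += w; else p.againstVotes += w;
    }
    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.deadline && !p.queued && !p.cancelled, "not ended");
        uint256 quorum = token.getPastTotalSupply(p.snapshot) * QUORUM_BPS / 10000;
        require(p.forVotes > p.againstVotes && p.forVotes >= quorum, "not passed");
        p.queued = true;
        p.eta = block.timestamp + TIMELOCK_DELAY;    // review window starts here
    }
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.queued && !p.executed && !p.cancelled, "not queued");
        require(block.timestamp >= p.eta, "timelock");
        require(p.target.codehash == p.codehash, "target code changed since review");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
    }
    // Emergency brake: the guardian can only stop a proposal, never execute one.
    function cancel(uint256 id) external {
        require(msg.sender == guardian, "not guardian");
        require(!proposals[id].executed, "already executed");
        proposals[id].cancelled = true;
    }
}
```

Two caveats worth checking in any real deployment: the snapshot only helps if the token actually checkpoints balances (a plain ERC-20 has no getPastVotes), and the code-hash pin only covers the direct target, so proposals that call into proxies or factories need the implementation addresses pinned as well.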

Defense Checklist

Protocol Design

  • Snapshot-based voting (flash loan defense)
  • Timelock (minimum 24 hours)
  • Appropriate quorum requirements
  • Proposal threshold
  • Emergency pause mechanism
  • Automated proposal checks: simulate the calldata on a fork and verify the target's bytecode matches the reviewed source

Community

  • Review all proposals carefully
  • Alert on suspicious proposals
  • Monitor large token movements
  • Watch new large holders

Token Holders

  • Choose delegation carefully
  • Review major proposals directly
  • Report suspicious activity

Governance Security Dilemma

Decentralization vs Security

Problem:

  • Full decentralization = Vulnerable to attacks
  • Enhanced security = Introduces centralization

Guardian Dilemma:

  • With emergency authority = Centralized
  • Without = Cannot respond to attacks

Participation vs Efficiency

Problem:

  • High quorum = Low pass rate
  • Low quorum = Minority rule

Current Compromise

Most protocols:

  • Snapshot + Timelock + Quorum
  • Guardian authority (limited)
  • Gradual decentralization

Governance Attack Response

When Attack is Discovered

  1. Immediate Alert: Discord, Twitter, etc.
  2. Activate Guardian: Emergency pause
  3. Mobilize Community: Opposition votes
  4. Consider Legal Action: If possible

After Successful Attack

  1. Assess Losses
  2. Analyze Vulnerabilities
  3. Rebuild Protocol (Fork)
  4. Establish Compensation Plan
  5. Strengthen Defense Mechanisms

Summary

Governance attacks exploit DAO decision-making processes to gain unfair benefits such as treasury theft. The Beanstalk case is a representative attack that used flash loans to instantly acquire voting power and steal $180M. Key defenses include snapshot-based voting (flash loan defense), timelocks (response time), quorum requirements, and emergency pause authority. There's a tradeoff between complete decentralization and security, and most protocols use combinations of defense mechanisms. Active community monitoring and proposal review is the last line of defense.

Next article: Complete DeFi Risk Guide - For Safe DeFi Participation