Huge thanks to the Nounder punk4156 and Ole for the insightful feedback.
Blockchains are highly adversarial environments.
On February 14th, the Build Finance DAO was targeted by a hostile takeover. A malicious actor was able to take control of the Build token contract and run away in profit by calling the minting function.
At block 14169198 the attacker submitted a proposal, requesting the ownership of the Build Finance token contract to 0xDCc8A38A3a1f4eF4d0b4984dCBB31627D0952C28.
On Build’s official discord, one of the developers alerted the community on what was going on and urged everyone to vote against the proposal.
Unfortunately, the message did not reach the community in time, as only one single address managed to vote against with 5001.17 BUILD, while the attacker had 5042.67 BUILD on his side.
From this time on, 0xDCc8A38A3a1f4eF4d0b4984dCBB31627D0952C28 had the complete control over the Build token contract. Minutes later, the attacker called the mint function several times (1, 2, 3) to drain the liquidity pools on running with roughly a net profit of $10.3k.
Four significant factors played a role in the success of the above attack:
- governors apathy
- low voting window frame
- weak proposals discovery
- inappropriate quorum threshold on such a delicate governed parameter (the ownership of the token contract)
A malicious actor owning 50% + 1 of the voting power (either directly or indirectly by bribing) could submit and execute a proposal that would drain the treasury.
This risk is exacerbated because not every governor is active, lowering the attack cost below the absolute majority threshold, as been seen in the Build Finance governors’ lack of response to the hostile takeover.
Several months ago, we published Nouns Governance Attack, where we took the NounsDAO structure and their treasury as a case study.
Today we would like to expand on the topic of the aforementioned article, namely on what can be done to further discourage an attack.
For those who are unaware, the NounsDAO is a decentralized collective governed by the holders of the Nouns, a fully on-chain generative NFT collection.
Every 24 hours, a Noun is generated and sold through an open auction, where the winner gets credited with both the NFT and the underlying voting power. One Noun holds one vote in the DAO. The collected funds from the auction are sent to NounsDAO treasury.
The team behind the creation of the Nouns (the Nounders) gets credited every ten auctions with a Noun, and, to ensure that no malicious proposals can be passed, they are currently credited with a special veto right as a last resort. Their nouns are themselves secured by a 4 of 8 multi-sig, which undergoes a further internal consensus.
The Nounders have been committed to removing the veto right. However, as soon as it is removed, the treasury gets exposed to a potential dishonest majority takeover.
It’s not possible to assert whether the current distribution of the voting power is healthy or not. At the time of the writing, the treasury has 20,394 ETH.
The DAO members are very aware of such a risk. Multiple meaningful discussions and ideas have popped out within the Discord channel and forum.
The fundamental problem to overcome is how to design a neutral system (the smart contract) operating within an adversarial environment (a dishonest majority) to be able to protect the honest minority, or, in other words, how to assert whether a proposal is malicious or not.
Let’s explore and expand some ideas:
1) Reserve Price
Every auction is backstopped by a reserve price calculated as the following
Once the auction ends, if the price is not equal to or greater than the reserve price, the auction is considered nullified, and the underlying Noun is burned. The reserve price would make the EV equal to 0 at most. However, i) it comes at the cost of not allowing a true price discovery on the auctioning cycle ii) it increases the barrier to entry to acquire a Noun iii) it relies on oracles to compute the total treasury value. Furthermore, zero-to-negative EV is assured only in a low inactive voters turnout, as shown in this example table.
Lastly, the proposal needs to be implemented since the start of the auctioning cycle. Otherwise, there’s no guarantee of any malicious party not being accumulating voting power below the unitary fair treasury value, assuring the attack EV to be positive.
The underlying idea is to enforce a function (either linear or exponential) on the required quorum, directly proportional to the contentiousness of the proposal. This will ensure a reasonable degree of agility on the DAO governance, where uncontested proposals will require a low quorum whereas highly contentious ones will require a higher quorum.
This proposal is a reasonable improvement overall compared to the fixed quorum in terms of scalability since it reduces the tradeoff space between friction and security. However, it’s still ineffective against a great dishonest majority voting power.
Pioneered by MolochDAO, the so-called rage-quitting is a function that allows every holder to exit the DAO by redeeming their NAV value share of the treasury (while burning their vote), calculated as
As punk4156 rightfully framed in the NounsDAO discord, while this proposal can protect the holders by giving them the opportunity to withdraw their share in the case of an attack, it comes with the high social cost of free riding.
Every entry under the fair treasury value per Noun essentially turns into a redeemable call option on the activities of the DAO at the expense of those who actively contribute while preserving the long underlying long exposure to ETH. This represents an economic incentive for free riders to join while not providing any meaningful contribution to the DAO, hence degrading the collective decision-making process quality.
4) Rage-quit & Migrate
An alternative rage-quitting mode is where the treasury value shares of whose rage-quit are sent to a brand new treasury contract. The event would de facto result in the network hard forking to oust the dishonest voting power. The flow would be as follow:
- A quorum threshold is reached.
- The Nouns owners who signal the rage-quit have their Nouns burned.
- All the contracts are redeployed 1:1, and all the Nouns metadata are passed to the constructor functions.
- The NAV shares get redeemed and moved to the new treasury contract.
While the proposal will not reduce the EV of an attack to 0 because an attacker would still be able to run away with a profit, it discourages free-riding over the basic rage-quitting implementation as the funds will be kept in the (new) treasury.
The event would technically be quite similar to a chain split. Social coordination around which the legit NounsDAO is will be required as the legacy Nouns and underlying contracts will keep existing. Furthermore, as in any hard fork, all the backward compatibility is broken - namely, all the analytics and related derivative projects.
5) Dynamic penalty
Governance participants will redeem their share of the treasury at each proposal, but instead of withdrawing their entire NAV value, a penalty is retained in the treasury proportionally to the consensus around the proposal, defined as
Below three penalty functions are presented, very different steepness (and flatness) of the curve can be shaped.
To a degree, a penalty disincentivizes free-riding while allowing the governors to exit at small-to-no cost if a contested proposal is submitted like it would be expected in the case of a malicious one. It is noted that from an attacker's standpoint, the incentive is to control the highest voting power possible, as the penalty is what will be left in the treasury by the ragequitters, meaning the EV of the attack increases linearly with the controlled voting power percentage. The higher an attacker controls the voting power (or the lesser the honest voting engages), the higher will be the profit they will run away with.
No presented solution is perfect as there’s no way to reduce the attack vector surface to zero on the fly. However, there exist measures to be implemented to harden the treasury against threats. A reserve price does not allow for governors’ apathy; rage-quitting comes at the high cost of free-riding; rage-quit & migrate is significantly disruptive. Therefore, discounting the benefits and the costs of each explored proposal, we do firmly believe that both dynamicquorumanddynamicpenalty will have to be implemented before removing the Nounders’ veto right, as they offer the best tradeoffs between scalability and security.
On a final note, we have not talked about bribing participants because there’s no analogous defense against it that comes without the cost of renouncing to the delegation system. Ultimately, the human factor remains very relevant. We hope the Nouns Governors will always be vigilant, engage against any adversarial proposal and not ever fall into bribing.