Avoid governance attacks: Governance experience of blue-chip DeFi

TokenInsight
2022-03-05 12:58:36
This article compares the governance mechanisms of several blue-chip DeFi projects to see how they avoid governance attacks.


Author: 0xEdwardyw, Tokeninsight

Attacks on protocols in the crypto space occur from time to time, and governance attacks are one type. In a governance attack, the attacker gains control of the protocol's governance, mints a large number of tokens, and steals all the assets from the protocol's treasury. The most recent incident occurred in February, when a venture capital DAO - Build Finance - suffered a governance attack that led to the complete failure of the protocol. This article will compare the governance mechanisms of several blue-chip DeFi protocols to see how they avoid governance attacks.

Different Levels of Decentralized Governance


Source: OurNetwork: Deep Dive #2 -- Governance Extractable Value

In the early stages of a protocol's development, the protocol is usually controlled by the development team through a single key, which eliminates the possibility of governance attacks. As the protocol matures, the development team gradually decentralizes some control, and the protocol is managed through a multi-signature arrangement. The multi-signature signers may include the development team, key community participants, or major investors. In practice this differs little from the team fully controlling the protocol: it is still governed jointly by trusted stakeholders, and governance attacks remain impossible.

As the protocol further evolves towards decentralized governance, governance tokens are issued to completely distribute governance rights to the holders of these tokens. Significant changes to the protocol are decided by on-chain voting with governance tokens, and governance proposals that pass voting are automatically executed according to pre-set procedures. At this point, the issue of governance attacks may arise, and the protocol needs to carefully design its governance mechanism to prevent such attacks.

Example of Governance Attack on Build Finance

Build Finance is a protocol governed by a DAO, where governance token holders can vote to mint tokens and use the treasury. On February 9, a moderator in the protocol's Discord announced that someone had initiated a malicious governance proposal, which, if passed, would allow the attacker to freely mint protocol tokens. The community successfully voted to reject this proposal, and the first governance attack failed.

The attacker transferred their tokens to another wallet and initiated a second proposal. This time, the protocol's Discord bot did not detect the new proposal (under normal circumstances, the bot should detect new proposals and place them in a specific discussion area). This governance proposal passed on February 10 without anyone in the community noticing.

The Build protocol has a two-day time lock, and the governance attack proposal was approved on February 10. The development team announced on Twitter on February 14 that the attacker had completely taken control of the DAO and the token minting rights, minting 1.1 million tokens. The attacker sold all the new tokens on a DEX, rendering the protocol tokens worthless.

According to Build Finance's introduction on its Medium page, the protocol uses the Governor Bravo governance mechanism. Governor Bravo is a successful governance mechanism created by Compound Finance and is adopted by many blue-chip DeFi protocols, including Uniswap and AAVE.

Governor Bravo allows for the transfer of control over the protocol and treasury funds, giving attackers the opportunity to gain complete governance rights over the protocol. Despite being widely adopted by blue-chip DeFi protocols, this governance mechanism itself does not prevent governance attacks from occurring.

Successful Governance Models: Governor Alpha & Bravo

Compound Finance's Governor Alpha governance model and its updated version, Governor Bravo, are widely used by many DeFi protocols. The governance process of Governor Bravo is as follows:

Source: Compound

Submitting a governance proposal requires 65,000 $COMP, and the proposal then goes through a two-day review period. After that, it enters a three-day voting period. If more than half of the votes are in favor and at least 400,000 votes are cast, the proposal is approved and enters a time lock. The time lock lasts for two days, after which the proposal will be automatically executed by the protocol.

Uniswap uses the Governor Bravo governance mechanism, and the governance process is similar to that of Compound. Uniswap has significantly raised the thresholds for proposing governance proposals and for the approval of governance proposals. Proposing a proposal requires 2.5 million $UNI tokens, which is approximately $25 million based on the price on February 21. The total number of votes required is 40 million $UNI, close to $400 million in value.
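The lifecycle described above can be modelled off-chain so that every live proposal is tracked independently of any notification bot. The following is an added example, not code from Compound or from the original article; the `Proposal` record, the function names and the sample data are hypothetical, and the parameters are the Compound figures quoted above.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds
# Compound figures as quoted in the article above.
PROPOSAL_THRESHOLD = 65_000   # COMP required to submit a proposal
REVIEW_PERIOD, VOTING_PERIOD, TIMELOCK = 2 * DAY, 3 * DAY, 2 * DAY
QUORUM = 400_000              # minimum number of votes cast

@dataclass
class Proposal:               # hypothetical record built from chain data
    pid: int
    created: int              # unix time the proposal was submitted
    proposer_votes: float
    votes_for: float = 0.0
    votes_against: float = 0.0

def state(p, now):
    """Lifecycle stage of proposal `p` at unix time `now`."""
    if p.proposer_votes < PROPOSAL_THRESHOLD:
        return "rejected_at_submission"
    vote_start = p.created + REVIEW_PERIOD
    vote_end = vote_start + VOTING_PERIOD
    if now < vote_start:
        return "review"
    if now < vote_end:
        return "voting"
    cast = p.votes_for + p.votes_against
    if cast < QUORUM or p.votes_for <= p.votes_against:
        return "defeated"
    return "timelock" if now < vote_end + TIMELOCK else "executable"

def seconds_until_executable(p, now):
    """Time the community still has to react before automatic execution."""
    return max(0, p.created + REVIEW_PERIOD + VOTING_PERIOD + TIMELOCK - now)

def unannounced(on_chain, announced_ids, now):
    """Live proposals that the notification channel never surfaced."""
    live = {"review", "voting", "timelock"}
    return [(p.pid, state(p, now), seconds_until_executable(p, now))
            for p in on_chain
            if p.pid not in announced_ids and state(p, now) in live]

# Constructed sample data: proposal 2 was never announced to the community.
T0 = 1_700_000_000
SAMPLE = [Proposal(1, T0, 70_000, 100_000, 450_000),
          Proposal(2, T0 + DAY, 70_000, 420_000, 10_000)]
```

Calling `unannounced(SAMPLE, {1}, T0 + 6 * DAY + DAY // 2)` reports proposal 2 in its time lock with 1.5 days left, which is the situation the Build Finance community found itself in without knowing it.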

AAVE -- Modified Version of Governor Bravo

AAVE's governance model is similar to Governor Bravo but adds two elements. The first is to divide the time lock into fast and slow types. Governance proposals that are of lower importance and risk can be executed quickly through a fast time lock. In contrast, significant proposals require a slow time lock, allowing the community more time to respond. For example, if a governance attack proposal is passed, the slow time lock gives the community ample time to decide how to remedy the situation, such as whether to fork the entire protocol to a new address.



Another important element is AAVE's multi-signature guardian (AAVE Guardian). In the Governor mechanism, there is a Pause function. The Pause function can halt the protocol's minting, borrowing, transferring, and liquidation functions, but it cannot prevent governance attackers from passing a governance proposal with enough tokens. The guardian function allows for the direct cancellation of a proposal as long as it has not been executed, and it can be canceled at any point in the process. The guardian function is the most effective way to prevent any malicious governance proposals.

Security Measures

Many elements of Governor Bravo have already become the gold standard in governance, and however different the governance mechanisms adopted by other protocols are, they all contain these elements to varying degrees.

  1. Time Lock: Almost all protocols have adopted time locks. The buffer time between the proposal's approval and its execution by the system gives the community and token holders time to react. Theoretically, if users and token holders of the protocol have opposing views on a proposal, they can exit the protocol and sell their tokens during the time lock period. The longer the time lock, the stronger the protection for the protocol, but an excessively long time lock may prevent timely fixes when sudden system issues arise.

  2. High Requirements for Proposal Approval: In the case of Uniswap, the value of tokens required to pass a proposal is very high, making the cost of conducting a governance attack extremely high. Moreover, the entire treasury of Uniswap consists of $UNI tokens, so even if an attack is successful and control of the treasury is obtained, the market price of $UNI would quickly drop, making the attacker's profits unlikely to exceed the initial costs.

Source: Tokeninsight Annual DeFi report

  3. Multi-Signature Guardians: As long as a malicious governance proposal is detected, this is the most effective way to prevent governance attacks. However, in a decentralized governance framework, who should be granted such significant power is an open question. AAVE uses community voting to decide on 10 guardian members, and any proposal can be vetoed with the agreement of 5 of them.

Voting Mechanism of MakerDAO

MakerDAO has a completely different voting method from the aforementioned Governor governance mechanisms. In the Governor model, governance token holders vote on a governance proposal, and regardless of whether it is ultimately approved or rejected, this voting process terminates, and the governance tokens are returned.

MakerDAO uses a continuous approval voting system. Its distinguishing feature is that when you vote on a proposal with the governance token $MKR and the proposal is approved and executed, your $MKR remains within that proposal and is not automatically returned as in other voting mechanisms. Your $MKR can only vote on one proposal and cannot be used to vote again while it remains there. Therefore, if you want to vote on a new proposal, you need to manually withdraw your $MKR from the old proposal.

The condition for a new proposal to be approved is that the number of votes exceeds that of the last successfully approved proposal.


Source: MakerDao

For example, a proposal on February 25, 2022, received 82,001.5 $MKR votes and was approved, waiting for execution. If a new proposal needs to be voted on at this time, the number of votes required for the new proposal would be 82,001.5 $MKR (see the right side of the above image, System Info).

Earlier proposals that had already been voted on and executed, such as the proposal approved on January 24, 2022, and executed on January 26, can still show that 20,050 $MKR remain in that proposal and have not been manually withdrawn.

This voting method increases the threshold for new proposals to pass. Since many $MKR remain in old proposals, the number of tokens available for voting in the market decreases accordingly, requiring new proposals to attract users to manually withdraw their votes from old proposals.
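The continuous approval rule can be expressed as a small model. This is an added example, not MakerDAO's contract code or code from the original article; the class, its method names and the voter labels are hypothetical, and it assumes the threshold is the amount of $MKR currently backing the last approved proposal.

```python
class ContinuousApproval:
    """Toy model of the continuous approval voting described above."""

    def __init__(self):
        self.approvals = {}   # proposal -> MKR currently backing it
        self.backing = {}     # voter -> (proposal, amount)
        self.hat = None       # last successfully approved proposal

    def vote(self, voter, proposal, amount):
        # MKR stays on one proposal until its owner withdraws it by hand.
        if voter in self.backing:
            raise ValueError("withdraw from the old proposal first")
        self.backing[voter] = (proposal, amount)
        self.approvals[proposal] = self.approvals.get(proposal, 0) + amount

    def withdraw(self, voter):
        proposal, amount = self.backing.pop(voter)
        self.approvals[proposal] -= amount
        return amount

    def threshold(self):
        """Votes a new proposal has to exceed (assumption: live backing)."""
        return self.approvals.get(self.hat, 0)

    def lift(self, proposal):
        """Approve `proposal` only if it out-votes the current approved one."""
        if self.approvals.get(proposal, 0) > self.threshold():
            self.hat = proposal
            return True
        return False

def scenario():
    """Constructed walk-through using the vote counts quoted in the article."""
    chief = ContinuousApproval()
    chief.vote("stale_voters", "jan-24-executed", 20_050)
    chief.vote("current_voters", "feb-25-approved", 82_001.5)
    chief.lift("feb-25-approved")
    chief.vote("newcomers", "new-proposal", 70_000)
    first_try = chief.lift("new-proposal")      # 70,000 does not beat 82,001.5
    # The stale MKR counts again only after a manual withdrawal and re-vote.
    chief.vote("movers", "new-proposal", chief.withdraw("stale_voters"))
    second_try = chief.lift("new-proposal")     # 90,050 beats 82,001.5
    return first_try, second_try, chief.hat
```

Under the stated assumption the threshold also falls whenever holders withdraw from the currently approved proposal, so the $MKR left on it is what protects it.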

Curve's Vote-Lock Governance Mechanism

In both Governor Bravo and MakerDAO's continuous approval voting system, each governance token represents one vote. Governance tokens can be traded on the open market or borrowed from lending protocols. Theoretically, as long as there is enough collateral, such as $ETH, one can borrow enough governance tokens, like $UNI. Borrowed governance tokens can be used to initiate governance attacks, eliminating concerns about costs; if $UNI drops to worthless, the attacker can return it to the lending protocol at no cost.

In the vote-lock mechanism, governance tokens themselves do not have voting rights; they need to be staked and locked as veCRV to gain voting rights. The locking period can last up to four years, and the longer the locking period, the greater the voting power, which decreases over time as the locking period elapses. This greatly reduces the feasibility of borrowing $CRV from the market for voting.
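The effect of lock duration on voting weight can be made concrete. This is an added example, not Curve's contract code or code from the original article; it assumes a linear rule (amount times remaining lock time divided by four years), and the holder names and amounts are constructed.

```python
YEAR = 365 * 86_400
MAX_LOCK = 4 * YEAR   # longest lock period mentioned in the article

def voting_power(amount, unlock_time, now):
    """Assumed linear rule: power decays to zero as the unlock time nears."""
    remaining = max(0, min(unlock_time - now, MAX_LOCK))
    return amount * remaining / MAX_LOCK

def vote_shares(locks, now):
    """Share of total voting power held by each locker at time `now`."""
    power = {who: voting_power(amount, unlock, now)
             for who, (amount, unlock) in locks.items()}
    total = sum(power.values())
    return {who: (p / total if total else 0.0) for who, p in power.items()}

# Constructed sample: identical token amounts, very different commitments.
NOW = 1_700_000_000
LOCKS = {
    "long_term":  (1_000_000, NOW + 4 * YEAR),
    "mid_term":   (1_000_000, NOW + 1 * YEAR),
    "short_term": (1_000_000, NOW + 7 * 86_400),   # e.g. tokens held for a week
}
```

With these inputs `vote_shares(LOCKS, NOW)` gives the one-week locker well under 1% of the voting power despite holding a third of the locked tokens, and the four-year lock's weight halves after two years.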

Popularity of the ve Mechanism

Since last year, the vote-lock (ve) governance mechanism has rapidly gained popularity and has been adopted by many new projects. One example is Izumi Finance, a project focused on liquidity as a service. Similar to Curve, Izumi has two types of tokens, $iZi and veiZi. After staking and locking $iZi, holders receive veiZi, which has governance rights but cannot be traded or transferred. Governance rights change proportionally with the locking period.

Emergence of New ve Mechanisms

Under the original ve mechanism, ve tokens cannot be traded or transferred. Recently, projects like Izumi Finance and Solidly, supported by Andre Cronje, have begun to experiment with a new model, veNFT.

After staking and locking $iZi in Izumi Finance, the result will be a veiZi NFT. The original governance tokens still cannot be traded, but the NFTs representing governance rights can be traded on NFT markets, such as Opensea. This method addresses the low capital efficiency issue of the ve mechanism, but discussions on what impact this will have on governance security have yet to emerge.

Conclusion

The governance mechanisms used by blue-chip DeFi protocols have stood the test of time, but they are not perfect, and issues will still arise from time to time. There is no 100% secure governance mechanism; security is achieved through a combination of different types of mechanisms. This includes a good governance mechanism, an active community, and an economic incentive mechanism to counteract governance attacks, making the potential gains from attacks unable to cover the costs.

In the field of risk management, there is a Swiss cheese theory. Each slice of cheese represents a risk control measure, but each slice has many small holes, just as each measure has its weaknesses. When the slices are stacked together, each slice covers holes in the others, significantly reducing the likelihood of a risk event penetrating all slices.


Source: https://thedecisionlab.com/reference-guide/management/swiss-cheese-model/

In the Build Finance case, the community successfully vetoed the attacker's first governance attack, while the second attack passed because the community did not notice it. An active community serves as a line of defense against such attacks, preventing them from succeeding. Additionally, if the cost of initiating a governance attack is too high, it may deter anyone from attempting it.
