Cointime

Cointime

Download App
iOS & Android

The State of DAO Security

ConsenSys

Validated Project

by Marta Piekarska

Digital asset hacks are becoming a top concern for the Web3 ecosystem. Nearly $3B have been stolen in hacks so far this year, almost double of the value lost in all of 2021. By these numbers, 2022 is set to be the biggest year in terms of crypto hacks, with exploits ranging from compromised wallets, to insecure smart contracts, and more. Unsurprisingly, security has been a big topic for decentralized autonomous organizations (DAOs) as well. 

We went out and asked some of the top DAOs, including Polygon, Moloch, and Lido, what they thought about the security of DAOs. We’ve grouped our findings under themes such as governance, treasury, and smart contracts. But first, let’s go back to the hack that led to an Ethereum hard fork in 2016.

The DAO Hack

The vulnerabilities of DAOs were exposed with the formation of the first DAO itself. If this was before your time, here’s a quick refresher on what happened: Simply called The DAO, it was formed in 2016. The idea was that investors would put money in, receive tokens and vote on projects developed by the DAO. In a month, the DAO was able to raise $150M from 11k investors.

Unfortunately, before the token sale ended, a vulnerability in the smart contract wallet was found. The team began fixing the issue, but attackers were able to exploit another bug: they made a small contribution and then requested a withdrawal with a recursive function, stealing 3.6M ETH of the 15M ETH in the treasury. The stolen ETH was worth $60M at the time.

Security Concerns for DAOs today

The DAO hack was a pivotal moment in Ethereum history and provided important lessons for the community in what not to do. Six years later, while DAOs are booming, hacks are also happening almost every month. 

Some top concerns that DAOs today have are around governance, smart contracts and treasury. Let’s do a deep dive into each topic.

Governance

Decentralized notifications is one area where we haven’t yet found a good solution. If an attacker is able to block notifications, they can also then sneak bad proposals through without a majority of the DAO noticing. 

Often a proposal requires complicated multicall transactions. These rely on expert knowledge of an ‘operator’ class. If the DAO doesn’t have a culture of auditing and analyzing the proposals, attackers can leverage it to pass proposals with complex outcomes.

Another concern for DAOs is bad configuration. If a DAO is set up incorrectly, with wrong thresholds and timelocks, it creates an opportunity for bad actors. Poorly designed incentives with black swan externalities can also undermine the token’s objective.

Spam is still a big issue for DAOs, especially on gasless sidechains, where people are not disincentivized to spam. Dropping 40k proposals on a DAO can break frontends and make it really hard to filter bad and good ones. This leads to gridlock and the possibility for invalid proposals to get through.

Decentralization can be hard to achieve, especially with small DAOs or early stage ones. DAOs, much like the blockchain that forms the basis of a DAO, are vulnerable to a governance attack, where attackers can borrow a large amount of the governance token to push through a proposal. Tron already (unsuccessfully) tried this, where some players borrowed a lot of COMP to push forward a proposal to add TUSD as an asset to Compound. While the proposal was outvoted, it shows a serious security concern, particularly for protocols with autonomous governance like Compound where the proposals, if passed, will actually change the deployed code to effectuate the change. There is also a risk of “behind the door” coalitions if the community is effectively a group of friends or even a handful of wallets. 

Member apathy is another huge security threat to a DAO – from the above mentioned lack of thorough reviews of proposals to low decentralization. DAOs are really a way to facilitate interactions between humans and technology. Humans tend to be messy, disorganized and lack focus. Technology – meaning smart contracts -= requires logic, sterile code and clarity. Systems can only account for what the creators planned for, and an active community continuously evaluating the state of the DAO is crucial. At the start of a DAO, there often will be some key figures who lead the community to a vision. However, in order to achieve decentralization, the leaders need to step away and allow others to take over. If the community too heavily relies on the leaders, it can lead to big problems.

Smart Contracts

At times, DAOs have hidden back doors and upgradability. Even if the backdoors are set up with best intentions, as escape hatches, they always need to be properly disclosed. Transparency is crucial to make sure that such a “feature” doesn’t turn into a bug. 

Some of the greatest hacks exploit the quality of code of the protocols. Today, we rely on vetting the quality of teams and making sure that the code goes through multiple audits, but that doesn’t always catch all the bugs. 

Generally early stage blockchains and bridges don’t pay attention to significant distribution of their validator sets, which leads to greater risk of key compromise.

Treasury

Treasury security is a very difficult topic and yet many projects decide on ⅔ multisig which is way too low. It does mean efficiency in execution but is easily exploitable. In general, convenience gets in the way of security a lot. 

Lack of regulation has also emerged as a security concern for DAOs. Recent action by the Commodity Futures Trading Commission against Ooki DAO has created some concerns in the community about the path that regulators might take on DAOs. The CFTC has said that it would treat DAOs as other incorporated entities in the US, and DAO members and many Web3 players are challenging this court. The biggest issue with this is that we don’t really know where DAOs fall in the regulatory world. Thankfully there are geographies such as Wyoming and Channel Islands where you can incorporate your DAO – and places such as Bermuda  that are actively exploring the topic. 

As in every part of our life, a general lack of respect for security is a threat. Members of a DAO should be deploying standard operational security via password managers, having some form of local threat detection downloaded on the computer, using cold wallets, etc.

Conclusion

While DAOs have evolved and matured over the years, they still face many security challenges. Hacks are painful, and we need to do better to prevent them from happening. While we may not have arrived at concrete solutions so far, some examples are noteworthy. GovernorDAO is trying to solve for governance attacks with biometric authentication of Ethereum wallets. Decentralized identifiers are also one way to ensure the uniqueness of wallet addresses.

Identifying your vulnerabilities and putting safeguards in place to manage risk is an important factor for DAOs to keep in mind. Are there other areas of concern that you have questions about or suggestions on how you’ve been able to mitigate these concerns? Let us know.

DAO smart contract
Comments

All Comments

Recommended for you

  • BTC breaks through $97,000

    the market shows BTC breaking through $97,000, now trading at $97,011.43, with a 24-hour increase of 0.85%. The market is volatile, please manage risks.

  • The JuCoin ecological project JuChain has been launched on the main network, and the public chain co construction summit will be held. The ecological debut protocol is Butterfly

    Cointime News:JuCoin's self-developed public chain JuChain has been launched on the main network. The JuChain Public Chain Co construction Summit initiated by JuCoin will be held on May 15, 2025 in Bangkok, Thailand. The conference will release the first ecological agreement--

  • BTC breaks through $96,000

    the market shows that BTC has broken through $96,000 and is now trading at $96,014.98, with a 24-hour increase of 1.15%. The market fluctuates greatly, so please manage your risks well.

  • Martin Young ·

    North Carolina House passes state crypto investment bill

    North Carolina’s House passed a bill to allow the state treasurer to invest government funds in approved cryptocurrencies with a 71 to 44 vote.

    North Carolina House passes state crypto investment bill

  • JuCoin CEO: UX design in the encryption industry needs to pay attention to user emotional details to enhance user experience

    Cointime News: JuCoin CEO Sammi Li delivered a keynote speech at the TOKEN2049 conference, analyzing the current challenges in user experience (UX) design in the cryptocurrency industry. Sammi Li believes that the existing encryption product experience fails to effectively empathize with users, often leading to usage anxiety, which hinders the large-scale adoption of Web3. Combining her rich experience in the luxury goods industry, she emphasizes that building trust relies on paying attention to user emotions and critical moments of interaction, and constructing it through details rather than simply technical presentations. JuCoin is applying these user centered design principles to its Web3 ecosystem construction, aiming to lower user barriers and enhance user experience by optimizing JuChain and related product designs. It calls on the encryption industry to think together and place user experience at a more core position.

  • Xiongan New Area: Combining blockchain with digital RMB to launch "Digital Currency Loan" product, with payment amount of nearly 100 million yuan

    On January 11th, according to the Xiong'an Public Account, the digital RMB pilot in Xiong'an New Area has achieved new results. The first digital RMB tax payment transaction in the financial field has been completed, and self-service tax terminals have been developed. The "blockchain + digital RMB" technology is applied to government procurement management, increasing the proportion of advance payment and landing multiple applications to solve corporate problems. In 2024, the People's Bank of China Xiong'an New Area Branch, together with the Xiong'an New Area Reform and Development Bureau, will launch the "Implementation Plan for the Deepening of the Pilot Work of Digital RMB in the Rongdong Area", to enhance public awareness. By combining blockchain with digital RMB, the "digital currency loan" product will be launched, with a payment amount of nearly 100 million yuan.

  • Fardi Wang, Chairman of NEXUS 2140: AI•Web3•Ecom Global Expo, Made Appearance at Meta Crypto Oasis 2025 in Dubai

    Fardi Wang, Chairman of NEXUS 2140: AI•Web3•Ecom Global Expo, recently appeared at the Meta Crypto Oasis 2025 in Dubai, joining global Web3 leaders such as Justin Sun (Founder of TRON) and Chris (Co-founder of Sonic) to discuss the future of the industry. As the first cross-industry event integrating AI, Web3, and E-commerce, NEXUS 2140 is accelerating its international expansion through Fardi Wang’s active participation. At the summit, Fardi Wang emphasized that the integration of virtual and real-world assets is the key breakthrough for the Web3 ecosystem. He mentioned: “NEXUS 2140 is leveraging Korea’s policies, technological strengths, and ecosystem advantages to build a global industrial hub.” His insights received strong recognition from attendees, and the Dubai visit further amplified the international influence of the event, injecting new momentum into global digital economy collaboration.

    Fardi Wang, Chairman of NEXUS 2140: AI•Web3•Ecom Global Expo, Made Appearance at Meta Crypto Oasis 2025 in Dubai

  • Binance Wallet’s New TGE B² Network is Now Available for Investment

    according to official page data, Binance Wallet's new TGE B² Network is now open for investment, with an end time of 18:00 (UTC+8). The participation threshold for this TGE is that Alpha points must reach 82 points.

  • The price of ALPACA perpetual contract on Binance platform rose by more than 25% in the past 5 minutes

    the current price of ALPACA perpetual contract on the Binance platform has risen by over 25% in the past 5 minutes, now falling back to $1.3683. At the same time, the spot price of ALPACA is $1.22, showing a significant price difference.

  • Cointime精选 ·

    Left-Curving DAOs

    For the past twenty one days I have been obsessed with a decentralized project called Higher. If interested in the origin lore you can read more here.

    Left-Curving DAOs

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company
Cointime

Hot Coins

Trending