The Governance Attack Threat

Decentralized Autonomous Organizations (DAOs) use token-based voting to make decisions. While revolutionary in concept, governance systems are vulnerable to attacks by bad actors who accumulate enough voting power — through purchase, flash loans, or social manipulation — to pass malicious proposals.

Flash Loan Governance Attacks

Flash loans allow attackers to borrow millions of governance tokens for a single transaction. They use these borrowed tokens to vote on malicious proposals — such as transferring the treasury to their own wallet — then return the tokens in the same transaction. The attack costs nothing but generates potentially millions in stolen funds.

Accumulation Attacks

Patient attackers quietly accumulate governance tokens over weeks or months until they control enough voting power to push through proposals. With voter apathy common in DAOs (typical participation rates are under 10%), controlling 5-10% of tokens can be sufficient to dominate governance.

Social Engineering Governance

Rather than acquiring tokens, some attackers use social manipulation — building community trust, becoming moderators, or presenting themselves as technical experts — to influence votes on proposals that benefit them at the expense of other token holders.

Notable Attacks

• Beanstalk Farm lost 182 million USD to a flash loan governance attack in 2022
• Build Finance DAO was taken over by an attacker who minted new tokens and drained the treasury
• Multiple smaller DAOs have been silently taken over through patient token accumulation

Protection Measures

Effective DAO defense includes: time-locked proposals (mandatory delay between passing and execution), snapshot voting (votes based on token holdings at a specific block), quorum requirements, multi-sig treasury controls, and delegation systems that incentivize active participation.