On June 28, we hosted @Infinitesn4ke in our Web3 Security Podcast to talk about DAO Security. Infinites4nake has an extensive background in security, focusing most of his work in crypto security. He also writes about various web3 issues, including one of his most recent articles on the complexity of governance hacks. This topic was inspired by the trendy nature of DAOs in the past year, that although usually mean well, they tend to live in legal obscurity and lack security measures.
This conversation was informative, thought provoking, but also hopeful for a better tomorrow. If you haven’t listened to the podcast, you can do it here, and for more updates on future podcasts, make sure to follow Hats Finance on Twitter.
Now, let’s break down some of the topics discussed in the podcast:
What is REALLY a DAO?
DAOs stand for Decentralized Autonomous Organizations. In a simpler way, a DAO is a group of people coming together towards one shared goal in which all participants can be an owner and shareholder. DAOs disrupt the way we think about hierarchical structures of power by creating accessible entry to people regardless of income, national origin, or credentials. Some people like to compare DAOs to what we know today as worker cooperatives, which are autonomous associations of people to meet their common economic, social, and cultural needs and aspirations through a jointly-owned and democratically controlled enterprise.
Some might argue that worker cooperatives and DAOs are very much the same, and DAOs are neither autonomous or decentralized. So why do we use DAOs? The value proposition of DAOs is that they decentralized ways of raising funds, often creating a large treasury of tokens. The legal obscurity of DAOs allow projects to raise money quickly without having to go through legal processes. This can introduce issues in the future in regards to legality and security, especially with the rise of rug pulls and exploits.
Security Risks in DAOs
DAOs, like projects, face many security risks. Some of the most common ones include:
Rugpull: Malicious maneuver in which founders abandon their project and run away with investors’ funds.
Airdrop scams: Tactic often used by malicious actors that consist in luring users to participate in an airdrop and ultimately gives users’ permission to transfer funds out of their wallet.
Discord related scams: This often happens as impersonation or phishing scams where users participate in behavior that cost them their funds.
Governance hacks: Similar to a hostile takeover in web2, it usually involves a complex exploit that finds vulnerabilities of governance models. The most popular example recently happened to Beanstalk losing $180M to a complex governance hack.
The current state of DAOs
In the past year, DAOs have gained a lot of popularity in the crypto community. The name gets thrown around so often that at some point it feels like everything in crypto is a DAO. What many don’t realize is that from an operational standpoint DAOs have many flaws, including group chat dynamics, voting mechanisms, and community participation. Many DAOs heavily rely on Discord to operate their community, which can get messy and disorganized, and when it comes to proposal voting, only a small percentage of members actually vote. From a security perspective, things have evolved, but there are still a lot of issues, especially when it comes to founders abandoning projects, wallet drains, and project hacks. On the bright-side, there is a lot more information available, and we are continuously innovating towards better solutions.
Envisioning a better DAO
The DAO we know today is not ready for mass adoption. There are still many problems to solve, and the only way to do it is by asking ourselves the hard questions, and finding operational methods that are effective. One bigger question we need to answer is how decentralized should DAOs be and at what point do we allow regulation and policy to be part of it. We remain hopeful for the future of DAOs, and strongly believe bear markets are the best time to build these solutions.