Governance Hacking: Swallowing Your Own Poison Pill

0x1588
May 10th, 2022

If you’re in Web3, you’re on Twitter and probably all the time (not judging, because so am I). And if you’re on Twitter, you’ve been following Elon’s purchase of Twitter. Elon’s purchase agreement (still subject to regulatory approval) aims to buy all shares of Twitter and take the company private. With Twitter private, there would be no pressure from Wall Street, investors, and the public to see the stock price increase. On the other hand, with Twitter as a private company, Elon would have complete authority to govern it. He would not have to answer to shareholders or a Board of Directors - well, that depends on how Twitter will be structured under his ownership. For a public company, there is a plethora of rules and regulations dictating how the company shall be governed - how decisions are made, who can make those decisions, how those people are elected, etc. etc. etc. A private company? That’s a different story.

Many people, especially those in Web3, have grown disillusioned with the concept of corporate structures, and perhaps rightly so. In recent decades, founders, early investors, and Wall Street have exploited SEC regulations to hoard corporate governance power in a very small number of hands. Companies issue stock in multiple classes, with the class available to the public having zero voting rights. To pump the IPO price, companies sell large blocks of shares to institutional investors (Wall Street firms, funds, etc.), which blocks the public from ever being able to amass a substantial share in the company. Yes, the company may be “publicly traded,” but the corporate governance has been manipulated to favor the founders, early investors, and institutions that control the most money.

But it doesn’t have to be that way. If a company floated all of its shares on a public market, and all of those shares held equal voting rights, you’d arrive at a highly decentralized governance structure. Yes, I know, this assumes we don’t live in a world with billionaires who can buy whole companies on a whim, but we can dream, can’t we? The SEC would be effective at limiting manipulation, as large shareholders have to disclose their identities. Shareholders could choose to proxy their votes or exercise their voting rights themselves. Yes, this model can be slow, requiring large groups to participate in governance to make critical decisions, but it prevents organizations from making decisions without a system of checks and balances.

For all you go-go Reagan-auts who staged a hostile takeover of the one company that could cure your terminal boneitis and ended up in the year 3000 (and if you get that reference, we’re already friends), I can see you with your arms folded, scoffing at my quaint governance models and decentralized share structures, while you admire your Gordon Gekko posters and expertly embossed business cards. I can hear you already: “put all your shares on the market and I’ll take enough to take over the company!” While barging into a corporate boardroom with a briefcase and a small army of lawyers makes for a sexy representation of a hostile takeover, real “hostile” takeovers are less Gordon Gekko and much more Carl Icahn.

Hostile takeovers, just like Carl Icahn, aren’t nearly as sexy as they sound. Film depictions make takeovers appear to be something that happens in secret: the “corporate raider” barges into a boardroom, slams some paperwork on the table and declares, “I own this company now and you’re all fired!” Remember all those governance structures and SEC rules I alluded to earlier? Yeah, they actually work. An actual “hostile takeover” occurs when a company or individual acquires a substantial stake in a company and then persuades other shareholders and board members to back their proposal to fire the current management in favor of their own management plan. And most importantly, this process is very public. It very much doesn’t happen with the slamming of paperwork on a table in front of an audience of shocked management. There will be many votes. Both sides will push the edge cases of the governance model to its limits to give themselves a governance advantage. In the case of Twitter, the board launched a common tactic - the poison pill - to try and ward off Elon’s takeover attempt. Nevertheless, Elon was able to make an offer and sway enough voting power within Twitter to accept his bid. It was a very public process that began in January of 2022 and resulted in a successful takeover at the end of April 2022. What makes a takeover hostile? Not everyone agrees, and not everyone has to agree for the vote to pass - just enough, as declared in the governance structure.

The takeover of Beanstalk, on the other hand, was swift. Months? Weeks? Days? Try one block. Confirmed within 30 seconds. The damage? Approximately $76M worth of digital assets drained from the Beanstalk treasury. How is this even possible?

Beanstalk operates a decentralized and non-collateralized stablecoin. If you’re already lost, no shame there; we could talk for days on the economics of stablecoins and only scratch the surface. The TLDR is that stablecoins attempt to peg to the value of another asset - often the USD. In order to control supply and demand and keep the token pegged to the USD, Beanstalk created a novel mechanism by which you can buy their token, Beans, and stake those Beans in order to yield a return. While the value of a Bean remains stable at 1 Bean = 1 USD, the staking process benefits the holders of Beans while being the mechanism that keeps the value of Beans stable. Yes, the mechanics behind this process are far from simple, but the performance of Bean provides substantial evidence that the mechanics are sound.

So far so good? So what went wrong? Like so many Web3 projects, Beanstalk is a DAO (Decentralized Autonomous Organization). Remember my idealized description of a company that issues a single share class with equal voting rights? In the case of Beanstalk, if you held Beans, you could deposit those Beans into the Silo (yes, Beanstalk uses farming metaphors to gamify the complicated economics behind their stablecoin). Depositing your Beans into the Silo gives you Stalk, the governance token of the Beanstalk DAO. This Stalk token gives you voting rights in the DAO. With voting rights, you can vote on proposals and even submit proposals, as long as you possess more than a 0.1% stake in Beanstalk.

For the most part, Beanstalk’s governance was relatively simple, as defined in Section 6.5 of their whitepaper. Important proposals were submitted as BIPs, Beanstalk Improvement Proposals. Nothing looks out of the ordinary except for one use case - the supermajority. By design, 24 hours after the submission of a BIP, a supermajority - more than a two-thirds vote - passes the BIP, which can then be committed to the Ethereum mainnet with no further oversight. While the governance structure of Beanstalk was relatively simple, these BIPs could be very complex. The BIPs follow the EIP-2535 standard, which uses a diamond analogy to describe a methodology for modifying smart contracts over time after initial deployment. That summary is a gross oversimplification, as EIP-2535 is by no means simple.

From the Beanstalk whitepaper, this excerpt defines the "emergency commit" scenario.

What happened next? This article goes into great technical detail, and I highly recommend a read. The attack is very complex - and yet elegant - and requires an understanding of both EIP-2535 and Beanstalk’s governance model. Since the above article covered the technical details so well, I’ll stick to a brief summary of events:

  • The “exploiter” submits BIP-18 and BIP-19
  • 24 hours later, the “exploiter” takes out a $1B flash loan through Aave to amass Beans
  • Liquidity pool Beans generated more voting power, enabling the “exploiter” to amass a supermajority of voting power by targeting Uniswap and Curve LP tokens
  • The “exploiter”, now holding a supermajority of votes, can execute BIP-18 and BIP-19
  • BIP-18 leverages the CREATE2 function within the EIP-2535 framework to execute a smart contract that was not a part of either BIP-18 or BIP-19
  • The “exploiter” smart contract transfers 24,830 WETH (worth ~$76M USD) to a wallet under their control and returns assets to Aave to close out the flash loan

I’m sure you’re thinking, “how could they not see this coming? Didn’t someone look into their security?” Funny you should mention that - they did. Omniscia performed a security audit for Beanstalk. Did Omniscia flag this potential governance weakness? NO. Is that Omniscia’s fault? Well, maybe not. It’s clear from Beanstalk’s whitepaper that the priority for Beanstalk governance was speed - being able to react quickly and deploy proposals with as little delay as possible. The “emergency commit” function enabled by a supermajority vote was not, in itself, enough to enable this “governance hack”. The exploiter still had to be able to accrue more than 67% of votes. Remember our earlier discussion about hostile takeovers? No one, not even Elon, can simply buy all the shares of a company. Why? For the simple reason that someone has to want to sell their shares. How many people are actively submitting sell orders at any one time? In the case of Beanstalk, their governance analytics indicate an increase in Bean acquisition through liquidity pools in mid March, with a much larger increase in early April. What does this mean? Was this a warning sign? Was the “exploiter” already strengthening their Beanstalk governance position in preparation for submitting BIP-18 and BIP-19? In the case of a corporate hostile takeover, accumulating large stakes would require disclosure to the SEC - just as Elon had to do when acquiring his initial stake in Twitter. But in Web3, who’s acquiring these stakes? An individual? A group? All of the above?

While it’s easy to criticize Beanstalk, they did so many of the right things. They published a very thoughtful and detailed white paper. They published their security audit on their site (it has since been removed but is still available through Omniscia). And someone used it all against them. Beanstalk is currently in the midst of rebuilding their treasury, as they deeply believe in their stablecoin model. As for governance, there is much to be learned. By design, Beanstalk’s governance model enabled a supermajority to act unilaterally with no oversight - except I’m sure they never expected a supermajority to represent a single exploiter. Yet these are the perils of DAOs and the current state of decentralization. A wallet is not a single address, but a set of addresses. You can also install a different wallet in different browsers. Or you can start running VMs on your machine to install even more wallets. Just how many wallet addresses can you create? How many do you need? There’s nothing stopping someone from cornering the voting rights of a DAO by joining with a large enough set of wallet addresses - and there would be no way to trace all those addresses to a single individual. Corporate governance was - emphasis on was - created to prevent these exploits. No one, not even Elon, can anonymously buy enough voting rights in a public company to simply vote to drain the treasury into their pocket. I believe strongly in DAOs and their ability to provide merit-based organizations where everyone has a voice in the direction of the organization. But I also believe in rules and regulations. Let’s learn from both worlds - what does corporate governance get right, and how can we apply that to make DAOs even better?

In a word? Oversight. The Beanstalk governance model allowed a single entity to submit proposals, accrue a supermajority of votes, and then deploy the proposals unilaterally. In this system, if the proposer can sway a vote in their favor, they have unilateral authority to deploy the proposal. What if the proposer had simply approached DAO members with large voting stakes, promising a share of the profits if they voted yes? Beanstalk is still a relatively small organization, where a majority of votes can be reached rather quickly. Once the required number of votes is secured, the proposer has the authority to commit the proposal. The only mechanism to stop the commit would be another BIP to “pause” Beanstalk. But then someone could submit another BIP to “unpause” Beanstalk. What would happen in this race? Who would win?
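To make the supermajority emergency commit from Section 6.5 and the flash-loan sequence in the bullets above concrete, here is a toy model of both rules side by side. It is added here and is not Beanstalk’s code; the “voting power equals governance-token balance” rule, the 7200-blocks-per-day figure and the proposal names are assumptions. The weak rule tallies live balances in the commit block; the hardened variant tallies a snapshot taken at submission and then enforces a timelock, which is the window in which a “pause” can land.

```python
BLOCKS_PER_DAY = 7200  # assumption: ~12 s blocks, so "24 hours after submission" is ~7200 blocks

class ToyDao:
    """Toy Stalk-style DAO (assumption): voting power is simply the governance-token balance."""
    def __init__(self, stakes, threshold=2 / 3):
        self.stakes = dict(stakes)          # live balances, voter -> stake
        self.threshold = threshold
        self.proposals = {}                 # pid -> {submitted, snapshot, yes, queued}

    def submit(self, pid, block):
        # The hardened rule records a snapshot of balances at submission time.
        self.proposals[pid] = {"submitted": block, "snapshot": dict(self.stakes), "yes": set(), "queued": -1}

    def vote_yes(self, pid, voter):
        self.proposals[pid]["yes"].add(voter)

    def change_stake(self, voter, delta):
        # Deposit or withdraw stake; a flash-loan round trip is +delta then -delta in one block.
        self.stakes[voter] = self.stakes.get(voter, 0) + delta

    def _yes_share(self, pid, weights):
        total = sum(weights.values())
        yes = sum(weights.get(v, 0) for v in self.proposals[pid]["yes"])
        return yes / total if total else 0.0

    def emergency_commit_ok(self, pid, block):
        """Weak rule: the supermajority is tallied from live balances in the commit block."""
        p = self.proposals[pid]
        return block - p["submitted"] >= BLOCKS_PER_DAY and self._yes_share(pid, self.stakes) > self.threshold

    def queue(self, pid, block):
        """Hardened step 1: tally against the submission snapshot; stake moved in later does not count."""
        p = self.proposals[pid]
        if block - p["submitted"] >= BLOCKS_PER_DAY and self._yes_share(pid, p["snapshot"]) > self.threshold:
            p["queued"] = block
        return p["queued"] >= 0

    def hardened_commit_ok(self, pid, block, timelock=BLOCKS_PER_DAY):
        """Hardened step 2: execute only after a timelock, so vote and commit cannot share one block."""
        p = self.proposals[pid]
        return p["queued"] >= 0 and block - p["queued"] >= timelock

def flash_loan_scenario():
    """Constructed scenario: a 5% holder borrows stake for one block, votes, tries to commit, repays."""
    dao = ToyDao({"alice": 40, "bob": 35, "attacker": 5})
    dao.submit("BIP-X", block=1000)
    dao.vote_yes("BIP-X", "attacker")
    commit_block = 1000 + BLOCKS_PER_DAY
    dao.change_stake("attacker", +1000)         # borrowed stake deposited in the commit block
    weak = dao.emergency_commit_ok("BIP-X", commit_block)   # live tally sees 1005 of 1080 -> passes
    hardened = dao.queue("BIP-X", commit_block) and dao.hardened_commit_ok("BIP-X", commit_block)
    dao.change_stake("attacker", -1000)         # loan repaid in the same block
    return weak, hardened
```

The snapshot alone would not stop stake accumulated before submission (the mid-March and early-April buying noted above), which is why the timelock matters: it forces the commit into a later block than the vote, giving a pause proposal a window to land.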

On September 26, 1983, Soviet early-warning detection systems triggered alerts that the United States had launched nuclear ICBMs directed at the Soviet Union. By protocol, the response to launch detection was an immediate and compulsory counterattack. But that didn’t happen. Did systems fail? No. The reason was Stanislav Petrov. Petrov, based on his interpretation of the detection and his training in nuclear warfare, believed the supposed launch made no sense. In addition, the detection system had been prone to errors in the past. Thus he made a decision - he NEGLECTED his duty to notify superiors, which would have automatically triggered the counterattack. The result? The detection system WAS IN ERROR. There was NO launch. His decision to block the protocol saved the world from nuclear war. What would have happened had this scenario been controlled by a smart contract with no one to question its execution? Should a DAO execute decisions truly autonomously? What is the cost of “speed to commit” decisions? Perhaps this is more speed than we can afford.
