A hidden threat to ENS: Uncovering and solving a major governance risk

Special thanks to Avsa, Spence, Guiriba, Zeugh and Danimim for discussion and review throughout the whole process.

“Security is always excessive until it’s not enough.” — Robbie Sinclair

ENS is widely recognized as vital: it is the backbone of decentralized identity and better UX on Ethereum, and one of the ecosystem's most impactful and sustainable organizations, while also being a strong funder of public goods.

Given ENS's critical role in the ecosystem, ensuring its security and stability is paramount. However, even such foundational protocols are not immune to vulnerabilities. In March of 2024, we uncovered a critical vulnerability in ENS DAO's governance that could have led to a ~$150M theft and protocol capture. This wasn't just a theoretical risk—similar attacks have already crippled other DAOs.

While often touted as fair, the '1 token, 1 vote' model tends to concentrate power according to wealth. In many DAOs, the top 15 holders control more than half of the voting power, creating an oligarchic structure rather than a decentralized one. Low participation rates compound the problem, making hostile takeovers dangerously easy.

An attacker who measures the average participation rate and the quorum needed to approve a proposal can buy the required number of tokens on the secondary market (the most capital-inefficient route; cheaper ones are discussed below) and pass a proposal that benefits only themselves, capturing the DAO and bringing it to its end.

With the Security Council, ENS is protected from this risk, giving the DAO time to improve delegation and security in a healthy way. Now, let's explore the research and collaborative work that led to this security enhancement.

Why capture a DAO?

The motivation for attacking a DAO is obvious: to make money. But there is more than one way to extract value from a capture.

Gradual value extraction (slow rug)

The attacker doesn't steal the treasury outright but gains the power to steer the organization in their own favor. It's a vampirizing strategy that keeps the protocol and DAO alive while extracting profit for months or years. It demands deep analysis and planning from the attacker: the attack only pays off over the mid term, and it is not aligned with the DAO's long-term values.

Metaprotocol attack

Well-known examples can be found in projects using veNomics, such as Curve and Convex or Balancer and Aura. Today each pair has its synergies, but the original idea was to carry out vampire attacks on the dominant projects in their respective sectors.

Competitive takeover

In traditional markets, firms compete for market share through marketing, customer acquisition, legal actions, and patents (sounds familiar, huh?). In the DAO ecosystem, this competition can be far more aggressive and direct. The governance mechanisms of DAOs, relying on code and market conditions, create unique vulnerabilities.

Attackers can exploit governance systems to seize control of competing protocols, often anonymously. This makes traditional legal recourse challenging, if not impossible. The result? A swift, potentially irreversible loss of market share for the targeted DAO.

Direct treasury raid

When a DAO's treasury, excluding its own governance token, is worth more than all delegated tokens combined, there is a straightforward and immediate profit opportunity: buy enough voting power to pass a proposal that transfers the treasury to the attacker.

ENS was highly exposed to this type of attack, which was the most concerning and obvious one. Let's expand on that.

Past cases

To ground our research in practical reality, let's examine a few notable incidents that illustrate the vulnerabilities discussed above.

These case studies show how theoretical attack vectors have been exploited in practice, and they offer concrete insight into the real-world risks DAOs face and the importance of robust security measures.

Case study: Compound - Gradual value extraction attack

The attack on Compound shows that the pessimistic scenario is more real than it seems. Humpy, a well-known attacker whale, bought 682K COMP (6% of the token supply, ~$34M at the time) to pass a proposal that would have handed them an additional 5% of the token supply as voting power, effectively capturing the organization.

Only 56.36% of the delegated votes were cast in the vote that captured Compound, and that figure includes the attacker's tokens.

The proposal ended up not being executed; here is an analysis we did while the attack was happening to support the Compound community.

Similar cases by the same attacker: Balancer, Sushi, Cream Finance, Badger DAO.

Case study: Aragon - Direct treasury raid attack

The RFV (risk-free value) raiders, a group that attacked several DAOs and was even backed by the hedge fund Arca, went after Aragon.

‘Simply lining up soldiers doesn’t mean an attack’ — Jeff Dorman, Arca

They pushed a proposal to split the treasury among token holders. At first, the Aragon Association (AA, the Swiss non-profit behind the project) vetoed the proposal, but after some months and a lot of pressure it decided to distribute 86% of the treasury (86k ETH). Even then, Aragon DAO members threatened the AA with a lawsuit.

‘Their goal is to target treasuries and manipulate the price of tokens for financial gain, at the expense of the organisation’s mission’ — The Aragon Association

Similar cases by the same group: Gnosis, Hector Network, Tribe (FEI), Rook.

Cryptoeconomic analysis

The following chart illustrates the relationship between ENS DAO's total assets (excluding the native governance token) and the value of delegated ENS tokens over time:

Source: Dune Analytics by @avsa

Key observations:

  1. Treasury Value Exceeds Delegated Tokens: Since March 2023, the value of ENS DAO's treasury (excluding the native governance token) has consistently surpassed the total value of delegated ENS tokens. This imbalance creates a potential incentive for attackers.

  2. Significant Exposure: At its peak, the disparity reached nearly 3x, meaning the treasury was worth almost three times the value of all delegated governance tokens. This scenario presents a highly attractive target for potential attackers.

  3. Price Volatility Impact: The substantial fluctuations in the delegation value were primarily driven by ENS token price volatility rather than changes in delegation patterns.

  4. Insufficient Safeguards: Even a significant initiative like the introduction of veto.ensdao.eth, which doubled the number of delegated tokens overnight, was not enough to close this economic imbalance.

The gap is no different in the current state. To show where ENS governance would stand without this research and the actions it led to, the chart and figures below exclude both veto.ensdao.eth and securitycouncil.eth, which are outcomes of this work.

Current state of ENS' governance economics (Oct/24)

Liquid treasury here means assets other than ENS, the governance token: if the DAO is attacked the token's value collapses, so ENS itself is not profitable loot in a direct treasury raid. ENS DAO today holds ~$120M in USDC, ETH and DeFi positions managed by Karpatkey.

Delegated cap is the value of all delegated tokens. Read naively, the DAO has $65M of "organic" delegation protecting the treasury, but that assumes every delegated token turns out to vote, which is unrealistic.

Average quorum is a more reasonable metric for approximating the cost of passing a proposal. It currently sits around 1.4M ENS, i.e. ~$24M standing between an attacker and the treasury.

Other mechanisms that lower the cost of the attack must also be considered, since what an attacker needs is delegated voting power, not ownership of the tokens:

  • A campaign could be run offering a high APY to token holders who delegate to a given address. For holders it is a no-brainer since, at first glance, it looks like a low-risk yield operation. This is well explored in veNomics and DeFi through bribe markets and similar mechanisms.

  • Borrowing tokens is also an attractive instrument, since the attacker has less skin in the game and the borrow can double as a short position.

  • CEXs also allow shorting the token on futures markets with leverage, so the attacker profits from the post-attack price crash, further lowering the net cost of the attack.

  • A proposal to split the treasury with whoever votes yes. This one is the most dangerous: delegation does not imply economic skin in the game, so such an offer can create enough incentive for delegates to collude with the attacker.
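To put numbers on the levers above, here is an added worked model (not part of the original post, and not blockful's or ENS DAO's own tooling) that computes how much voting power an attacker must add to pass a treasury-draining proposal under the Governor rule (quorum reached and For strictly greater than Against) and what the raid returns when part of that power is borrowed or hedged with a short. The ENS figures are the Oct/24 ones quoted above; the organic vote split, the borrow fee and the post-attack price drop are assumptions.

```python
"""Cost-of-attack model for a direct treasury raid on a token-voting DAO.

Added illustration for this post; it is not blockful's or ENS DAO's own
tooling. The ENS figures are the ones quoted above for Oct/24 (~$120M liquid
treasury, ~1.4M ENS average quorum, ~$24M of ENS at quorum, i.e. ~$17/ENS).
The For/Against split, the borrow fee and the post-attack price drop are
assumptions chosen to show how each lever moves the numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DaoState:
    token_price_usd: float
    liquid_treasury_usd: float  # assets other than the governance token
    quorum_tokens: float        # For votes needed for the proposal to be valid
    organic_for: float          # tokens expected to vote For without the attacker
    organic_against: float      # tokens expected to vote Against


def tokens_needed(state: DaoState) -> float:
    """Smallest amount of voting power the attacker must add so that the proposal
    both reaches quorum and has strictly more For than Against votes (the
    Governor success rule). Delegated, borrowed or bribed power counts the same."""
    to_quorum = state.quorum_tokens - state.organic_for
    to_majority = state.organic_against - state.organic_for + 1  # one token breaks a tie
    return max(to_quorum, to_majority, 0.0)


def raid_economics(state: DaoState, *, borrowed_fraction: float = 0.0,
                   borrow_fee_rate: float = 0.0, post_attack_drop: float = 1.0) -> dict:
    """Profit of a proposal that sends the liquid treasury to the attacker.

    borrowed_fraction: share of the voting power sourced by borrowing tokens
        (or a futures short of equal size) instead of buying them outright.
    borrow_fee_rate:   fee paid on the borrowed notional for the attack window.
    post_attack_drop:  fraction of the token price lost after the raid
        (1.0 = the token goes to zero, the conservative case the post assumes).
    """
    needed = tokens_needed(state)
    notional = needed * state.token_price_usd
    bought = notional * (1.0 - borrowed_fraction)
    borrowed = notional * borrowed_fraction
    # Tokens the attacker actually holds lose value with everyone else's.
    loss_on_bought = bought * post_attack_drop
    # Borrowed tokens are repaid after the crash, so the borrow behaves as a
    # short position that profits from the drop, minus the fee.
    gain_on_borrowed = borrowed * post_attack_drop - borrowed * borrow_fee_rate
    profit = state.liquid_treasury_usd - loss_on_bought + gain_on_borrowed
    return {
        "tokens_needed": needed,
        "notional_usd": notional,
        "capital_at_risk_usd": bought,
        "profit_usd": profit,
        # Treasury captured per dollar the attacker can actually lose.
        "return_multiple": state.liquid_treasury_usd / bought if bought else float("inf"),
    }


# Figures quoted in the post for Oct/24; the $17 price is ~$24M / 1.4M ENS.
ENS_OCT_24 = DaoState(token_price_usd=17.0, liquid_treasury_usd=120_000_000,
                      quorum_tokens=1_400_000, organic_for=0, organic_against=0)

if __name__ == "__main__":
    base = raid_economics(ENS_OCT_24)
    print(f"buy everything: {base['tokens_needed']:,.0f} ENS, "
          f"profit ${base['profit_usd']:,.0f}, {base['return_multiple']:.1f}x")
    # Half the power borrowed at a 5% fee, token drops 80%: the attacker's
    # downside halves while the payoff barely moves.
    lev = raid_economics(ENS_OCT_24, borrowed_fraction=0.5, borrow_fee_rate=0.05,
                         post_attack_drop=0.8)
    print(f"half borrowed: at risk ${lev['capital_at_risk_usd']:,.0f}, "
          f"profit ${lev['profit_usd']:,.0f}, {lev['return_multiple']:.1f}x")
    # Organic opposition raises the bar only once Against outruns quorum.
    contested = DaoState(17.0, 120_000_000, 1_400_000, organic_for=100_000,
                         organic_against=1_500_000)
    print(f"contested vote: {tokens_needed(contested):,.0f} ENS needed")
```

The point the model makes plain is that quorum, not delegated cap, is the real price tag, and that borrowing or shorting shrinks the capital the attacker can actually lose without reducing the treasury they can take.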

Unknown whales are a huge risk, and not a theoretical one. This address has been accumulating ENS for more than 450 days and now holds over 2M ENS, clearing the quorum on its own by 600k, and it is probably only one of the wallets its owner controls.

Governance implementation

The security of a DAO is heavily dependent on the specific details of its governance implementation. In ENS's case, two critical aspects of the implementation significantly increased its vulnerability to attacks:

Minimal Proposal-to-Voting Delay

  • The delay between submitting a proposal and the start of voting is only 2 blocks.

  • That same interval fixes the snapshot used to determine delegates' voting power; power is read at the snapshot block and never again for that proposal.

  • Such a short delay leaves little to no time for the community to react to a potentially malicious proposal.

  • Because voting power is locked at the snapshot, attackers can sell their governance tokens as soon as voting opens, and certainly right after voting, minimizing their losses before news of the malicious proposal spreads.

Ineffective Cancellation Mechanism

  • The existing structure lacked an efficient way to cancel a malicious proposal once it was queued in the timelock; the only path to a cancellation was another proposal passed through the same governance process.

  • Because that counter-proposal had to clear the same delay, voting period and timelock, any attempt to cancel would always lag behind the execution of the malicious proposal.

  • This effectively meant that once a malicious proposal was set in motion, it was nearly impossible to stop through the existing governance mechanisms.

These implementation details created a perfect storm of vulnerability, making ENS an attractive target for potential attackers. They underscore the importance of carefully considering every aspect of governance implementation, as even small details can have significant security implications.

Taking action

After completing our initial research and confirming the attack's feasibility, we promptly disclosed our findings to the Metagov stewards and Nick. Our primary goal was to create an emergency protection mechanism for the ENS DAO.

Short-term solution

ENS Labs acted swiftly to implement an immediate safeguard:

  • Contributors delegated 4.18M ENS to a contract created by Nick.

  • The contract works like a 1/5 multisig whose only capability is to vote "Against" on harmful proposals.

  • As noted in the cryptoeconomic analysis, this was not enough to close the economic gap, but it raised the barrier.

Developing a mid-term solution

While the short-term solution provided immediate protection, we worked in parallel on a more sustainable safeguard: the Security Council. This mid-term solution doesn't rely on economic conditions to protect ENS DAO's governance.

After extensive discussions and research, we designed an implementation with key features:

  • An intermediary contract limiting the council's power to veto only

  • A two-year expiration to prevent permanent centralization

  • Council composition based on jurisdictional diversity, economic and reputational stake, and historical participation

Cycle of a malicious proposal
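The following added simulation (not the original post's code, nor ENS's deployed Governor and timelock or the Security Council contract itself) walks a malicious proposal through an OpenZeppelin-style Governor and TimelockController block by block. It shows the three points from the governance implementation section and the council design above: voting power is frozen at the snapshot two blocks after submission, so the attacker can sell while the vote is still open; a cancellation that must itself pass a proposal always lands after the malicious operation becomes executable; and a veto-only council with a hard expiry can act exactly inside the timelock window and nowhere else. The 2-block voting delay is the ENS value from the post; the voting period, timelock delay and expiry block are assumptions.

```python
"""Block-level timeline of a malicious proposal through an OpenZeppelin-style
Governor + TimelockController, and why a veto right beats a counter-proposal.

Added illustration; not ENS's deployed contracts or the Security Council
contract. The 2-block voting delay is the value the post gives for ENS; the
voting period, timelock delay and council expiry are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GovernorParams:
    voting_delay: int    # blocks from propose() to the voting-power snapshot
    voting_period: int   # blocks the vote stays open
    timelock_delay: int  # minimum blocks an operation waits in the timelock


@dataclass(frozen=True)
class Timeline:
    proposed: int
    snapshot: int    # voting power is read at this block and never again
    vote_end: int
    queued: int      # operation scheduled in the timelock
    executable: int  # first block at which execute() succeeds


def lifecycle(p: GovernorParams, proposed_at: int) -> Timeline:
    snapshot = proposed_at + p.voting_delay
    vote_end = snapshot + p.voting_period
    queued = vote_end + 1  # assume queue() lands in the block after the vote closes
    return Timeline(proposed_at, snapshot, vote_end, queued, queued + p.timelock_delay)


def sale_keeps_voting_power(t: Timeline, sale_block: int) -> bool:
    """Tokens sold after the snapshot block still vote with their snapshot weight,
    so the attacker can dump before the vote even closes."""
    return sale_block > t.snapshot


def counter_proposal_lag(p: GovernorParams, malicious: Timeline, reaction_blocks: int) -> int:
    """Blocks by which a cancel that must itself pass a full proposal cycle arrives
    after the malicious operation became executable (positive = too late)."""
    counter = lifecycle(p, malicious.proposed + reaction_blocks)
    return counter.executable - malicious.executable


def veto_window(t: Timeline) -> tuple[int, int]:
    """Inclusive block range in which a holder of the timelock's cancel right can
    stop the operation: from queueing until the block before it becomes executable."""
    return t.queued, t.executable - 1


def council_can_veto(t: Timeline, council_expiry_block: int, now: int) -> bool:
    """A veto-only council with a hard expiry can act exactly inside the window
    and only while its mandate lasts."""
    start, end = veto_window(t)
    return now < council_expiry_block and start <= now <= end


# 2-block delay as in ENS; 7_200-block vote and 14_400-block timelock are assumed.
ENS_LIKE = GovernorParams(voting_delay=2, voting_period=7_200, timelock_delay=14_400)

if __name__ == "__main__":
    bad = lifecycle(ENS_LIKE, proposed_at=100)
    print(f"snapshot at block {bad.snapshot}, executable at block {bad.executable}")
    print("attacker sells one block after snapshot, still votes:",
          sale_keeps_voting_power(bad, bad.snapshot + 1))
    # Even a counter-proposal filed in the very next block executes too late.
    print("counter-proposal lag (blocks):", counter_proposal_lag(ENS_LIKE, bad, 1))
    print("veto window:", veto_window(bad))
    print("council veto mid-timelock:",
          council_can_veto(bad, council_expiry_block=5_256_000, now=bad.queued + 10))
```

With identical parameters for both proposals the lag is always exactly the reaction time, so no amount of vigilance closes the race; only a role that can call the timelock's cancel directly, with no vote in between, acts inside the window.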

Implementation process

  1. A temp-check vote was submitted and approved unanimously, demonstrating the community's understanding of the initiative's importance.

  2. Established the council multisig as a 4/8 multisig, with members approved by the ENS DAO.

  3. Rigorously tested and reviewed the Security Council contract:

    • Audited by 4 external auditors we had previously worked with

    • Additional review by ENS DAO community members

  4. Submitted the executable proposal with caution and extensive testing, since it granted the timelock's PROPOSER_ROLE to a contract, which in the TimelockController version ENS uses allows both scheduling and cancelling timelock operations.

Operational considerations

We also conducted operational work to enhance the Security Council's effectiveness:

  • Defined best practices for the council's operations

  • Benchmarked and researched methods to maximize wallet security for the multisig

Next steps

A security council should not be a long-term solution; it's a tool for buying time.

Participation is still far from ideal, and the number of delegates is at its lowest level since the DAO's inception.

We need to discuss ways of engaging more relevant industry members in ENS governance. Bringing in external forces can create a culture shock for the DAO, but it will also bring more diversity to the discussions.

Whether it's distributing incentives and/or delegations to active DAO members or onboarding blockchain groups specialized in governance, we need to discuss best practices to foster participation in the ENS DAO.

That way, we won't need to activate our protections: the delegates themselves will have the votes and proactivity to protect the DAO's treasury.

Conclusion

The economic conditions and governance implementation of ENS made a potential attack not only feasible but highly profitable, with potential returns of 3-5 times the investment.

The lack of easily accessible, coherent data about the treasury inadvertently served as a temporary shield, but it was only a matter of time before this information reached malicious actors.

Currently, there are unknown wallets holding token amounts exceeding the average quorum, positioning them among the largest token holders. This presents a critical decision point for the DAO: whether to continue exposing itself to the risk of these dormant whales suddenly becoming active in governance or to implement a proactive action plan.

The blockful team has been integrally involved throughout this process, from the initial identification of the vulnerability to the development and proposal for the creation of the Security Council. Our comprehensive approach included:

  • Data analysis and study of past attacker behaviors.

  • Smart contract research, implementation, and testing.

  • Proposal coordination, crafting, and simulation.

  • Legal research and benchmark of other security councils' good practices.

  • Collaboration with meta-governance working group stewards, delegates, and the broader community.

  • Managing all associated fees and costs for smart contract deployment and audits.

The Security Council was designed around a few key features to balance security and decentralization: a veto-only scope enforced by an intermediary contract, a two-year expiry, and a membership chosen for jurisdictional diversity, economic and reputational stake, and track record of participation.

These measures create a governance structure that is more resilient to capture by whale token holders and state actors while providing a crucial safeguard against potential attacks.

By implementing this solution, ENS has taken a significant step towards securing its future, setting a precedent for responsible and adaptive DAO governance in the face of evolving threats.


Follow blockful on X (Twitter) to support this kind of research.

Please consider delegating your governance tokens to gov.blockful.eth if you believe in a sustainable way of governance that approaches security, public goods, and DAOs longevity.

See ya in the mempool and forums!
