End-to-End Anticapture: The DAOs You're In Might Be at Risk
April 4th, 2025

Governance Security needs to become a trend before governance attacks do.

Governance attacks are happening—way too often

We’re watching governance attacks happen right in front of us—more often than anyone would like to admit. The worst part? Measures are usually reactionary. Emergency patches. Quick fixes. Or, worse, centralized responses to prevent entire treasuries from being drained. In some cases, the DAOs just vanish.

DAOs built great tech—but forgot to prepare for politics, economic conditions, arbitrageurs and hackers…

DAOs invested in contract audits, built impressive governors, and took care of the technical side. Look at Arbitrum DAO—arguably the gold standard of contract design today. Or Aragon with OSx and its modular approach. If we’re talking tooling, this stuff is art. The Mona Lisa of DAO infra.

But there are some things no audit can cover: politics, economic conditions and arbitrageurs. You can structure code, audit logic, and run tests. But governance lives in time. It lives in people. And that makes it messy.

DAOs with weak institutions and low participation are easy targets (and yeah, I get it—the DAO you're in probably has 12 voters and 3 of them are whales. That’s exactly why I'm here). Even well-designed systems can be gamed. Political power moves often exploit institutional gaps or an overreliance on democratic norms—just like the 1973 Chilean coup, and many others.

Chilean coup of 1973 | libcom.org

When governance underestimates antidemocratic actors or market conditions, ignores behavior that its implementation simply does not address, or concentrates power without checks, collapse becomes a matter of when, not if.

Some governors are secure, but their implementations only address malicious code, not malicious behavior.

“What if the next big attack already started?” – blockful team, 2025

Same story in DAOs. It didn’t take much imagination to guess what could’ve happened at ENS or Compound not long ago. Compound has audits. Sure. But who foresaw Humpy and the Golden Boys taking control of a treasury? Who saw a whale slowly accumulating ENS tokens to submit a proposal that could drain its entire $150M liquid treasury?

And here’s the kicker: it’s not even illegal. It’s just a strategy. It’s “playing by the rules.” From the attacker’s point of view, it’s an investment. As Jeff Dorman, CIO at Arca, put it: “Simply lining up soldiers doesn’t mean an attack.” But in DAOs, sometimes that’s all it takes. The setup is the strategy. Capital gets quietly positioned, voting power is accumulated over time, and when the moment is right—execution looks just like governance. Nothing illegal. Just a calculated move, made within the rules.

https://www.comp.xyz/t/trust-setup-for-dao-investment-into-goldcomp/5406/6

When a treasury drain is just a vote away

DAOs don’t want to lose their ecosystems, yet that is exactly what a slow capture threatens. Say a few large Arbitrum delegates collude to pass high-budget proposals. Then more. Then more. The Security Council wouldn’t catch this—nor should they. On Tally, it’s just another funding proposal. But a pattern of unchecked approvals can gradually concentrate value and influence, weakening the DAO over time without triggering any formal alarms. It is still a rug, just a slow, silent one.

The result?

  • Builders on this DAO can lose access to the treasury they counted on to build good stuff

  • Delegates with outsized influence can now veto anything

  • Uncertainty grows, resilience drops, credibility collapses

  • Builders and capital move elsewhere
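The slow-drain pattern above never trips a per-proposal alarm, so the check has to run across the proposal history instead. The following is an added example, not blockful's or Anticapture's code, and it runs on constructed proposal records: for every passed funding proposal it finds the smallest group of FOR voters whose votes alone beat the AGAINST side (the delegates without whom the proposal would have needed other support), then raises a flag when the same small coalition was pivotal for most of the approved spend and that spend is a meaningful share of the treasury. Field names, the coalition size `k` and both thresholds are assumptions.

```python
"""Detector for a recurring small coalition carrying one funding proposal
after another. Added example with constructed data; not a project's own code."""
from dataclasses import dataclass


@dataclass
class Proposal:
    # Constructed record; the field names are an assumption, not a governor's ABI.
    pid: str
    amount_usd: float        # treasury outflow the proposal requests
    passed: bool
    for_votes: dict          # delegate -> voting power cast FOR
    against_votes: float     # total voting power cast AGAINST


def pivotal_set(p: Proposal) -> set:
    """Smallest group of FOR voters whose votes alone exceed the AGAINST side.

    Taking voters largest-first gives a minimum-cardinality set for a
    'sum must exceed T' target; ties break on name for determinism.
    """
    ranked = sorted(p.for_votes.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, total = set(), 0.0
    for delegate, power in ranked:
        chosen.add(delegate)
        total += power
        if total > p.against_votes:
            return chosen
    return chosen  # FOR never beat AGAINST (quorum-only pass); everyone needed


def coalition_report(proposals, treasury_usd, k=2,
                     coverage_threshold=0.5, spend_threshold=0.10) -> dict:
    """Flag when <= k delegates were pivotal for most approved spend.

    coverage_threshold: share of passed USD carried by the top-k coalition.
    spend_threshold: passed USD as a share of the treasury (assumed values).
    """
    passed = [p for p in proposals if p.passed]
    total_passed = sum(p.amount_usd for p in passed)
    pivots = {p.pid: pivotal_set(p) for p in passed}
    pivotal_usd = {}
    for p in passed:
        for d in pivots[p.pid]:
            pivotal_usd[d] = pivotal_usd.get(d, 0.0) + p.amount_usd
    coalition = sorted(pivotal_usd, key=lambda d: (-pivotal_usd[d], d))[:k]
    covered = sum(p.amount_usd for p in passed if pivots[p.pid] & set(coalition))
    coverage = covered / total_passed if total_passed else 0.0
    spend_share = total_passed / treasury_usd if treasury_usd else 0.0
    return {
        "coalition": coalition,
        "total_passed_usd": total_passed,
        "coverage_share": coverage,
        "spend_share": spend_share,
        "alert": coverage >= coverage_threshold and spend_share >= spend_threshold,
    }


# Constructed history: two whales carry four funding proposals in a row.
M = 1_000_000
PROPOSALS = [
    Proposal("P1", 2 * M, True, {"whale_A": 5 * M, "whale_B": 4 * M, "alice": 1 * M}, 6 * M),
    Proposal("P2", 3 * M, True, {"whale_A": 6 * M, "whale_B": 3 * M, "bob": 0.5 * M}, 5 * M),
    Proposal("P3", 1.5 * M, True, {"whale_A": 4 * M, "whale_B": 4 * M, "carol": 2 * M}, 7 * M),
    Proposal("P4", 4 * M, True, {"whale_A": 5 * M, "whale_B": 5 * M, "alice": 1 * M, "bob": 1 * M}, 9 * M),
    Proposal("P5", 0.5 * M, True, {"alice": 3 * M, "bob": 2 * M, "carol": 1 * M}, 2 * M),
    Proposal("P6", 10 * M, False, {"whale_A": 2 * M}, 8 * M),   # failed; ignored
]
TREASURY_USD = 60 * M

if __name__ == "__main__":
    print(coalition_report(PROPOSALS, TREASURY_USD))
```

On the constructed history, `whale_A` and `whale_B` are pivotal for about 95% of the $11M approved, which is over 18% of the treasury, so the report raises the alert even though each individual proposal looked routine. Raising `spend_threshold` to 0.5 silences it, which is the knob a DAO would tune to its own risk appetite.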

Turning governance risks into math

After we uncovered this attack vector in ENS, we shifted the whole team to focus on governance security – for real, we blinked and the whole company pivoted—thankfully, we’re all governerds so we kinda loved it.

The logic was simple: problems this deep need standards. Without a repeatable method, fixes become ad hoc. Some gaps get plugged, others remain wide open. So we built one ourselves: a structure to detect threats before they happen.

We studied over 30 DAO attacks—looking at what they had in common, which signals appeared beforehand, and what structural weaknesses turned risk into reality. Patterns started to emerge. From there, we built a set of criteria that could turn hindsight into foresight. That became the anticapture framework. No one had defined a standard for governance security. So we did.

anticapture.com

It evaluates how exposed a DAO is to governance takeovers. We broke past attacks into data points, binary logic—0s and 1s. From that, we calculate actual risk. Some of the key indicators we analyze:

  • Cost of attack (how much does it cost to rug this DAO and fly to the Bahamas?)

  • Delegation rate (aka how many people actually bothered to delegate something)

  • Circulating supply (how much is out there pretending to be decentralized)

  • Delegated supply (how much power is actually in play, not just vibing in wallets)

  • DEX/CEX concentration (centralized exchanges holding your “decentralized” governance, lol)

  • Voting mutability (can rules be changed mid-game?)

  • DNS security (because losing your domain to a phishing link is sooo 2005)

  • Active supply (how much is actually moving, voting, and doing things—not just ghost-holding the token)

...and more.

Individually, each one matters. Combined, they expose hidden vulnerabilities. We don't just show metrics. We cross-analyze and offer countermeasures (sounds powerful, right?).

anticapture.com

With ENS, the solution was clear: if attack profitability is too high, create a Security Council. Done. That one move can keep the DAO safe for two years—enough time to plan for a secure, decentralized future without relying on the Security Council.

This isn't a new problem—just a new format

Staying secure and decentralized is one of the hardest things. History shows us how fragile that balance is. Think about the Delian League in 478 BCE—Greek city-states forming an alliance against Persia. Shared governance, mutual defense. But over time, Athens centralized control, redirected funds, and imposed its will. Decentralization eroded. Eventually, it led to the Peloponnesian War.

Delian League - Wikipedia

Hostile takeovers in traditional markets tell a similar story—companies slowly or suddenly losing control through mechanisms that are technically legal but strategically predatory. The same logic applies to DAOs: governance tools can be used as weapons. And just like in those corporate cases, the damage is often done before anyone realizes what’s happening.

https://www.comp.xyz/t/governance-security-notice-goldcomp-proposal-247/5220

Now we’re tokenizing governance. And just like that, we’re also replicating the same old power problems—but onchain.

Still, there’s a reason we’re here: to change how the story ends.

DAO security stages

If you’re in DAOs, chances are you know L2Beat. They’re a public goods team that gave us decentralization stages for L2s. That changed everything. Suddenly, L2s wanted to “pass the test.” To be seen as legit. L2Beat didn’t just measure; they defined.

So we’re doing the same for governance security.

Anticapture stages:

  • Stage 0 – the DAO is in serious trouble

  • Stage 1 – basic security tools exist, but decentralization is lacking

  • Stage 2 – security measures are active, and the DAO shows strong resistance to capture — but decentralization is still a moving target

Here’s the scary part: no DAO has hit Stage 2 yet, at least not among the ones we’ve analyzed. If you disagree, feel free to take it up with our research team—I’ll gladly send you their handles.
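To make the pipeline concrete (raw metrics, the 0/1 indicators listed earlier, a cost-of-attack check like the ENS profitability case, and finally a stage), here is an added toy implementation. It is not anticapture.com's scoring model and it is not blockful's code: the snapshot fields, every threshold, the cost-of-attack formula and the stage rules are assumptions chosen to mirror the text, and the numbers are constructed. The cost-of-attack floor assumes an outsider must clear quorum and at least match the voting power that normally turns up, ignoring slippage, which keeps it on the pessimistic side for the defender.

```python
"""Toy anticapture-style pipeline: metrics -> binary indicators -> stage.
Added example with constructed numbers; thresholds and stage rules are
assumptions, not anticapture.com's actual scoring."""
from dataclasses import dataclass, replace


@dataclass
class DaoSnapshot:
    # Constructed inputs; the field names are assumptions, not a real schema.
    token_price_usd: float
    total_supply: float
    circulating_supply: float
    delegated_supply: float         # voting power actually delegated
    active_supply: float            # voting power that showed up in recent votes
    exchange_held: float            # tokens sitting in CEX/DEX wallets
    treasury_liquid_usd: float
    quorum_fraction: float          # quorum as a fraction of total supply
    has_timelock: bool
    has_security_council: bool      # a body able to veto/cancel a malicious proposal
    voting_rules_mutable_midvote: bool
    dns_locked: bool                # registrar lock + DNSSEC on the front-end domain


def cost_of_attack_usd(s: DaoSnapshot) -> float:
    """Floor on the USD an outsider needs to pass a proposal alone.

    Assumes the attacker must clear quorum and at least match the power that
    normally votes (everyone else voting against). Buying pressure and
    slippage are ignored, so the real figure is higher than this floor.
    """
    quorum_tokens = s.quorum_fraction * s.total_supply
    tokens_needed = max(quorum_tokens, s.active_supply)
    return tokens_needed * s.token_price_usd


def indicators(s: DaoSnapshot) -> dict:
    """Binarise the snapshot: True is a raised risk flag (a '1')."""
    # Threshold values are assumptions for illustration only.
    return {
        "attack_profitable": s.treasury_liquid_usd > cost_of_attack_usd(s),
        "low_delegation": s.delegated_supply / s.circulating_supply < 0.30,
        "exchange_concentration": s.exchange_held / s.circulating_supply > 0.20,
        "low_active_supply": s.active_supply / s.delegated_supply < 0.25,
        "mutable_voting": s.voting_rules_mutable_midvote,
        "dns_weak": not s.dns_locked,
        "no_timelock": not s.has_timelock,
        "no_security_council": not s.has_security_council,
    }


def anticapture_stage(flags: dict) -> int:
    """Map flags to a stage (rule set is an assumption mirroring the text).

    Stage 0: a profitable capture path exists and nothing can stop it in time,
             or the rules can be changed mid-vote.
    Stage 1: basic tools exist, but at least one risk flag is still raised.
    Stage 2: no flag raised.
    """
    unstoppable = flags["attack_profitable"] and (
        flags["no_timelock"] or flags["no_security_council"]
    )
    if unstoppable or flags["mutable_voting"]:
        return 0
    if any(flags.values()):
        return 1
    return 2


# Constructed snapshot shaped like the ENS scenario: big liquid treasury,
# low participation, no body that could veto a drain proposal.
EXPOSED = DaoSnapshot(
    token_price_usd=20.0, total_supply=100_000_000, circulating_supply=30_000_000,
    delegated_supply=8_000_000, active_supply=3_000_000, exchange_held=5_000_000,
    treasury_liquid_usd=150_000_000, quorum_fraction=0.01,
    has_timelock=True, has_security_council=False,
    voting_rules_mutable_midvote=False, dns_locked=True,
)
# The same DAO after adding a Security Council, the countermeasure from the text.
WITH_COUNCIL = replace(EXPOSED, has_security_council=True)
# Smaller treasury and healthier participation: nothing raised.
HEALTHY = replace(WITH_COUNCIL, treasury_liquid_usd=50_000_000,
                  delegated_supply=12_000_000, active_supply=4_000_000)

if __name__ == "__main__":
    for name, snap in [("exposed", EXPOSED), ("with council", WITH_COUNCIL), ("healthy", HEALTHY)]:
        flags = indicators(snap)
        raised = [k for k, v in flags.items() if v]
        print(f"{name:12s} cost=${cost_of_attack_usd(snap):,.0f} "
              f"stage={anticapture_stage(flags)} flags={raised}")
```

The constructed "exposed" DAO lands in Stage 0 because buying enough voting power costs less than the treasury and no one can cancel the proposal; adding a Security Council alone lifts it to Stage 1, which is exactly the two-year breathing room described for ENS, while the remaining flags (attack still profitable, delegation still low) show why that is not the end of the work.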

We built a dashboard based on these stages, plus the anticapture indicators. It's not a theory anymore. It’s working.

This is about survival, not prestige

This is about long-term survival. Over $400M has been lost in governance attacks already. Seems low? That’s the problem. Feels manageable. Feels like something you can deal with later. Until it’s not.

That’s normalcy bias at work—the tendency to assume things will keep functioning as they are, even when warning signs are clear. And DAOs, like systems before them, are especially vulnerable when they mistake silence for safety.

Anticapture exists to give DAOs the clarity they need to stay safe—before it’s too late. It brings together contract data, governance mechanics, and social dynamics in one place, making power structures and risks visible.

DAOs were created to operate without gatekeepers, but that only works if their systems are resilient. Longevity requires more than good intentions or strong ideals—it needs tooling that understands how real attacks happen and how to stop them.

This is the groundwork for a new standard in governance security. One that helps DAOs stay decentralized, democratic, and defensible.

Standards are what transform reactive responses into shared, preventative practice.

Without them, every DAO reinvents its own defense—often too late. While governance failures in traditional companies might take years to unfold, in web3 they can happen in a single block. One vote, one transaction, and the damage is done. Security isn’t an option—it’s a must.

What's next?

ENS, Uniswap, and Optimism are already integrated into the anticapture dashboard to better understand their governance exposure and reinforce their defenses. Each integration is preceded by a full research process to ensure that the analysis reflects the DAO’s structure, token dynamics, and potential vulnerabilities. Now they have a clearer view of their governance risks.

anticapture.com

It’s been a year of research, iteration, and a lot of ground work—and there’s still a long way to go. The product is evolving week by week. There are no shortcuts here. Building meaningful governance infrastructure takes time, and that’s exactly the kind of work this is.

If you're a delegate, contributor, or foundation representative interested in securing a DAO, collaborating, or sharing insights, feel free to reach out. We welcome thoughtful contributions and connections from those working on—or affected by—governance systems. You can follow our work, give feedback, or start a conversation through our open channels.
