The creation of DAOs is unique to web3 and leverages the power of blockchain in managing the protocol without going through a centralized entity.
A DAO focuses on two aspects: encryption and distributed storage. This gives the community the ability to act on the collective decisions of its members.
Like other Web3 protocols, DAO protocols also have security concerns.
The purpose of this article is to explain the underlying infrastructure of DAOs and give guidelines for building attack-resistant smart contracts.
Purpose of DAOs
Ethereum holds the credit of being the first programmable blockchain. By allowing developers to run their own code on it, it plays a big role in achieving true decentralization.
In that respect, DAO smart contracts are designed to foster on-chain governance, which means that the community operates purely on the blockchain.
Like other smart contracts, DAO contracts are basically designed to automate processes and take actions when predefined conditions are met.
To illustrate with an example, consider an ERC-20 token contract. It will be created based on the ERC-20 standard with information such as contract address, token supply, token name, token transfer conditions, etc.
Token operations are performed when the configured rules are met. Similarly, DAO contracts are coded to dictate the organization’s work, such as determining funding allocations according to member voting proposals.
For example, a DAO has a built-in treasury. Its funds are used only after group approval, and no single authority can carry out a plan on its own.
Voting proposals for making important decisions about the project ensure that all participants are heard, increasing trust and transparency of on-chain activities.
Each protocol has different governance over organizational activity, and how a DAO is coded is up to each project. Therefore, it is important to pay attention to the administrative rights users have over the protocol before joining a DAO.
Steps required to set up a DAO smart contract
The mechanism of on-chain governance runs through a set of contracts (token, governor, timelock). Let’s look at each role.
Token: Tokens determine the voting power of community members participating in on-chain governance. Token contracts track balances and voting power, and allow participants to express their choices on governance proposals.
Governor: The governor contract is coded with parameters such as how voting power is assigned to token holders, which types of tokens are accepted, and the number of votes required for a quorum. However, developers can code the functional details of how the contract is executed.
In addition, the governor contract also encodes the voting delay and the voting period for proposals. These determine how long participants can vote on a proposal.
Timelock: The timelock includes an AccessControl setup with proposer, executor, and admin roles. By integrating the Timelock component with the governance system, participants are free to exit if they disagree with a decision before it is executed.
An overview of DAO security threats
As DAOs rely on smart contracts, those contracts are responsible for maintaining governance votes and finances. Each of these elements has its own security concerns. Let’s go through them below.
Security concerns in smart contracts
Let’s rewind a bit and recall the famous “Fall of the DAO”. The main cause was a bug in the DAO code. Hackers were able to exploit the vulnerability and drain funds from the contract through a recursive call.
The contract contained 12.7M Ether, and hackers exploited a loophole in the contract to steal 3.6 million ETH.
This incident clearly demonstrates the need for more experience and experimentation with DAO security. While DAOs have been lauded for their innovation, the quality of the code has done more damage.
Additionally, smart contract coding should be completely transparent so that functionality does not become a bug later on.
Security concerns about governance
There are multiple ways for hackers to infiltrate the protocol’s governance. First, notifications are decentralized, so a hacker who can block them can introduce malicious proposals that go unnoticed by other DAO members.
Next are proposals that call for multicall transactions. If such proposals are not reviewed or audited by the DAO, attackers can use them to produce mixed results.
Incorrect thresholds and improper timelocks can lead to inappropriate activity. Flash loans are another security concern for governance. Attackers can borrow large amounts of tokens to give themselves majority power and push through proposals.
Malicious proposals raise serious security concerns for changes implemented in the protocol. AAVE and Compound have suffered from this type of hack in the past.
Runtime security concerns
MakerDAO, which launched on the Ethereum network in 2017, did well until the market crashed in 2020, when the price of Ether dropped to 50% of its value. Ether is the most important collateral used on MakerDAO, and the price crash caused a large volume of liquidations.
MakerDAO was not designed to handle large-scale liquidations, which resulted in greater financial losses. The coding was strong here, but the weakness was in the execution of the liquidation mechanism.
Since then, DAO mechanism execution has also been added to the list of other existing security issues.
DAO smart contract audit checklist
Security is a major aspect of on-chain governance, needed to prevent power from falling into the wrong hands. So let’s look at some guidelines for developing robust DAO contracts from a security perspective.
Low level call: Calls to arbitrary contracts that fetch arbitrary data should be handled with caution.
Care should be taken when handling low-level calls, as they can open up potential reentrancy attack vectors. So it’s always a good idea to check the success condition of the call before processing the returned data.
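The low-level call guideline, shown as an added example that is not code from the original article or from any project it names: a constructed treasury withdrawal in the pattern to avoid, next to a hardened form. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Pattern to avoid: state is updated after the external call.
contract VulnerableTreasury {
    mapping(address => uint256) public shares;

    function deposit() external payable { shares[msg.sender] += msg.value; }

    // The recipient's fallback runs while shares[msg.sender] is still
    // non-zero, and the success flag of the call is discarded.
    function withdraw() external {
        uint256 amount = shares[msg.sender];
        msg.sender.call{value: amount}("");   // unchecked low-level call
        shares[msg.sender] = 0;               // effect applied too late
    }
}

// Hardened form: checks-effects-interactions, a reentrancy lock, checked result.
contract HardenedTreasury {
    mapping(address => uint256) public shares;
    bool private locked;

    error TransferFailed();
    error Reentrancy();

    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { shares[msg.sender] += msg.value; }

    function withdraw() external nonReentrant {
        uint256 amount = shares[msg.sender];
        shares[msg.sender] = 0;                             // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        if (!ok) revert TransferFailed();                   // revert restores the balance
    }
}
```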
Handling ETH: Audits show that ETH is often not properly handled in governance-related contracts. So if the governance contract needs to process ETH, it is recommended to make sure it has a way to send ETH.
Another caveat applies when msg.value is used in a contract that allows batch calls. This pattern may not work.
Guard against flash loan exploits: Flash loans are relied upon by bad actors who want to influence governance decisions and launch attacks. They take flash loans and secure governance votes through token holdings to manipulate governance decisions.
Therefore, avoid measuring voting power in the current block, since flash loans taken to gain governance power would jeopardize the system.
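One way to apply the flash loan guideline, as an added example that is not from the original article: a minimal governor that reads voting weight from a snapshot block in the past instead of the current balance. The IVotes interface here is a local, assumed interface for a checkpointing vote token, and the delay and period values are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: a token that checkpoints voting power per block.
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
}

contract SnapshotGovernor {
    struct Proposal {
        uint256 snapshotBlock;   // block at which voting power is measured
        uint256 deadline;        // last block in which votes are accepted
        uint256 forVotes;
        uint256 againstVotes;
    }

    IVotes public immutable token;
    uint256 public constant VOTING_DELAY = 1;     // blocks (constructed value)
    uint256 public constant VOTING_PERIOD = 100;  // blocks (constructed value)
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor(IVotes _token) { token = _token; }

    function propose() external returns (uint256 id) {
        id = proposals.length;
        uint256 snap = block.number + VOTING_DELAY;
        proposals.push(Proposal(snap, snap + VOTING_PERIOD, 0, 0));
    }

    function castVote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(block.number > p.snapshotBlock, "voting not started");
        require(block.number <= p.deadline, "voting closed");
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;

        // Weight comes from a finished block. Tokens borrowed and repaid
        // inside one transaction are gone by the end of that block, so they
        // never appear in the checkpoint. Reading the live balance at vote
        // time instead would count them.
        uint256 weight = token.getPastVotes(msg.sender, p.snapshotBlock);
        if (support) p.forVotes += weight;
        else p.againstVotes += weight;
    }
}
```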
Regular updates: Even if your contract is not necessarily flawed, you should always check the market for governance tokens and adjust your thresholds accordingly. Otherwise, malicious actors can take over your decisions.
Pay attention to the details when migrating and upgrading your governance system. There have been cases like what happened with Uniswap: the move to Governor Bravo introduced a contract flaw that put governance decisions on hold.
Including a delay using a timelock contract: Time-delayed actions allow the community to review protocol changes before they go into effect. These time delays can be implemented via the Timelock contract.
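A minimal sketch of such a delay, as an added example that is not the Timelock contract of any project named in this article: actions are queued by the governor and can only run after a fixed waiting period. The contract name, the two-day delay and the single-governor access check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of a time-delayed executor for governance actions.
contract MinimalTimelock {
    uint256 public constant MIN_DELAY = 2 days;   // constructed value
    address public immutable governor;            // only caller allowed to queue
    mapping(bytes32 => uint256) public readyAt;   // 0 means "not queued"

    event Queued(bytes32 indexed id, address target, uint256 value, bytes data, uint256 eta);
    event Executed(bytes32 indexed id);

    constructor(address _governor) { governor = _governor; }

    // Lets the timelock hold the ETH it may later have to send.
    receive() external payable {}

    function hashOf(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    function queue(address target, uint256 value, bytes calldata data, bytes32 salt)
        external returns (bytes32 id)
    {
        require(msg.sender == governor, "not governor");
        id = hashOf(target, value, data, salt);
        require(readyAt[id] == 0, "already queued");
        uint256 eta = block.timestamp + MIN_DELAY;
        readyAt[id] = eta;
        // The event gives the community the review window: the full call
        // is public from this moment until eta.
        emit Queued(id, target, value, data, eta);
    }

    function execute(address target, uint256 value, bytes calldata data, bytes32 salt) external {
        bytes32 id = hashOf(target, value, data, salt);
        uint256 eta = readyAt[id];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete readyAt[id];                            // clear before the external call
        (bool ok, ) = target.call{value: value}(data);
        require(ok, "call reverted");                  // checked low-level call
        emit Executed(id);
    }
}
```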
Protocol-related vulnerabilities: Each protocol is coded with its own business logic, which differs from one protocol to another. The same goes for the problems that occur when changes are made to that system.
As a matter of fact, the Compound protocol ran into trouble when a manipulative community proposal was approved. Therefore, it is always good to have a thorough review of the code by peers or independent parties to ensure the strength and soundness of the contract.
QuillAudits Eminence in DAO Smart Contract Auditing
Today, many projects are embedding on-chain governance to make the system purely self-functioning. As such, the field is rapidly evolving and thriving in response to community needs.
Attacks are also becoming more complex, which is both challenging and costly. So you need to make sure your processes are in place and strictly followed in your code. At QuillAudits, we perform extensive research and code audits to eliminate potential pitfalls and protect your project from malicious activity.