[Temp Check] Enable CANCEL role on the DAO

Today Nick introduced veto.ensdao.eth, based on governance attacks researched by me and @alextnetto.eth . This introduces a delegate who has been delegated 3.8M of voting power, which are tokens that belong to ENSLabs and Individuals associated with it. These tokens have been delegated to a contract that can only vote NO on proposals.

This has been created due to a governance attack we have recently uncovered: for over a year, since march 14 of last year the DAO’s total delegated market cap (the total value of all tokens eligible to vote) has been below the total value of the assets it holds. This means that if any sufficiently large whale was able to buy about $83M USD (which given that there were over 10M ENS on exchanges, could be done over the counter so as not to move the price significantly) in ENS tokens, it could delegate it to itself and then add a new proposal to appropriate $137M in ETH and USDC that the DAO holds. Because tokens that aren’t delegated aren’t eligible to vote, and because the DAO uses a snapshot system, the minute they made the proposal there would nothing that could be done anymore: even if every single delegated voted against it, the proposal would pass and the attacker would profit $54M in assets (even if the ENS price went to 0 immediately). It seems Pi Day is the DAO achilles heel.

This isn’t a theoretical attack: in fact it’s a well documented attack that has been repeatedly been done on DAOs, including Aragon, Rook, Invictus, Rome, Temple, Fe. There are some well funded groups who call themselves the “vultures of crypto” and “Free Value Raiders”, and justify because they believe “It’s the market’s way of telling that company or project, ‘We don’t think you are being a proper steward of those assets.’”

This is not our case, the market cap of ENS tokens is over USD$400M, much higher than the total assets it controls, but because only a small percentage of these tokens were used for governance, then it was susceptible to such attacks. The Veto function changes that, by delegating another 3.8 M previously undelegated tokens and therefore increasing the Delegated Market Cap. In the future, when the Multidelegate contract is ready we will open a conversation on the proper way to delegate the 10M ENS that are on the DAO wallet itself.

The CANCEL function

With the recent change the Delegated Market Cap is now above the total assets. This however is not a 100% guarantee. ENS and ETH are volatile assets (not necessarily correlated), and not all of delegates vote on all elections so the actual votes required have a practical majority is lower than that.

However when a vote passes, it’s not immediately executed but rather it’s time locked for 48h and it can be cancelled during that time. However currently the only entity that can call the cancel function is the DAO itself, but that would also require a DAO vote and a time lock, meaning it’s of no practical usage.

We therefore propose an executable proposal that would grant the role of Canceller to a multisig, controlled by the same people that currently hold the Veto power. This would be a multisig of at least 2 accounts. We take this very seriously and understand that once this multisig has such power it’s hard to reverse it since they can veto any attempt to remove it. In order to have a balance of power the members would sign a pledge to only use the cancel power in an event of an attack or to protect the spirit of the constitution and we are open to discussion on any other measures that can be enacted.

Other preventive measures to protect from the attack

The profitability of such attack is simply calculated by the amount of total assets in the DAO / (amount of delegated tokens * price of ENS tokens). So any attempt to improve the situation would have to change one of the factors:

  • Assets: The DAO should consider ways to protect the Endowment from any single transaction that takes over. This isn’t as simple as it appears.
  • Delegated tokens: the Metagovernance group has been considering ways to improve the amount of active delegates and will continue to propose new methods of both direct ENS distribution and ENS delegation.
  • Token price: while the DAO’s responsibility is to the ENS system and not the token, it would be healthy if there were ways in which the value of ENS was more tied to the amount of values in it’s management and the present and future revenue of the name system.

I thank @alextnetto.eth for the research, @nick.eth for the prompt reply making the veto.ensdao.eth a reality and for all the metagov stewards.

14 Likes

Has there ever been any discussion regarding introducing and testing a new governance token, one in which has a built in expiry and or becomes soul bound to certain key wallets.

Essentially I have never understood how or why “responsibility” or “governance” can be bought and traded, especially within a public good organisation. It’s almost an oxymoron.

This sounds like a very positive option.

On another note, will there be more frequent or active campaigns to onboard new Delegates and or wide spread education upon DAO matters? It seems to me that the majority of people who really understand the fundamentals of ENS and the constitution rarely use 𝕏 as a method of community learning.

Thanks for the elaborate explaination and the suggestion @AvsA. In addition to signing a pledge, here are some suggestions which will help with balancing power:

a. The multi-sig members could be asked to stake ENS in a separate escrow contract which can be called using a DAO vote to slash & send staked tokens back to the treasury in the event misuse.

b. Introduce term limits & implement a rotation system where multi-sig members are periodically replaced to prevent centralization of power.

c. Draft legal agreements or contracts outlining the obligations and liabilities of multi-sig members. These agreements can specify the scope of their authority, mechanisms for dispute resolution, & consequences for abuse of power

1 Like

While I do not have enough experience or understanding to speak authoritatively on this matter, I am regularly concerned about centralization. I believe that maintaining decentralization standards, like the recent transfer of the ENS root key to the DAO, is crucial for creating a robust and resilient governance environment.

I deeply respect the research and effort that went into developing the solution outlined in this temp-check regarding the Enable Cancel role on the DAO, albeit transitory and relatively centralized. That is why I believe it is worthwhile to begin considering decentralized solutions in the interim and encouraging open research on them as well.

1 Like

Hey @AvsA, great job identifying this issue, and the mitigation you’ve put in place makes sense as a stop gap.

One thing I’ll add: because the ENS Governor has a 1-block proposal delay, this attack is even easier to carry out, because the attacker could acquire the tokens, submit the proposal, cast their vote one block later, and immediately sell the tokens. They would face no economic skin in the game from a drop in ENS price that would occur once the malicious proposal became known. I have previously spoken about this risk in particular at MetaGov Working Group meetings (minutes).

As you identified, the longer term solutions are to get more people to delegate and better align the value of the token to the value of the treasury. One way to do both of these at the same time is to offer rewards from the DAO’s revenue/treasury to those who delegate through a staking system. Uniswap is in the process of rolling out something that does exactly this, called UniStaker (docs).

Disclosure: my company, ScopeLift, built the UniStaker contracts and is working with the Uniswap Foundation to see it deployed. Obviously we are biased, so you should take our opinions with a grain of salt. But I do feel like it’s a clean way to address both issues.

You’ll forgive me for the shameless self promotion here, but we’d be happy to discuss adapting the UniStaker system for the ENS DAO. I actually don’t think it would be too hard to do.

Regarding the cancellation approach: cancellation of proposals is not currently possible, because the ENS Governor does not expose a public cancel method, and (as previously mentioned), the proposal delay is only 1 block anyway, meaning there is no practical window in which cancellation could occur. For these reasons, in addition to considering a staking delegation system, the DAO should seriously consider a Governor upgrade sooner rather than later.

Again, you’ll forgive me the shameless plug here, but these kinds of sensitive Governor upgrades are one of ScopeLift’s areas of expertise, and we’d be happy to help in this regard.

(Also, for my two cents, I’m somewhat skeptical of giving unilateral veto power to a multisig, even with legal agreements in place. Given the liability risks involved, I wonder if you might struggle to find credible parties to be on that multisig. But I can see both sides of the argument as to why this could be helpful.)

6 Likes

My concern with solutions like this is that there’s no way to incentivize effective governance participation. Incentivizing delegation will increase delegation rates, but not ensure those votes are actually used. And if you enforce that the rewards are only paid out if your delegate votes, people will develop bot solutions that always vote the same way on all proposals automatically.

Doesn’t cancellation occur on the timelock, between the vote succeeding and being executed? The DAO could elect a veto contract as a valid caller to that function.

4 Likes

Thank you @alextnetto.eth and @AvsA for coming up with this proposal, happy that it passed unanimously. Also thanks to @nick.eth for implementing the shorter-term veto.ensdao.eth solution.

As the snapshot points out, this is just a mid-term solution since it has a risk of perpetuating centralized power and reducing protocol legitimacy. The built-in expiration date of two years means we’ll need a longer-term solution by then.

I’m not a delegate, but adding my voice here to exercise some airdropped responsibility since this is a core issue for the long-term survival and success of ENS.

As @AvsA lays out, the treasury is vulnerable to attack when the total delegated market cap is below the total treasury value. Since the total delegated market cap is a product of both the ENS token price and number of tokens delegated, either input can cause the delegated market cap to drop below treasury value making an attack feasible. So as @bendi points out, any long-term solution needs to address both the ENS token price and number of delegated tokens.

To keep delegated numbers high, it seems like we’ll need to financially incentivize delegators in some form, even if we don’t get perfectly effective governance participation as Nick points out. I’m not sure how we can avoid incentivization since delegators will always have a competing financial yield that they can earn, due to composability.

For example, here’s the number of ENS tokens used as collateral in Aave v3. The spike after December coincides with the bull market. The ENS tokens deposited are presumably used as collateral to buy other tokens on leverage, competing with delegation.

Taking these points into account, the Unistaker approach seems like a promising one with good tradeoffs. One modification I’d suggest is to implement vote-escrowed tokens or veENS (as implemented by Curve & Yearn). With veENS, delegators can choose to lock up their tokens for a length of time to get proportionally greater voting power and a larger share of the incentives. This aligns long-term governance and does more to guard against treasury attacks.

Having said this, I’m curious to know if there are any alternative ways to incentivize delegators or achieve locked voting.

2 Likes

Tally has been closely monitoring this potential governance vulnerability at ENS along with similar vulnerabilities across the DAO ecosystem. We are excited about UniStaker as a primitive, but note that it’s important to consider token liquidity in any potential governance staking design. UniStaker itself does not solve the problem @dinesh.eth highlights of tokens used in DeFi competing with participation in governance. We also share @nick.eth’s concern that, while UniStaker incentivises delegation, it does not incentivise effective governance participation.

We advocate for implementing a UniStaker-like solution that incorporates staked token liquidity and a mechanism to incentivise effective governance by only paying out rewards to stakers who delegate to an effective (votes onchain AND adds value to the governance process) delegate. We’ve been thinking about this at Tally and would love to contribute to such a solution.

Good idea. It is important to encourage effective governance by distributing voting power to delegates who are ENS-aligned and active participants in the DAO. Otherwise, the DAO risks succumbing to botting and other Sybil-like attacks.

I recommend viewing participants’ historical voting activity and prioritizing delegations to those who have demonstrated meaningful participation. How we define ‘meaningful,’ however, is an open-ended question, and I further encourage active discussion on this.

1 Like