[Temp Check] Enable CANCEL role on the DAO

Today Nick introduced veto.ensdao.eth, based on governance attacks researched by me and @alextnetto.eth. This introduces a delegate who has been delegated 3.8M of voting power, which are tokens that belong to ENS Labs and individuals associated with it. These tokens have been delegated to a contract that can only vote NO on proposals.

This has been created due to a governance attack we have recently uncovered: for over a year, since March 14 of last year, the DAO’s total delegated market cap (the total value of all tokens eligible to vote) has been below the total value of the assets it holds. This means that if any sufficiently large whale was able to buy about $83M USD in ENS tokens (which, given that there were over 10M ENS on exchanges, could be done over the counter so as not to move the price significantly), it could delegate them to itself and then add a new proposal to appropriate the $137M in ETH and USDC that the DAO holds. Because tokens that aren’t delegated aren’t eligible to vote, and because the DAO uses a snapshot system, the minute they made the proposal there would be nothing that could be done anymore: even if every single delegate voted against it, the proposal would pass and the attacker would profit $54M in assets (even if the ENS price went to 0 immediately). It seems Pi Day is the DAO’s Achilles heel.

This isn’t a theoretical attack: in fact it’s a well documented attack that has repeatedly been done on DAOs, including Aragon, Rook, Invictus, Rome, Temple, Fe. There are some well funded groups who call themselves the “vultures of crypto” and “Free Value Raiders”, and justify it because they believe “It’s the market’s way of telling that company or project, ‘We don’t think you are being a proper steward of those assets.’”

This is not our case: the market cap of ENS tokens is over USD$400M, much higher than the total assets it controls, but because only a small percentage of these tokens were used for governance, it was susceptible to such attacks. The Veto function changes that, by delegating another 3.8M previously undelegated tokens and therefore increasing the Delegated Market Cap. In the future, when the Multidelegate contract is ready, we will open a conversation on the proper way to delegate the 10M ENS that are in the DAO wallet itself.

The CANCEL function

With the recent change the Delegated Market Cap is now above the total assets. This however is not a 100% guarantee. ENS and ETH are volatile assets (not necessarily correlated), and not all delegates vote on all elections, so the actual number of votes required for a practical majority is lower than that.

However, when a vote passes, it’s not immediately executed; rather, it’s time-locked for 48h and can be cancelled during that time. Currently, however, the only entity that can call the cancel function is the DAO itself, but that would also require a DAO vote and a time lock, meaning it’s of no practical use.

We therefore propose an executable proposal that would grant the role of Canceller to a multisig, controlled by the same people that currently hold the Veto power. This would be a multisig of at least 2 accounts. We take this very seriously and understand that once this multisig has such power it’s hard to reverse it, since they can veto any attempt to remove it. In order to have a balance of power, the members would sign a pledge to only use the cancel power in the event of an attack or to protect the spirit of the constitution, and we are open to discussion on any other measures that can be enacted.

Other preventive measures to protect from the attack

The profitability of such an attack is simply calculated by the amount of total assets in the DAO / (amount of delegated tokens * price of ENS tokens). So any attempt to improve the situation would have to change one of the factors:

  • Assets: The DAO should consider ways to protect the Endowment from any single transaction that takes over. This isn’t as simple as it appears.
  • Delegated tokens: the Metagovernance group has been considering ways to improve the amount of active delegates and will continue to propose new methods of both direct ENS distribution and ENS delegation.
  • Token price: while the DAO’s responsibility is to the ENS system and not the token, it would be healthy if there were ways in which the value of ENS was more tied to the amount of value under its management and the present and future revenue of the name system.

I thank @alextnetto.eth for the research, @nick.eth for the prompt reply making veto.ensdao.eth a reality, and all the metagov stewards.

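As an added illustration (not code from the original post or from the ENS DAO), a small Python model of the profitability ratio from the list above: assets / (delegated tokens * price). The token count and price are constructed so that the delegated market cap matches the $83M figure in the thread, and the participation rate models the caveat in the CANCEL section that not all delegates vote.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DaoState:
    treasury_usd: float        # assets an executable proposal could move
    delegated_tokens: float    # tokens delegated, hence eligible to vote
    token_price_usd: float
    participation: float = 1.0 # share of delegated power that actually votes


def tokens_to_outvote(state: DaoState) -> float:
    """Tokens an attacker must hold (self-delegated before the snapshot) so
    that its YES outweighs every NO the existing delegates could cast,
    scaled by the share of delegates expected to show up."""
    return state.delegated_tokens * state.participation


def attack_profit_usd(state: DaoState) -> float:
    """Treasury captured minus acquisition cost, in the worst case for the
    attacker where the bought tokens are worth nothing afterwards."""
    cost = tokens_to_outvote(state) * state.token_price_usd
    return state.treasury_usd - cost


def profitability_ratio(state: DaoState) -> float:
    """The thread's ratio; above 1.0 the treasury is worth more than the
    voting power guarding it, so the attack pays for itself."""
    return state.treasury_usd / (tokens_to_outvote(state) * state.token_price_usd)


def break_even_price_usd(state: DaoState) -> float:
    """Token price below which the attack becomes profitable; a defender can
    watch this against the market to see how much volatility headroom exists."""
    return state.treasury_usd / tokens_to_outvote(state)


def with_veto_delegation(state: DaoState, veto_tokens: float) -> DaoState:
    """Effect of delegating previously undelegated tokens to a NO-only voter:
    the attacker must now outvote those tokens as well."""
    return replace(state, delegated_tokens=state.delegated_tokens + veto_tokens)


if __name__ == "__main__":
    # Constructed values: 4.15M delegated tokens at $20 gives the $83M delegated
    # market cap from the thread; the $137M treasury figure is from the post.
    before = DaoState(treasury_usd=137e6, delegated_tokens=4.15e6, token_price_usd=20.0)
    after = with_veto_delegation(before, 3.8e6)
    partial = replace(after, participation=0.6)  # only 60% of delegates vote
    for label, s in (("before veto", before), ("after veto", after), ("60% turnout", partial)):
        print(f"{label:>12}: ratio={profitability_ratio(s):.2f} "
              f"profit=${attack_profit_usd(s)/1e6:.1f}M break-even=${break_even_price_usd(s):.2f}")
```

Adding the NO-only delegation pushes the ratio below 1 at full turnout, but a lower turnout or a price drop brings it back above 1, which is why the post treats the veto as a mitigation rather than a guarantee.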

Has there ever been any discussion regarding introducing and testing a new governance token, one which has a built-in expiry and/or becomes soul-bound to certain key wallets?

Essentially I have never understood how or why “responsibility” or “governance” can be bought and traded, especially within a public good organisation. It’s almost an oxymoron.

This sounds like a very positive option.

On another note, will there be more frequent or active campaigns to onboard new Delegates and/or widespread education on DAO matters? It seems to me that the majority of people who really understand the fundamentals of ENS and the constitution rarely use 𝕏 as a method of community learning.

Thanks for the elaborate explanation and the suggestion @AvsA. In addition to signing a pledge, here are some suggestions which will help with balancing power:

a. The multi-sig members could be asked to stake ENS in a separate escrow contract which can be called using a DAO vote to slash & send staked tokens back to the treasury in the event of misuse.

b. Introduce term limits & implement a rotation system where multi-sig members are periodically replaced to prevent centralization of power.

c. Draft legal agreements or contracts outlining the obligations and liabilities of multi-sig members. These agreements can specify the scope of their authority, mechanisms for dispute resolution, & consequences for abuse of power.


While I do not have enough experience or understanding to speak authoritatively on this matter, I am regularly concerned about centralization. I believe that maintaining decentralization standards, like the recent transfer of the ENS root key to the DAO, is crucial for creating a robust and resilient governance environment.

I deeply respect the research and effort that went into developing the solution outlined in this temp-check regarding the Enable Cancel role on the DAO, albeit transitory and relatively centralized. That is why I believe it is worthwhile to begin considering decentralized solutions in the interim and encouraging open research on them as well.
