[Temp Check] Enable CANCEL role on the DAO

Today Nick introduced veto.ensdao.eth, based on governance attacks researched by me and @alextnetto.eth. This introduces a delegate who has been delegated 3.8M of voting power, which are tokens that belong to ENSLabs and individuals associated with it. These tokens have been delegated to a contract that can only vote NO on proposals.

This has been created due to a governance attack we have recently uncovered: for over a year, since March 14 of last year, the DAO’s total delegated market cap (the total value of all tokens eligible to vote) has been below the total value of the assets it holds. This means that if any sufficiently large whale was able to buy about $83M USD (which given that there were over 10M ENS on exchanges, could be done over the counter so as not to move the price significantly) in ENS tokens, it could delegate it to itself and then add a new proposal to appropriate $137M in ETH and USDC that the DAO holds. Because tokens that aren’t delegated aren’t eligible to vote, and because the DAO uses a snapshot system, the minute they made the proposal there would be nothing that could be done anymore: even if every single delegate voted against it, the proposal would pass and the attacker would profit $54M in assets (even if the ENS price went to 0 immediately). It seems Pi Day is the DAO’s Achilles heel.

This isn’t a theoretical attack: in fact it’s a well documented attack that has repeatedly been done on DAOs, including Aragon, Rook, Invictus, Rome, Temple, Fe. There are some well funded groups who call themselves the “vultures of crypto” and “Free Value Raiders”, and justify it because they believe “It’s the market’s way of telling that company or project, ‘We don’t think you are being a proper steward of those assets.’”

This is not our case: the market cap of ENS tokens is over USD$400M, much higher than the total assets it controls, but because only a small percentage of these tokens were used for governance, it was susceptible to such attacks. The Veto function changes that, by delegating another 3.8M previously undelegated tokens and therefore increasing the Delegated Market Cap. In the future, when the Multidelegate contract is ready, we will open a conversation on the proper way to delegate the 10M ENS that are on the DAO wallet itself.

The CANCEL function

With the recent change the Delegated Market Cap is now above the total assets. This however is not a 100% guarantee. ENS and ETH are volatile assets (not necessarily correlated), and not all delegates vote in all elections, so the actual votes required to have a practical majority are lower than that.

However when a vote passes, it’s not immediately executed but rather it’s time locked for 48h and it can be cancelled during that time. However currently the only entity that can call the cancel function is the DAO itself, but that would also require a DAO vote and a time lock, meaning it’s of no practical usage.

We therefore propose an executable proposal that would grant the role of Canceller to a multisig, controlled by the same people that currently hold the Veto power. This would be a multisig of at least 2 accounts. We take this very seriously and understand that once this multisig has such power it’s hard to reverse it since they can veto any attempt to remove it. In order to have a balance of power the members would sign a pledge to only use the cancel power in the event of an attack or to protect the spirit of the constitution, and we are open to discussion on any other measures that can be enacted.

Other preventive measures to protect from the attack

The profitability of such an attack is simply calculated by the amount of total assets in the DAO / (amount of delegated tokens * price of ENS tokens). So any attempt to improve the situation would have to change one of the factors:

  • Assets: The DAO should consider ways to protect the Endowment from any single transaction that takes over. This isn’t as simple as it appears.
  • Delegated tokens: the Metagovernance group has been considering ways to improve the amount of active delegates and will continue to propose new methods of both direct ENS distribution and ENS delegation.
  • Token price: while the DAO’s responsibility is to the ENS system and not the token, it would be healthy if there were ways in which the value of ENS was more tied to the amount of value in its management and the present and future revenue of the name system.

I thank @alextnetto.eth for the research, @nick.eth for the prompt reply making the veto.ensdao.eth a reality and for all the metagov stewards.

11 Likes
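Added example, not part of the original post or of any ENS code: a defender-side check of the ratio given in the post, extended with delegate turnout and an always-NO veto delegation. Only the $137M, $83M and 3.8M figures come from the post; the $20 price, the 4.15M delegated tokens (chosen so their product is $83M), the 70% turnout and all names are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DaoState:
    treasury_usd: float        # ETH + USDC held by the DAO
    delegated_tokens: float    # tokens delegated to ordinary delegates
    token_price_usd: float
    turnout: float = 1.0       # share of ordinary delegated tokens that actually vote
    veto_tokens: float = 0.0   # tokens delegated to a contract that always votes NO

def defending_votes(s: DaoState) -> float:
    """Votes that can be counted on to oppose a hostile proposal."""
    return s.delegated_tokens * s.turnout + s.veto_tokens

def defended_value_usd(s: DaoState) -> float:
    """Market value of the defending votes (the 'delegated market cap')."""
    return defending_votes(s) * s.token_price_usd

def profitability(s: DaoState) -> float:
    """The post's ratio: total assets / (delegated tokens * price). Above 1 is unsafe."""
    return s.treasury_usd / defended_value_usd(s)

def exposure_usd(s: DaoState) -> float:
    """Treasury value not covered by defending votes, even if the token price went to 0."""
    return max(0.0, s.treasury_usd - defended_value_usd(s))

def break_even_price_usd(s: DaoState) -> float:
    """Token price below which the ratio rises above 1."""
    return s.treasury_usd / defending_votes(s)

def extra_veto_tokens_needed(s: DaoState, margin: float = 1.0) -> float:
    """Additional always-NO delegation needed to push the ratio to 1/margin or lower."""
    needed = s.treasury_usd * margin / s.token_price_usd
    return max(0.0, needed - defending_votes(s))

# Constructed inputs: only the $137M, $83M and 3.8M figures come from the post.
BEFORE = DaoState(treasury_usd=137e6, delegated_tokens=4.15e6, token_price_usd=20.0)
AFTER = replace(BEFORE, veto_tokens=3.8e6)
LOW_TURNOUT = replace(AFTER, turnout=0.7)

if __name__ == "__main__":
    for label, s in [("before veto", BEFORE), ("after veto", AFTER),
                     ("after veto, 70% turnout", LOW_TURNOUT)]:
        print(f"{label:24} ratio={profitability(s):.2f} "
              f"exposure=${exposure_usd(s) / 1e6:.1f}M "
              f"break-even=${break_even_price_usd(s):.2f} "
              f"extra veto needed={extra_veto_tokens_needed(s) / 1e6:.2f}M")
```

With these constructed inputs the ratio drops below 1 once the veto delegation is counted, and rises above 1 again at 70% turnout, which is the caveat the post raises about delegates not voting in every election.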

Has there ever been any discussion regarding introducing and testing a new governance token, one which has a built-in expiry and/or becomes soulbound to certain key wallets?

Essentially I have never understood how or why “responsibility” or “governance” can be bought and traded, especially within a public good organisation. It’s almost an oxymoron.

This sounds like a very positive option.

On another note, will there be more frequent or active campaigns to onboard new Delegates and/or widespread education on DAO matters? It seems to me that the majority of people who really understand the fundamentals of ENS and the constitution rarely use 𝕏 as a method of community learning.

Thanks for the elaborate explanation and the suggestion @AvsA. In addition to signing a pledge, here are some suggestions which will help with balancing power:

a. The multi-sig members could be asked to stake ENS in a separate escrow contract which can be called using a DAO vote to slash & send staked tokens back to the treasury in the event of misuse.

b. Introduce term limits & implement a rotation system where multi-sig members are periodically replaced to prevent centralization of power.

c. Draft legal agreements or contracts outlining the obligations and liabilities of multi-sig members. These agreements can specify the scope of their authority, mechanisms for dispute resolution, & consequences for abuse of power.

1 Like

While I do not have enough experience or understanding to speak authoritatively on this matter, I am regularly concerned about centralization. I believe that maintaining decentralization standards, like the recent transfer of the ENS root key to the DAO, is crucial for creating a robust and resilient governance environment.

I deeply respect the research and effort that went into developing the solution outlined in this temp-check regarding the Enable Cancel role on the DAO, albeit transitory and relatively centralized. That is why I believe it is worthwhile to begin considering decentralized solutions in the interim and encouraging open research on them as well.

1 Like

Hey @AvsA, great job identifying this issue, and the mitigation you’ve put in place makes sense as a stop gap.

One thing I’ll add: because the ENS Governor has a 1-block proposal delay, this attack is even easier to carry out, because the attacker could acquire the tokens, submit the proposal, cast their vote one block later, and immediately sell the tokens. They would face no economic skin in the game from a drop in ENS price that would occur once the malicious proposal became known. I have previously spoken about this risk in particular at MetaGov Working Group meetings (minutes).

As you identified, the longer term solutions are to get more people to delegate and better align the value of the token to the value of the treasury. One way to do both of these at the same time is to offer rewards from the DAO’s revenue/treasury to those who delegate through a staking system. Uniswap is in the process of rolling out something that does exactly this, called UniStaker (docs).

Disclosure: my company, ScopeLift, built the UniStaker contracts and is working with the Uniswap Foundation to see it deployed. Obviously we are biased, so you should take our opinions with a grain of salt. But I do feel like it’s a clean way to address both issues.

You’ll forgive me for the shameless self promotion here, but we’d be happy to discuss adapting the UniStaker system for the ENS DAO. I actually don’t think it would be too hard to do.

Regarding the cancellation approach: cancellation of proposals is not currently possible, because the ENS Governor does not expose a public cancel method, and (as previously mentioned), the proposal delay is only 1 block anyway, meaning there is no practical window in which cancellation could occur. For these reasons, in addition to considering a staking delegation system, the DAO should seriously consider a Governor upgrade sooner rather than later.

Again, you’ll forgive me the shameless plug here, but these kinds of sensitive Governor upgrades are one of ScopeLift’s areas of expertise, and we’d be happy to help in this regard.

(Also, for my two cents, I’m somewhat skeptical of giving unilateral veto power to a multisig, even with legal agreements in place. Given the liability risks involved, I wonder if you might struggle to find credible parties to be on that multisig. But I can see both sides of the argument as to why this could be helpful.)

3 Likes