[Temp Check] Enable CANCEL role on the DAO

Hey @AvsA, great job identifying this issue, and the mitigation you’ve put in place makes sense as a stopgap.

One thing I’ll add: because the ENS Governor has a 1-block proposal delay, this attack is even easier to carry out, because the attacker could acquire the tokens, submit the proposal, cast their vote one block later, and immediately sell the tokens. They would face no economic skin in the game from a drop in ENS price that would occur once the malicious proposal became known. I have previously spoken about this risk in particular at MetaGov Working Group meetings (minutes).

As you identified, the longer-term solutions are to get more people to delegate and better align the value of the token to the value of the treasury. One way to do both of these at the same time is to offer rewards from the DAO’s revenue/treasury to those who delegate through a staking system. Uniswap is in the process of rolling out something that does exactly this, called UniStaker (docs).

Disclosure: my company, ScopeLift, built the UniStaker contracts and is working with the Uniswap Foundation to see it deployed. Obviously we are biased, so you should take our opinions with a grain of salt. But I do feel like it’s a clean way to address both issues.

You’ll forgive me for the shameless self-promotion here, but we’d be happy to discuss adapting the UniStaker system for the ENS DAO. I actually don’t think it would be too hard to do.

Regarding the cancellation approach: cancellation of proposals is not currently possible, because the ENS Governor does not expose a public cancel method, and (as previously mentioned) the proposal delay is only 1 block anyway, meaning there is no practical window in which cancellation could occur. For these reasons, in addition to considering a staking delegation system, the DAO should seriously consider a Governor upgrade sooner rather than later.

Again, you’ll forgive me the shameless plug here, but these kinds of sensitive Governor upgrades are one of ScopeLift’s areas of expertise, and we’d be happy to help in this regard.

(Also, for my two cents, I’m somewhat skeptical of giving unilateral veto power to a multisig, even with legal agreements in place. Given the liability risks involved, I wonder if you might struggle to find credible parties to be on that multisig. But I can see both sides of the argument as to why this could be helpful.)

8 Likes