
SoK: Attacks on DAOs

Rainer Feichtinger, Robin Fritsch, Lioba Heimbach, Yann Vonlanthen, Roger Wattenhofer

TL;DR

This paper addresses security threats to DAO governance by introducing a four-vector taxonomy (BR, TC, HCI, CP) and applying it to 28 real-world incidents across multiple blockchains, complemented by audits and an empirical study of 26 DAOs. It reveals that governance attacks arise from both on-chain code and off-chain human/economic dynamics, with audits disproportionately focusing on CP vulnerabilities. The authors identify seven risk factors (RF1–RF7) and quantify susceptibility across a diverse set of DAOs, showing that smaller projects are often more exposed. Finally, the paper proposes a broad set of mitigations—from conservative implementation to authentication and privacy tools—to deter attacks and guide the development of more robust governance frameworks.

Abstract

Decentralized Autonomous Organizations (DAOs) are blockchain-based organizations that facilitate decentralized governance. Today, DAOs not only hold billions of dollars in their treasury but also govern many of the most popular Decentralized Finance (DeFi) protocols. This paper systematically analyses security threats to DAOs, focusing on the types of attacks they face. We study attacks on DAOs that took place in the past, attacks that have been theorized to be possible, and potential attacks that were uncovered and prevented in audits. For each of these (potential) attacks, we describe and categorize the attack vectors utilized into four categories. This reveals that while many attacks on DAOs take advantage of the less tangible and more complex human nature involved in governance, audits tend to focus on code and protocol vulnerabilities. In addition, the paper examines empirical data on DAO vulnerabilities, outlines risk factors contributing to these attacks, and suggests mitigation strategies to safeguard against such vulnerabilities.

Paper Structure (15 sections, 3 figures, 2 tables)

Figures (3)

  • Figure 1: Comparison of treasury values and the total value of all delegated governance tokens. If the value of the treasury (yellow line), or even the value of the treasury without the governance token (red line), exceeds the value of delegated votes (blue line), this represents an economic risk.
  • Figure 2: Number of holders, i.e. EOAs, who hold more tokens than the total delegated governance votes, on a monthly basis. Such a holder would control the majority of the delegated votes after delegating their tokens.
  • Figure 3: Amount of liquidity available on Paladin in relation to the proposal threshold of the respective protocol.

Theorems & Definitions (4)
