Best Practices For Secure DeFi Governance

In simple terms, “governance” comprises the rules and procedures that control how decisions are made and implemented in an organization. DeFi protocols primarily rely on governance to allow members collectively decide on changes to the protocol. For instance, governance decisions may change the collateral ratio model in a lending protocol or adjust liquidity provider fees in a decentralized exchange (DEX).

DeFi governance may also extend beyond protocol upgrades into ordinary, day-to-day concerns like contributor compensation, grant allocations, human resource management, and more. The key point to note is that governance greatly influences how DeFi protocols are managed and operated and thus requires significant attention. 

Unlike traditional companies that concentrate authority in the hands of a select few, DeFi projects often distribute decision-making power to members of the community via governance tokens. Governance tokens empower holders to propose and ratify changes to a protocol. 

Web3 projects usually adopt on-chain governance (holders of the protocol’s governance token (UNI, COMP, SUSHI, etc.) vote for proposals on the blockchain) or off-chain governance (community members signal preferences off-chain using a tool like Snapshot). Hybrid governance balances the two by combining off-chain signaling with on-chain execution of proposals. 

A discussion of these governance mechanisms is out of scope, but you should at least understand the risks and benefits associated with whatever mechanism you choose. For example, on-chain governance is “trustless” (proposals are automatically executed once voting ends), but may attract low participation due to high transaction fees. Off-chain and hybrid governance are more cost-efficient, although decisions may either lack binding power or require trusting certain parties to (faithfully) execute decisions approved by the community. 

Governance is typically about making decisions. But governance in DeFi—specifically, decentralized governance—isn’t about making decisions alone but making decisions in a fair, transparent, open, and credibly neutral manner. 

Some of the benefits of decentralized governance include:

• Aligning incentives: By giving users, contributors, and investors opportunities to participate in the decision-making process, these parties become invested in the success of the protocol. 

• Reducing centralization risks: DeFi governance mechanisms adopt solutions to make governance processes open to all members and ensure governance power isn’t concentrated with a powerful minority (who may enact changes detrimental to the rest). 

• Improve accountability and informed decision-making: Governance gives members the power to hold individuals accountable for actions. Moreover, proposals pass through extensive deliberation by the community, allowing for decisions to reflect broader perspectives and insights. 

DeFi governance is serious business; flawed designs can have practical consequences, particularly the loss of funds to hostile governance takeovers. But DeFi governance is still evolving, and “definitive guides” on designing a secure governance protocol are few and far in between. 

This doesn’t mean developers cannot take steps to make Web3 governance more sustainable, robust, and secure. In subsequent paragraphs, we’ll go over some recommendations for safely implementing governance systems for DeFi protocols.  

We’ve previously described the risk that flash loan attacks pose to components of the DeFi ecosystem, especially price oracles; but they can also affect governance. If a project’s governance token can be borrowed on the market via a flash loan, anyone (including malicious actors) can amass enough voting power to force through a proposal. 

Hijacking DeFi governance mechanisms this way incurs zero risk as flash loans don’t require collateral (insofar as the loan is repaid with interest in the same block). This puts protocols at the risk of one type of governance attack where a hacker flash loans governance tokens and uses them to vote (and execute) a malicious proposal. 

The standard mitigative measure—adopted by top DeFi projects like Compound and Uniswap—is to calculate the voting power of an address at the previous block (instead of the current block). Since flash loans cannot execute outside of a single block, this strategy makes it difficult to quickly borrow governance tokens to swing votes.

Even in a decentralized system, some privileged roles with administrative powers may exist (primarily to aid efficiency and speed in decision-making). Hybrid governance systems, for example, usually rely on one or more parties to execute decisions ratified by the community off-chain. 

While these parties may be trusted to act according to the majority’s wishes, rogue executors are always a possibility. Thus it is important to limit administrative powers and implement secure access control systems to prevent a privileged minority from manipulating protocol governance by design or accident. 

In the aforementioned case (ie. trusted parties executing proposals on-chain), using a multisig wallet (eg. Gnosis Safe) can improve robustness and resilience of protocol governance. 

DeFi protocol Balancer makes for a good case study in this regard: 

• The approval threshold (6-of-11 signatures required for a quorum) improves the system’s resilience in the face of collusion or hacks involving signers 

• Signers are well-known members of the community and thus have an additional incentive (protecting their reputation) to act honestly

• Signers have limited powers and cannot, for example, stop individuals from withdrawing funds from liquidity pools in emergencies 

A timelock is a smart contract programmed to execute certain operations only if some predefined time has elapsed. Designating a timelock contract address as the “owner” of a governance module is a common pattern among DeFi projects. Under this arrangement, all proposals must go through the delay imposed by the timelock before execution. 

Timelocks protect users against hostile governance takeovers by providing a means of exiting the system before an unfavorable proposal is implemented. With governance tokens like UNI, COMP, and BAL trading freely on exchanges, wealthy groups and individuals (“whales”) can corner significant market share and boost voting power. Thus timelocks are key to preserving a key quality of DeFi governance, namely that no minority party can unilaterally force a decision on the rest. 

Implementing a timelock also protects against unforeseen scenarios, such as social engineering attacks targeted at addresses with special governance-related powers. Depending on the delay threshold, a timelock can give developers and security experts enough time to implement mitigating measures (like pausing core smart contracts) if attackers gain unauthorized access to administrative powers. 

On-chain governance systems rely on smart contracts, increasing their susceptibility to problems arising due to errors in code. This makes it imperative to run extensive tests and validate the correctness of governance logic before inviting the community to use it. MixBytes’ DAO Voting Vulnerabilities covers this topic exhaustively, but we’ll mention some relevant logic errors to watch out for:

• Double-voting: Ensure addresses cannot vote twice with the same token or transfer a token to another address and use it to vote on the same proposal 

• Incorrectly calculated voting weights: If addresses are allowed to re-vote during the voting period, the final distribution should reflect changes in a voter’s preferences

• Improper delegation: It shouldn’t be possible to delegate tokens to increase the voting weight of an address and then re-delegate tokens to another address within the voting period (after the previous address voted already) 

• Reentrancy: It should be impossible to reenter a voting function, otherwise a hacker can artificially boost votes for a particular proposal 

Note: Implementing precondition checks (using require statements in Solidity) can solve most problems identified above. 

Although creating a governance system from scratch is possible, reusing components from battle-tested governance frameworks is good for security. A custom governance system promises more flexibility, but it may introduce vulnerabilities. 

For context, popular governance frameworks like Aragon, Governor Bravo, X-DAO, and Colony benefit from years of development, testing, and auditing from the community. Using such tools is usually a good idea, especially if you want to simplify development and provide your community with stronger security guarantees.

Transparency improves the integrity of DeFi governance and guarantees the legitimacy of governance decisions. But transparency is also useful from a security perspective. Reducing opacity around protocol governance (a) reduces the risk of attackers exploiting information asymmetries to manipulate governance processes for personal benefit and (b) empowers the community to collectively secure the system. 

Documenting key aspects of your protocol’s governance is an ideal way to promote transparency and accountability. 

Here are some details to consider including when creating documentation for governance systems:

• Key governance components—governance contracts, multisig wallets, oracles, off-chain voting tooling, etc—and the interactions between those components 

• Privileged roles in the system (including their responsibilities and powers)

• Potential adversarial situations and preventive/mitigative measures 

• Governance-related workflows (delegations, proposals, voting, etc.)

• Information about governance processes that should be publicly available, such as voting periods, voting delays, proposal implementation timelines, and so on. 

For example, Uniswap’s documentation details various adversarial circumstances and possible mitigating measures. Similarly, stablecoin protocol Maker highlights “failure modes” that could negatively impact the protocol’s governance system. 

Perhaps the most important “best practice” is to have others independently review components of your project’s governance system. Audits, bug bounties, and vulnerability disclosure programs are avenues worth exploring if you need help with detecting and mitigating vulnerabilities in governance modules. 

Audits are even more important because auditors don’t merely focus on vulnerabilities in governance contracts. For instance, auditors may reason about complex game-theoretic attacks and flawed interactions between on- and off-chain systems that could put protocol governance at risk. 

Decentralized governance is critical to keeping DeFi projects responsive to the community’s wishes and long-term aligned with users/investors/contributors. It is, however, important to be pragmatic and design governance systems with a security-first mindset. 

We’ve covered different strategies for designing secure DeFi governance systems, including implementing anti-flash loan protections, using timelocks to delay proposal execution, and improving access controls. Documenting governance processes, integrating battle-tested governance frameworks, and validating correctness of governance logic can also prove invaluable to keeping governance protocols safe from exploits. 

Finally, consider getting an audit to assess the security of your governance system before launching it for public use. 

Get in touch with Halborn for additional help in designing secure DeFi governance systems.