We categorize attacks on DAOs into four categories: (i) bribing (BR) attacks, (ii) token control (TC) attacks, (iii) human-computer interaction (HCI) attacks, and (iv) code and protocol vulnerability (CP) attacks.
In a bribing (BR) attack, an attacker pays to change votes or to acquire voting power without acquiring the underlying governance tokens. The controlled votes and voting power are then utilized to pass a malicious proposal in a governance vote.
Bribing Token Holders or Delegates (BR1)
Vote Buying Protocols (BR2)
In a token control (TC) attack, an attacker acquires, or already holds, a significant amount of governance tokens. The attacker then uses the voting power associated with these tokens to get their malicious proposal accepted in a governance vote.
Token Purchase (TC1)
Token Loan (TC2)
Flash Loan (TC3)
Whale Activation (TC4)
Majority Coalition (TC5)
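The token control attacks above differ in how long the attacker actually holds the tokens: a purchase or loan (TC1, TC2) gives durable voting power, while a flash loan (TC3) gives it only for a single block. The standard defence against the single-block case is to measure voting power from a balance checkpoint taken at proposal creation rather than from the live balance at vote time. The simulation below is an added illustration written for this page, not code from the paper or from any DAO; the token, accounts, balances, block numbers and 40 % quorum are constructed values, and the checkpointing mirrors the ERC20Votes-style past-balance lookup used by common governor contracts.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Minimal governance token that writes a balance checkpoint on every
    change, the mechanism behind ERC20Votes-style past-balance lookups."""
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # account -> [(block, balance)]
    total_supply: int = 0

    def mint(self, account: str, amount: int, block: int) -> None:
        self._checkpoint(account, self.balances.get(account, 0) + amount, block)
        self.total_supply += amount

    def transfer(self, src: str, dst: str, amount: int, block: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot transfer {amount}")
        self._checkpoint(src, self.balances[src] - amount, block)
        self._checkpoint(dst, self.balances.get(dst, 0) + amount, block)

    def _checkpoint(self, account: str, new_balance: int, block: int) -> None:
        self.balances[account] = new_balance
        self.history.setdefault(account, []).append((block, new_balance))

    def balance_at(self, account: str, block: int) -> int:
        """Balance at the end of `block`: the last checkpoint written at or
        before that block (checkpoints are appended in block order)."""
        balance = 0
        for checkpoint_block, value in self.history.get(account, []):
            if checkpoint_block > block:
                break
            balance = value
        return balance


@dataclass
class Proposal:
    snapshot_block: int  # block whose balances define voting power
    votes_for: int = 0
    votes_against: int = 0
    voted: set = field(default_factory=set)


def cast_vote(token: Token, proposal: Proposal, voter: str, support: bool,
              use_snapshot: bool) -> int:
    """Tally one vote and return its weight. With use_snapshot the weight is
    the voter's balance at the proposal's snapshot block; without it, the
    live balance at vote time (the weak design)."""
    if voter in proposal.voted:
        raise ValueError(f"{voter} already voted")
    proposal.voted.add(voter)
    if use_snapshot:
        weight = token.balance_at(voter, proposal.snapshot_block)
    else:
        weight = token.balances.get(voter, 0)
    if support:
        proposal.votes_for += weight
    else:
        proposal.votes_against += weight
    return weight


def passes(token: Token, proposal: Proposal, quorum_pct: int = 40) -> bool:
    """Simple majority with a quorum expressed as a share of total supply."""
    quorum = token.total_supply * quorum_pct // 100
    return proposal.votes_for >= quorum and proposal.votes_for > proposal.votes_against


def simulate_flash_loan_vote(use_snapshot: bool) -> bool:
    """Constructed scenario: a lending pool holds most of the supply; the
    attacker borrows it, votes and repays within block 11. The proposal was
    created in block 10. Returns whether the proposal passes."""
    token = Token()
    token.mint("alice", 300, block=1)
    token.mint("bob", 100, block=1)
    token.mint("lending_pool", 600, block=1)
    proposal = Proposal(snapshot_block=10)

    # Honest holders vote against in block 11.
    cast_vote(token, proposal, "alice", support=False, use_snapshot=use_snapshot)
    cast_vote(token, proposal, "bob", support=False, use_snapshot=use_snapshot)

    # Same-block borrow, vote, repay: the attacker's balance outside block 11 is 0.
    token.transfer("lending_pool", "attacker", 600, block=11)
    cast_vote(token, proposal, "attacker", support=True, use_snapshot=use_snapshot)
    token.transfer("attacker", "lending_pool", 600, block=11)

    return passes(token, proposal)


if __name__ == "__main__":
    print("live-balance voting, proposal passes:", simulate_flash_loan_vote(use_snapshot=False))
    print("snapshot voting, proposal passes:    ", simulate_flash_loan_vote(use_snapshot=True))
```

With live balances the borrowed 600 tokens outvote the 400 honest votes and clear the quorum; with the snapshot at block 10 the attacker's weight is 0 and the proposal fails. The snapshot only neutralises power acquired after the snapshot block, so it does nothing against tokens bought or borrowed beforehand (TC1, TC2) or against a whale that already held them (TC4, TC5); those cases need other controls, such as an execution timelock that gives the community time to react before a passed proposal takes effect.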
Human-computer interaction (HCI) attacks aim to manipulate the voting process by exploiting user-facing interfaces and applications or human behaviors involved in the DAO's voting process.
User Interface Issues (HCI1)
Proposal Obfuscation (HCI2)
Proposal Spam (HCI3)
Social Infiltration (HCI4)
Behavioral Manipulations (HCI5)
Code and protocol vulnerability (CP) attacks exploit code or logic vulnerabilities, either in the governance smart contracts or the protocols they are connected to.
Code Vulnerability (CP1)
Protocol Vulnerability (CP2)