A DAO governance attack is any manoeuvre that turns a decentralized organization's own decision-making machinery against it — capturing enough voting power, or exploiting the code that counts it, to pass a proposal the community never wanted, usually to drain the treasury. Because a DAO holds its funds in a public smart contract steered by a vote rather than by trusted officers, its governance is its attack surface: anyone who can acquire, borrow, or manufacture voting weight is a candidate attacker, and the contract executes the result without a referee. This page catalogs the recurring attack families with their landmark case studies, then the defenses that have become standard practice.
Why DAOs are uniquely exposed
Three properties that make DAOs attractive also make them fragile. Their treasuries are large and transparent — a would-be attacker can read the exact prize on-chain. Their control rule is mechanical — a proposal that clears the threshold executes automatically, with no board to say "this is obviously theft." And voting power is usually a liquid, purchasable token — the same tradability that bootstraps a community lets an outsider buy or rent influence on the open market. As a16z crypto puts it, a governance token is not just a coordination tool but "an attack vector" the moment its market price of control falls below the value it controls.
The attack taxonomy
Flash-loan vote seizure. The fastest attack borrows the voting power outright. In the April 2022 Beanstalk exploit, an attacker flash-borrowed more than $1 billion in stablecoins, converted it to a super-majority of Beanstalk's governance token, and used the protocol's emergencyCommit function to instantly pass a proposal (BIP-18) that transferred roughly $182 million of reserves to their own wallet — all inside a single transaction, netting about $76 million after repaying the loan (Halborn analysis). The enabling flaw was the absence of a meaningful execution delay: voting power that exists for one block should never be able to move funds in that same block.
Open-market or custodial token acquisition. A patient attacker simply buys control. When Justin Sun acquired Steemit in 2020, the community moved to freeze his stake; Sun allegedly used exchange-custodied user tokens from Binance, Huobi and Poloniex to out-vote the existing witnesses, and the community forked away to Hive in response. The 2024 Compound "Golden Boys" episode was a subtler variant: a group led by "Humpy" accumulated COMP on the open market and narrowly passed Proposal 289, directing 499,000 COMP (~$24 million) into a yield vault under their influence, over the objections of core delegates — before public pressure forced them to rescind it. It showed that a bare majority, lawfully acquired, can still be a capture.
Slow Sybil accumulation. The quietest attack spreads a growing position across many anonymous wallets that behave like ordinary holders, avoiding the alarm a single whale would trigger, until the aggregate crosses a decision threshold. It is hard to detect precisely because each account looks legitimate, and it targets the same weakness as a low-turnout raid: when most holders are apathetic, a modest coordinated minority can decide a vote.
Oracle manipulation feeding governance. In the October 2022 Mango Markets exploit, Avraham Eisenberg manipulated the price oracle for the MNGO token to drain roughly $117 million, then used the MNGO he still held to vote through a governance proposal letting him keep about $47 million as a "bug bounty" and seeking immunity — laundering a market exploit through the DAO's own ballot. (A jury convicted Eisenberg in 2024; a federal judge overturned the convictions in 2026, a reminder that the legal status of these attacks is still unsettled.)
Code exploits of the governance contract itself. The original cautionary tale is The DAO (2016): not a vote-capture at all but a reentrancy bug in the withdrawal logic that let an attacker recursively drain about 3.6 million ETH (~$60 million then), an event so large it split Ethereum into ETH and Ethereum Classic. It is the permanent reminder that the safest governance rule is still only as safe as the contract implementing it.
Defenses that became standard
No single control is sufficient; mature DAOs layer several, and the widely-used OpenZeppelin Governor framework ships most of them by default.
- Timelocks / execution delay. A mandatory delay between a vote passing and the action executing gives holders time to see a malicious proposal and react — the single control whose absence made Beanstalk possible.
- Voting-power snapshots. Counting each voter's weight as of a past block (the proposal's creation) rather than live means tokens borrowed after a proposal is filed carry no weight — the standard structural answer to flash-loan seizure.
- Proposal thresholds and quorum. Requiring a minimum stake to submit a proposal, and minimum participation for one to count, raises the cost of spam and low-turnout raids.
- Guardian vetoes and security councils. A trusted multisig or elected council that can cancel a clearly-malicious proposal within the timelock window — as Nouns and others use — trades a little decentralization for a circuit-breaker.
- Limiting governance scope. The most robust defense is architectural: if governance simply cannot express "transfer all reserves to this address," the most valuable attack has no proposal to ride. Restricting what a vote is allowed to do shrinks the attack surface more than any amount of vote-counting cleverness.
For a fuller academic treatment, see the 2025 survey on DAO governance attacks and defenses.
How Caper approaches this
A caper is built so that several of these defenses are structural rather than optional. Governance scope is bounded by construction: a proposal can only be a PAYOUT, INVEST, or VOTE action, so there is no "call this arbitrary contract and drain the vault" proposal to ride — the single most valuable attack simply cannot be expressed. Voting weight is the product of a member's stake and their earned, non-transferable participation tokens (minted one per vote and locked to the account), so a stack of governance tokens that just arrived — flash-borrowed or freshly bought — carries little to no weight until it has actually shown up over time, which capital cannot fake. Passing an executive proposal needs a ranked-choice super-majority, not a bare 50%, and execution only fires after a mandatory delay window following the vote's close. And because every member can always exit for their pro-rata share of the treasury, even a captured vote cannot seize the value other members are entitled to redeem. The exact mechanics are verified against the caper contract and described on the linked proposal and voting pages.