A **Decentralized Autonomous Organization (DAO)** is a collective governed entirely by code and rules written on a smart contract. Decisions are made by token holders voting on proposals.
Imagine a country where there are no politicians, only voters, and every law change is proposed, voted on, and automatically executed by a non-stop, self-funding computer program (the smart contract). That is a DAO.
While DAOs solve the problem of central authority, they introduce new security flaws: **Governance Vulnerabilities**. If an attacker can control the vote, they can force the DAO's smart contract to transfer all its treasury funds to them.
In most DAOs, your voting power is directly proportional to the number of governance tokens you hold (1 Token = 1 Vote). This mechanism is vulnerable to a **"Whale Attack."**
If a single person or cartel (a "whale") controls over 50% of the voting tokens, they can approve any proposal, no matter how harmful, without needing anyone else's permission. The DAO is no longer decentralized; it is controlled by the whale.
The biggest DAOs hold billions of dollars in their treasuries, which makes them enormous targets for anyone able to acquire a controlling stake of their governance tokens.
There are 100,000 total tokens in this DAO. A hostile whale needs over 50% of the vote (50,001 tokens) to pass a proposal that transfers 100% of the treasury.
- Total Available Votes: **100,000**
- Remaining Unused Votes: 10,000
- Required Quorum (Minimum Participation): **20,000 Votes**
- Threshold to Pass: **50,001 FOR Votes**
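The arithmetic above can be turned into a small calculator. The following is an added example, not code from the lesson: it uses the lesson's constructed numbers (100,000 tokens, a 20,000-vote quorum, a 50,001-vote threshold) and asks how many tokens a hostile whale must hold to force a proposal through when everyone else who turns up votes against it. It also models the weaker rule many DAOs actually use, a simple majority of the votes cast gated only by quorum, to show why turnout matters.

```python
# Added example (not part of the lesson): how many tokens a hostile whale
# must hold to force a proposal through, using the lesson's numbers.
# Constructed parameters: 100,000 total tokens, quorum 20,000, and a fixed
# threshold of 50,001 FOR votes.
from typing import Optional

TOTAL_SUPPLY = 100_000
QUORUM = 20_000
ABSOLUTE_THRESHOLD = 50_001


def proposal_passes(for_votes: int, against_votes: int, *,
                    quorum: int = QUORUM,
                    absolute_threshold: Optional[int] = ABSOLUTE_THRESHOLD) -> bool:
    """Two counting rules are modelled:
    - absolute_threshold given: FOR votes must reach a fixed count of the
      supply (the lesson's 50,001 rule);
    - absolute_threshold None: simple majority of the votes actually cast,
      gated only by quorum (the weaker rule that the quorum defense is meant
      to shore up in low-turnout votes).
    """
    if for_votes + against_votes < quorum:
        return False
    if absolute_threshold is not None:
        return for_votes >= absolute_threshold
    return for_votes > against_votes


def tokens_needed_by_attacker(honest_against_votes: int, *,
                              quorum: int = QUORUM,
                              absolute_threshold: Optional[int] = ABSOLUTE_THRESHOLD) -> int:
    """Smallest FOR stake that passes the proposal when every other
    participant who shows up votes AGAINST. Raises if no stake that is still
    available within the supply can do it."""
    for stake in range(TOTAL_SUPPLY - honest_against_votes + 1):
        if proposal_passes(stake, honest_against_votes,
                           quorum=quorum, absolute_threshold=absolute_threshold):
            return stake
    raise ValueError("no stake within the supply passes this proposal")


def is_whale(holding: int, total_supply: int = TOTAL_SUPPLY) -> bool:
    """Strict majority of all tokens: under the 50,001 rule such a holder
    passes anything regardless of how everyone else votes."""
    return 2 * holding > total_supply


if __name__ == "__main__":
    print("fixed 50,001 threshold, everyone else against:",
          tokens_needed_by_attacker(49_999))
    print("majority-of-cast rule, only 5,000 honest votes:",
          tokens_needed_by_attacker(5_000, absolute_threshold=None))
```

With the fixed threshold the attacker always needs 50,001 tokens. Under the majority-of-cast rule the same attacker needs only 15,000 tokens when 5,000 honest votes are cast, and exactly the quorum (20,000) when nobody else votes at all, which is the low-turnout weakness the quorum requirement is meant to limit.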
A governance attack rarely happens with a straight majority vote. It's often masked by a legitimate-looking proposal with a hidden, malicious action.
A DAO proposal doesn't just pass text; it often passes a set of instructions (code) for the main smart contract to execute. If a proposal looks harmless on the front end but contains a malicious function call in the background, the DAO can be drained.
**Example:** A proposal is titled "Upgrade Voting Efficiency", but its code is `DAO_Treasury.transfer(Attacker_Address, ALL_FUNDS);`
A proposal titled "Fee Structure Optimization" is up for vote. The underlying code is complex, but one line is highly suspicious. **Click the line of code that looks vulnerable or malicious.**
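Reviewing a proposal means reading the actions it will execute, not its title. The following is an added example, not code from the lesson: it models a proposal as a list of contract calls and flags any call that moves treasury funds to an address outside an allowlist, exceeds a payout cap, or changes who controls a contract. The addresses, function names, cap and amounts are constructed placeholders; the "Fee Structure Optimization" proposal below is built to mirror the lesson's scenario, with a hidden transfer after two legitimate-looking fee changes.

```python
# Added example (not part of the lesson): a reviewer's check that walks the
# actions a proposal would execute and flags the ones that can move treasury
# funds or hand over control. All addresses, function names and amounts are
# constructed placeholders, not real contracts.
from dataclasses import dataclass
from typing import List, Tuple

TREASURY = "0xTREASURY"                      # constructed placeholder
APPROVED_PAYEES = {"0xGRANTS_MULTISIG"}       # constructed allowlist
MAX_SINGLE_PAYOUT = 1_000_000                 # constructed policy cap
FUND_MOVING = {"transfer", "approve"}         # both take (address, amount)
CONTROL_CHANGING = {"upgradeTo", "setOwner", "setAdmin", "setGovernor"}


@dataclass(frozen=True)
class Action:
    target: str            # contract the DAO will call on execution
    function: str          # function to call, by name
    args: Tuple            # call arguments


@dataclass
class Proposal:
    title: str
    actions: List[Action]


def review_proposal(p: Proposal) -> List[str]:
    """Return one finding per action that needs a human look; an empty list
    means no treasury-moving or control-changing call was found."""
    findings = []
    for i, a in enumerate(p.actions):
        if a.target == TREASURY and a.function in FUND_MOVING:
            recipient, amount = a.args[0], a.args[1]
            if recipient not in APPROVED_PAYEES:
                findings.append(f"action {i}: treasury.{a.function} sends "
                                f"{amount} to unlisted address {recipient}")
            elif amount > MAX_SINGLE_PAYOUT:
                findings.append(f"action {i}: treasury.{a.function} of {amount} "
                                f"exceeds the {MAX_SINGLE_PAYOUT} single-payout cap")
        if a.function in CONTROL_CHANGING:
            findings.append(f"action {i}: {a.target}.{a.function}{a.args} "
                            f"changes who controls the contract")
    return findings


# Constructed proposal mirroring the lesson: harmless title, hidden drain.
FEE_PROPOSAL = Proposal(
    title="Fee Structure Optimization",
    actions=[
        Action("0xFEE_MODULE", "setProtocolFee", (25,)),
        Action("0xFEE_MODULE", "setFeeRecipient", (TREASURY,)),
        Action(TREASURY, "transfer", ("0xATTACKER", 50_000_000)),  # the suspicious line
    ],
)

# Constructed proposal that pays an allowlisted payee within the cap.
HONEST_PROPOSAL = Proposal(
    title="Q3 Grants Payout",
    actions=[Action(TREASURY, "transfer", ("0xGRANTS_MULTISIG", 250_000))],
)

if __name__ == "__main__":
    for prop in (FEE_PROPOSAL, HONEST_PROPOSAL):
        print(prop.title, "->", review_proposal(prop) or "no findings")
```

The check is deliberately mechanical: a title is free text, while the action list is what the governor contract will actually execute, so the review keys on targets, function names and recipients rather than on wording.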
Smart contracts are immutable, but their governance rules can be designed to withstand attacks. This requires setting secure parameters.
| Defense Mechanism | Description | Security Benefit |
|---|---|---|
| **Quorum Requirement** | A minimum percentage of total tokens must participate in the vote for it to be valid. | Prevents attacks by whales in low-turnout votes. |
| **Timelock Delay** | Once a proposal passes, the execution is delayed (e.g., 48 hours), giving the community time to react to a malicious proposal. | Provides a "panic button" period for white hats to coordinate defense or a rescue plan. |
| **Conviction Voting** | Voting power is not just based on *amount*, but also *how long* the tokens have been staked, favoring long-term, stable members. | Increases the cost and time for an attacker to acquire sufficient voting power. |
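The three defenses in the table can be combined in one proposal lifecycle. The following is an added example, not code from the lesson or any real governor contract: a small in-memory governor that enforces a quorum, queues passed proposals behind a timelock during which they can be cancelled, and weights votes by how long tokens have been staked. The time-weighting is a deliberate simplification of conviction voting (weight ramps linearly to the full token amount over a configurable staking age); the parameter values and the two scenarios are constructed.

```python
# Added example (not part of the lesson): an in-memory governor combining a
# quorum, a timelock with cancellation, and stake-age-weighted voting power.
# The weighting rule is a simplification of conviction voting (assumption).
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set

DAY = 86_400  # seconds


class State(Enum):
    ACTIVE = "active"
    DEFEATED = "defeated"
    QUEUED = "queued"        # passed, waiting out the timelock
    CANCELLED = "cancelled"
    EXECUTED = "executed"


@dataclass
class Stake:
    amount: int   # governance tokens locked
    since: int    # timestamp the tokens were staked


@dataclass
class Proposal:
    title: str
    voting_ends: int
    for_votes: int = 0
    against_votes: int = 0
    eta: Optional[int] = None        # earliest execution time once queued
    state: State = State.ACTIVE
    voters: Set[str] = field(default_factory=set)


@dataclass
class Governor:
    quorum: int              # minimum weighted votes cast for a valid vote
    timelock_delay: int      # seconds between passing and execution
    full_weight_after: int   # stake age at which tokens carry full weight

    def voting_power(self, stake: Stake, now: int) -> int:
        # Weight ramps linearly from 0 to the full amount over full_weight_after.
        age = max(0, now - stake.since)
        return stake.amount * min(age, self.full_weight_after) // self.full_weight_after

    def vote(self, p: Proposal, voter: str, stake: Stake, support: bool, now: int) -> int:
        if p.state is not State.ACTIVE or now >= p.voting_ends:
            raise ValueError("voting is closed")
        if voter in p.voters:
            raise ValueError("already voted")
        power = self.voting_power(stake, now)
        p.voters.add(voter)
        if support:
            p.for_votes += power
        else:
            p.against_votes += power
        return power

    def finalize(self, p: Proposal, now: int) -> State:
        """Close the vote: queue behind the timelock if it passed, else defeat."""
        if p.state is not State.ACTIVE or now < p.voting_ends:
            raise ValueError("voting still open")
        if p.for_votes + p.against_votes >= self.quorum and p.for_votes > p.against_votes:
            p.state, p.eta = State.QUEUED, now + self.timelock_delay
        else:
            p.state = State.DEFEATED
        return p.state

    def cancel(self, p: Proposal) -> State:
        """The 'panic button': a queued proposal can be cancelled before eta."""
        if p.state is not State.QUEUED:
            raise ValueError("only queued proposals can be cancelled")
        p.state = State.CANCELLED
        return p.state

    def execute(self, p: Proposal, now: int) -> bool:
        if p.state is not State.QUEUED or now < p.eta:
            return False  # not passed, cancelled, or timelock not yet elapsed
        p.state = State.EXECUTED
        return True


def whale_scenario() -> dict:
    """Constructed: a whale stakes 60,000 tokens one day before voting; three
    members who staked a year ago hold 10,000 each and vote against."""
    gov = Governor(quorum=20_000, timelock_delay=2 * DAY, full_weight_after=90 * DAY)
    p = Proposal("Fee Structure Optimization", voting_ends=7 * DAY)
    now = 6 * DAY
    whale_power = gov.vote(p, "whale", Stake(60_000, since=now - DAY), True, now)
    for name in ("alice", "bob", "carol"):
        gov.vote(p, name, Stake(10_000, since=-365 * DAY), False, now)
    return {"whale_power": whale_power, "for": p.for_votes,
            "against": p.against_votes, "outcome": gov.finalize(p, p.voting_ends)}


def timelock_scenario() -> tuple:
    """Constructed: a proposal passes, then is cancelled during the timelock."""
    gov = Governor(quorum=20_000, timelock_delay=2 * DAY, full_weight_after=90 * DAY)
    p = Proposal("Upgrade Voting Efficiency", voting_ends=7 * DAY)
    gov.vote(p, "alice", Stake(30_000, since=-365 * DAY), True, DAY)
    gov.finalize(p, 7 * DAY)          # queued, eta = 9 days
    early = gov.execute(p, 8 * DAY)   # False: still inside the timelock
    gov.cancel(p)                     # community spots the hidden transfer
    late = gov.execute(p, 10 * DAY)   # False: cancelled
    return p.state, p.eta, early, late
```

In the whale scenario the freshly staked 60,000 tokens carry only 666 votes of weight after one day, so the three long-term members defeat the proposal; in the timelock scenario a passed proposal cannot be executed before its eta and, once cancelled, not at all. Raising `full_weight_after` or `timelock_delay` makes governance slower but gives defenders more time and raises the attacker's cost, which is the trade-off the configuration exercise that follows asks you to weigh.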
You are configuring a new DAO. You must choose the parameters that maximize security, even if they slow down governance.
**Quorum Setting:**
**Timelock Setting:**
Question 1: The core security threat in a 1-Token, 1-Vote DAO system is the ability for a single entity to:
Question 2: What crucial defense mechanism provides the community with a "panic button" time to stop a malicious, passed proposal?
Question 3: What is a **Quorum Requirement** designed to prevent?
Question 4: In a malicious proposal, where is the dangerous code often hidden?
Question 5: What mechanism favors long-term, committed token holders?