The DAO Illusion: Are We Being Played by the Whales?

From flash loans to whale power grabs, explore the vulnerabilities and flaws within today's decentralized systems.

TL;DR: DAOs claim to champion decentralized decision-making, but in practice, they often empower the richest players. This exposé uncovers how whales manipulate DAO governance, spotlighting cases like Compound's Humpy, MakerDAO's flash loan debacle, and Mochi Inu's audacious Curve attack. These incidents lay bare the systemic flaws and vulnerabilities in today's so-called "decentralized" structures.

One of the core principles of "crypto" or "web3," regardless of the term you prefer, is decentralization. The concept is simple yet profound. Rather than relying on a centralized board of directors or a single decision-maker, why not empower an entire decentralized network to make the decisions collectively? That’s the main idea behind decentralized autonomous organizations (DAOs).

Most decentralized protocols are supposedly governed by DAOs, where token holders make all the decisions. The theory is that these stakeholders, having skin in the game, will make decisions that benefit the protocol.

On paper, it sounds ideal. But here's the catch: your voting power is directly tied to the number of tokens you stake.

In essence, more tokens = more control.

This setup inevitably favors the whales, creating a system that pretends to be decentralized but is actually anything but. Today, we’ll expose two blatant instances where whales have shamelessly exploited this rigged system to bend votes to their will.

Compound: How Humpy Exposed the Cracks in DAO

On July 28th, 2024, Compound's DAO passed a controversial proposal that pretty much exemplifies this issue. A notorious Compound whale known as Humpy directed a whopping 499,000 COMP tokens—worth ~$25M at the time—into a yield-bearing protocol controlled by his group, the "Golden Boys."

Why was this such a big deal? It pretty much gave the Golden Boys near-total control over Compound’s governance, effectively turning a decentralized protocol into their personal fiefdom.

A Sketchy History

Keep in mind, this wasn’t the first time Humpy tried something like this.

He has tried and failed to push similar proposals before, seeking 92,000 COMP each time. His notorious history includes clashes with the Balancer community in 2022 and accusations of governance manipulation with Sushi.

Humpy’s takeover of Compound governance exposes the glaring weaknesses in DAO structures. While DAOs are touted as the epitome of decentralized decision-making, the reality is often far from the ideal. Voting power directly tied to token holdings turns governance into a playground for the wealthy. 

This so-called "decentralization" is easily hijacked by whales like Humpy, who can accumulate tokens and push their agendas with impunity.

A “DAO Raid”

This blatant power grab has sparked outrage in the COMP community. Many have argued that this is akin to a "DAO corporate raid." In the traditional financial world, such manipulative tactics would be deemed illegal. However, DAOs operate in a legal grey area, allowing whales to exploit governance systems for personal gain under the guise of decentralized decision-making.

To prevent future attacks, some propose more robust mechanisms, such as a "tribune of the plebs" approach that grants a veto power to block proposals that do not come from whitelisted wallets.

Regardless, Humpy’s power play at Compound Finance is a wake-up call for the entire DeFi space. 

MakerDAO

In 2020, a MakerDAO governance vote was manipulated through the use of a flash loan by B Protocol as they sought whitelist access to MakerDAO’s price oracle.

Flash loans are a type of loan in the decentralized finance (DeFi) world where you can borrow money without putting up any collateral as security. Here's the twist: you have to borrow and pay back the loan within the same transaction. If you can't pay back the loan in that short time, the whole transaction is canceled as if it never happened. This makes flash loans a unique and powerful tool, but also risky if used improperly.

On October 23, 2020, B Protocol submitted a proposal for approval. Three days later, they executed a multi-step transaction, borrowing synthetic Ether as collateral to secure $7 million worth of MKR tokens. These MKR tokens were used to pass the vote and were then returned to the lenders.

For their part, B Protocol was transparent about their actions, informing MakerDAO of the voting irregularities as soon as they became aware.

Discussions began to implement countermeasures against the malicious use of flash loans in governance. Immediate steps included giving MKR holders extra time to react to attacks and disabling certain functions for governance participants.

This incident is interesting for two reasons:

  1. The incident happened with MakerDAO, widely regarded as one of the best-governed DAOs.

  2. DAO votes could be easily maneuvered by flash loans.
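The weakness behind a flash-loan vote can be shown with a small model of a token ledger that counts votes either from live balances or from balances recorded at an earlier block. This is an added example, not code from MakerDAO or B Protocol: the ledger, holder names and block numbers are constructed, and reading voting weight from a block before the vote is a commonly used mitigation assumed here, not one the article attributes to MakerDAO.

```python
# Constructed model: names, balances and block numbers are illustrative only.
from bisect import bisect_right

class CheckpointedToken:
    """Token ledger that records each holder's balance history by block."""
    def __init__(self):
        self.block = 0
        self.history = {}  # holder -> list of (block, balance), ascending

    def balance_at(self, holder, block):
        """Balance as of the end of `block` (0 if no earlier checkpoint)."""
        points = self.history.get(holder, [])
        i = bisect_right(points, (block, float("inf")))
        return points[i - 1][1] if i else 0

    def balance(self, holder):
        return self.balance_at(holder, self.block)

    def _set(self, holder, amount):
        points = self.history.setdefault(holder, [])
        if points and points[-1][0] == self.block:
            points[-1] = (self.block, amount)   # same block: overwrite
        else:
            points.append((self.block, amount))

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise ValueError("insufficient balance")
        self._set(src, self.balance(src) - amount)
        self._set(dst, self.balance(dst) + amount)

def tally(token, voters, snapshot_block=None):
    """Sum voting weight from live balances, or from a past snapshot block."""
    if snapshot_block is None:
        return sum(token.balance(v) for v in voters)
    return sum(token.balance_at(v, snapshot_block) for v in voters)

def simulate():
    token = CheckpointedToken()
    token._set("lender", 10_000)   # liquidity pool (constructed)
    token._set("holder", 300)      # long-term voter (constructed)
    token.block = 8                # one transaction: borrow, vote, repay
    token.transfer("lender", "borrower", 10_000)
    live = tally(token, ["borrower"])                    # weight seen mid-transaction
    snap = tally(token, ["borrower"], snapshot_block=4)  # weight at an earlier block
    token.transfer("borrower", "lender", 10_000)         # loan repaid in same block
    honest = tally(token, ["holder"], snapshot_block=4)
    return live, snap, honest
```

With live balances the borrowed tokens outvote the long-term holder for the length of one transaction; with the earlier snapshot they carry no weight at all.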

Mochi Inu and Curve Wars

In November 2021, Mochi Inu, a relatively new DeFi project, launched a bold governance hack against Curve. The goal? To siphon rewards from Convex Finance, a yield farming protocol built on Curve, straight into Mochi Inu's pockets.

Mochi Inu orchestrated a Curve Pool that lured in a staggering $170.2 million in stablecoins and their own USDM. Mochi swapped $46 million in USDM for DAI, then converted DAI to ETH, and used the ETH to amass a colossal hoard of CRV tokens. These CRV tokens were then locked to produce veCRV, the voting token in the Curve ecosystem, granting Mochi Inu significant sway in Curve’s governance. The strategy? Inflate rewards to their pool, draw in more investment, buy more CRV, and rinse and repeat, creating a vicious cycle of escalating control.

Curve’s Response

Curve wasted no time in retaliating. They assembled an Emergency DAO, a rapid-response team with limited governance powers over CRV reward emissions, and swiftly cut off the rewards to Mochi Inu's pool, putting a halt to the governance attack. This unprecedented action shone a glaring light on the severe security flaws in DeFi governance.

Mochi Inu’s audacious move revealed just how frighteningly easy it is to exploit governance mechanisms. Critics argue that Mochi’s scheme was a cunning manipulation of existing loopholes in Curve’s governance model. But if these loopholes can be exploited so easily, it raises serious, uncomfortable questions about the very foundation of these models. Why do these gaping vulnerabilities exist in the first place? How can we trust such flawed governance structures to oversee multi-billion-dollar protocols?

The M6 Take

Here are some key takeaways and insights:

  • Centralization Risks in a Decentralized System: Even in supposedly decentralized systems, power can easily become centralized in the hands of a few. The principle of "one token, one vote" inherently favors those with more resources, leading to a new form of centralization.

  • Governance Vulnerabilities: The use of flash loans and large token holdings to manipulate votes demonstrates how easily governance mechanisms can be hijacked, leading to decisions that do not reflect the true will of the community.

  • Need for Robust Safeguards: To protect the integrity of decentralized governance, more robust safeguards must be implemented. Ideas like time-lock mechanisms, quorum requirements, and veto powers for minority token holders could help prevent governance takeovers. The concept of a "tribune of the plebs" to counterbalance whale influence is worth exploring further.

  • Transparency and Accountability: While B Protocol was transparent about their use of flash loans, not all actors will be. Ensuring that all governance actions are transparent and accountable can help deter malicious activities and build trust within the community.

  • Community Engagement: Active community engagement and education are vital. Ensuring that all token holders are informed and involved in governance can help mitigate the risk of manipulation. Encouraging a culture of participation and vigilance can empower the community to safeguard its protocols.

The ultimate goal of decentralized governance is to create systems that are resilient, fair, and truly representative of the community's interests. Continuous innovation and adaptation in governance models are essential to achieving this vision. By learning from past mistakes and actively seeking improvements, the DeFi space can build more robust and democratic governance structures.
