DeFi Governance Attack Detection System
Governance attacks are an often underestimated threat class. But governance is a backdoor to any protocol: a successful attack gives the attacker the right to change any parameter, drain the treasury, or upgrade contracts to malicious versions.
Beanstalk Farms ($182M, April 2022): the attack was executed through the legitimate governance process. The attacker used a flash loan to obtain a vote majority and passed a malicious proposal immediately.
Attack Types
Class 1: Flash Loan Governance - Borrow tokens, vote, and return them in the same transaction. Works when there is no voting delay.
Class 2: Whale Accumulation - Gradually accumulate tokens, then attack. Detection: anomalously fast accumulation patterns.
Class 3: Bribe and Coercion - Bribe delegates via Hidden Hand or Votium. Detection: spike in bribe activity.
Class 4: Coordination - Multiple seemingly independent addresses vote in a coordinated way. Detection: graph analysis of funding sources.
Class 5: Proposal Complexity - A malicious effect hidden in a complex proposal. Detection: automatic simulation.
On-Chain Components
Vote Weight Detector
Monitors changes in voting power and flags whale votes (more than 20% of quorum).
Proposal Simulation
Automatically simulates proposal execution. Detects: treasury drain, ownership changes, unknown upgrades.
Off-Chain Analytics
Graph analysis finds common funders. Bribe activity is monitored on Votium and Hidden Hand.
Alert Levels
INFO: New proposal
MEDIUM: Whale vote
HIGH: Rapid accumulation
CRITICAL: Simulation shows drain
The guardian multisig can only cancel proposals, which preserves decentralization.
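A sketch of how the Vote Weight Detector and the common-funder analysis could map votes to the MEDIUM and HIGH alert levels; this is an added example, not code from the system described. The event tuples, address labels, look-back window and accumulation threshold are assumptions, and only the 20%-of-quorum rule comes from the text above.

```python
from collections import defaultdict

WHALE_FRACTION = 0.20   # page's rule: flag a vote above 20% of quorum
ACCUM_WINDOW = 100      # assumption: look-back window, in blocks
ACCUM_FRACTION = 0.50   # assumption: share of vote weight gained inside the window

def classify_votes(transfers, votes, quorum):
    """Return {voter: (level, reason)} for every whale-sized vote."""
    inflows = defaultdict(list)                      # recipient -> [(block, amount)]
    for block, _sender, recipient, amount in transfers:
        inflows[recipient].append((block, amount))
    alerts = {}
    for block, voter, weight in votes:
        if weight <= WHALE_FRACTION * quorum:
            continue                                 # below the whale threshold
        same_block = sum(a for b, a in inflows[voter] if b == block)
        recent = sum(a for b, a in inflows[voter] if block - ACCUM_WINDOW <= b <= block)
        if same_block >= ACCUM_FRACTION * weight:
            alerts[voter] = ("HIGH", "weight acquired in the block of the vote")
        elif recent >= ACCUM_FRACTION * weight:
            alerts[voter] = ("HIGH", "rapid accumulation before the vote")
        else:
            alerts[voter] = ("MEDIUM", "whale vote")
    return alerts

def common_funders(transfers, votes):
    """Return {funder: [voters]} for funders that supplied two or more voters."""
    voters = {voter for _, voter, _ in votes}
    funded = defaultdict(set)
    for _block, sender, recipient, _amount in transfers:
        if recipient in voters:
            funded[sender].add(recipient)
    return {f: sorted(v) for f, v in funded.items() if len(v) >= 2}

# Constructed sample data: (block, sender, recipient, amount) and (block, voter, weight).
QUORUM = 1_000_000
TRANSFERS = [
    (900, "exchange", "holder", 300_000),    # long-held position
    (4990, "funder", "wallet_b", 250_000),
    (4995, "funder", "wallet_c", 250_000),
    (5000, "lender", "wallet_d", 600_000),   # funded in the voting block
]
VOTES = [(5000, "holder", 300_000), (5000, "wallet_b", 250_000),
         (5000, "wallet_c", 250_000), (5000, "wallet_d", 600_000),
         (5000, "small", 10_000)]

if __name__ == "__main__":
    for voter, (level, reason) in classify_votes(TRANSFERS, VOTES, QUORUM).items():
        print(level, voter, reason)
    print("shared funders:", common_funders(TRANSFERS, VOTES))
```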
Timeline
Full system: 2–3 months. Basic: 4–6 weeks.







