Security announcement about DAO proposals
The core technical team has recently had the DAO and the staking pool contracts and their front end audited again by Hexens. We decided to make this announcement to address one of the points raised. For additional information about the audit, you can refer to this post.
The API3 DAO was built using the original version of the Aragon framework (referred to as “Aragon 1”), due to it being the most battle-tested option at the time. To implement proposal spam protection rules — such as requiring 0.1% voting power to create proposals, or stakers being limited to creating one proposal per week — we minimally customized the original Aragon voting app. The point that our auditors made is not related to this customization, and also applies to the original Aragon voting app.
The Aragon voting app has two parameters to implement consensus rules:
- Minimum support: Percentage of yeas in cast votes for a vote to succeed
- Minimum acceptance quorum: Percentage of yeas in total possible votes for a vote to succeed
The API3 DAO has two voting apps, for which these parameters were configured at contract deployment and have not been changed since:
- Primary voting app — 50% minimum support, 50% minimum acceptance quorum
- Secondary voting app — 50% minimum support, 15% minimum acceptance quorum
All of these parameters can be updated by passing a primary proposal (though minimum support cannot be smaller than minimum acceptance quorum). About this, the auditor points out (in paraphrased form):
- If minimum support is set to be smaller than 50%, it will be possible to pass proposals that the majority of the voting power is against. For example, if it is set to 15%, it will be possible to pass a proposal using 15% voting power, even if the remaining 85% would have voted against it.
- The contract implementation does not prevent minimum support from being set below 50%.
- If a primary proposal that sets minimum support to a small value gets passed (by mistake or deception at the DAO scale), anyone would be able to immediately execute malicious proposals without requiring a majority.
Therefore, do not vote for primary proposals that decrease the minimum support below 50%. You can recognize such a proposal by its function signature, changeSupportRequiredPct(uint64).
Arguably, some DAOs may be designed to be able to pass proposals despite a majority opposition, so the original Aragon implementation is not necessarily faulty. However, we would agree with the auditor that in the case of API3 DAO, this value should indeed not be reduced below 50%. To generalize this advice further, governance participants should not vote for any proposal whose implications they do not fully understand.
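The two consensus rules and the below-50% check described above, modelled as an added example (this is not API3's or Aragon's code). It assumes percentages are fixed-point with 100% equal to 10**18 and that a threshold must be strictly exceeded; the function names and the sample tally are constructed for illustration.

```python
PCT_BASE = 10**18          # assumption: fixed-point percentages, 100% == 10**18
MAJORITY = PCT_BASE // 2   # 50%
SUPPORT_SETTER = "changeSupportRequiredPct(uint64)"  # signature named in the announcement


def pct(percent):
    """Convert a whole-number percentage (e.g. 15) to fixed-point."""
    return percent * PCT_BASE // 100


def exceeds_pct(value, total, required):
    # Assumption: the threshold must be strictly exceeded; an empty total never passes.
    return total > 0 and value * PCT_BASE // total > required


def vote_passes(yea, nay, voting_power, min_support, min_quorum):
    """Amounts are in voting-power units; thresholds are fixed-point."""
    support_ok = exceeds_pct(yea, yea + nay, min_support)   # yeas among cast votes
    quorum_ok = exceeds_pct(yea, voting_power, min_quorum)  # yeas among all possible votes
    return support_ok and quorum_ok


def review_parameter_change(signature, new_value):
    """Return a warning if a proposal lowers minimum support below 50%, else None."""
    if signature != SUPPORT_SETTER:
        return None
    if new_value < MAJORITY:
        shown = new_value * 100 / PCT_BASE
        return f"REJECT: minimum support would become {shown:.2f}% (< 50%)"
    return None


if __name__ == "__main__":
    power = 1_000_000            # constructed total voting power
    yea, nay = 160_000, 840_000  # constructed tally: 16% for, 84% against
    print("primary (50/50):", vote_passes(yea, nay, power, pct(50), pct(50)))
    print("secondary (50/15):", vote_passes(yea, nay, power, pct(50), pct(15)))
    print("support lowered to 15%:", vote_passes(yea, nay, power, pct(15), pct(15)))
    print(review_parameter_change(SUPPORT_SETTER, pct(15)))
```

With the current settings the 16%-versus-84% tally fails in both voting apps; it passes only once minimum support has been lowered to 15%, which is the change `review_parameter_change` flags.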