Title: Understanding Security Issues in the DAO Governance Process
Authors: Junjie Ma, Muhui Jiang, Jinan Jiang, Xiapu Luo, Yufeng Hu, Yajin Zhou, Qi Wang, Fengwei Zhang
DOI: 10.1109/TSE.2025.3543280
Journal: IEEE Transactions on Software Engineering, vol. 51, no. 4, pp. 1188-1204 (JCR Q1, Computer Science, Software Engineering)
Publication date: 2025-02-18 (Journal Article)
URL: https://ieeexplore.ieee.org/document/10891888/
Citations: 0
Abstract
The Decentralized Autonomous Organization (DAO) has emerged as a popular governance solution for decentralized applications (dApps), enabling them to manage their members across the world. This structure ensures that no single entity can arbitrarily control the dApp without approval from the majority of members. However, despite its advantages, DAOs face several challenges within their governance processes that can compromise their integrity and potentially lead to the loss of dApp assets. In this paper, we first provided an overview of the DAO governance process within the blockchain. Next, we identified issues within 3 key components of the governance process: the Governance Contract, Documentation, and Proposal. Regarding the Governance Contract, malicious developers could embed backdoors or malicious code to manipulate the governance process. In terms of Documentation, inadequate or unclear documentation from developers may prevent members from effectively participating, increasing the risk of undetected governance attacks or enabling a small group of members to dominate the process. Lastly, with Proposals, members could submit malicious proposals with embedded malicious code in an attempt to gain control of the DAO. To address these issues, we developed automated methods to detect such vulnerabilities. To investigate the prevalence of these issues within the current DAO ecosystem, we constructed a state-of-the-art dataset that includes 3,348 DAOs, 144 documentation, and 65,436 proposals across 9 different blockchains. Our analysis reveals that many DAO developers and members have not given sufficient attention to these issues. For the Governance Contract, 176 DAOs allow external entities to control their governance contracts, while one DAO permits developers to arbitrarily change the contract's logic. In terms of Documentation, only 71 DAOs provide adequate guidance for their members on governance processes. As for Proposals, over 90% of the examined proposals (32,500) fail to provide consistent descriptions and code for their members, highlighting a significant gap in transparency within the DAO governance process. For a better DAO governance ecosystem, DAO developers and members can utilize the methods to identify and address issues within the governance process.
Journal description:
IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include:
a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models.
b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects.
c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards.
d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues.
e) System issues: Hardware-software trade-offs.
f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.