A report by Web3 firm De.Fi shows that nearly 75% of the top tokens by volume carry significant governance risks because they do not follow best practices for preventing exploits and other security threats.
Nearly 75% of the 429 tokens with governance frameworks that De.Fi analysed have contract-related risk factors, such as concealed owners and wallets with special permissions.
Multisig wallets, which require up to five distinct private keys to approve a transaction, administer only 16.6% of the contracts examined. According to the report, their use is regarded as a way to mitigate the risks of malware and phishing attacks.
Furthermore, more than 38% of token contracts are managed by a single wallet or externally owned account (EOA), which means that the “wallet may invoke privileged functions of the contracts at any time.” The level of risk varies with the permissions granted, according to De.Fi’s analysis:
“For example, if the wallet can only set a protocol fee within reasonable constant limits, there is no risk here. But, if it can replace critical addresses the contract interacts with, such as price oracles and vault strategies, user assets come under direct danger.”
6.8% of contracts contain a hidden ownership provision that lets the contract creator revoke ownership and veto votes. Additionally, 10% of the tokens have renounced contracts, meaning their creators have given up the authority to alter the tokens’ code or governance parameters, which supports decentralization.
Many projects entrust the security of their entire treasury to a single wallet owner. These owners typically remain anonymous, so DAO participants cannot verify the identity of the person managing the funds.
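To make the distinction De.Fi draws concrete, here is an added illustration (not code from the report or from any audited project) of a single contract that carries both a bounded privileged function and an unbounded one, plus the renounce step mentioned above; all names and the 1% fee cap are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a vault whose single `owner` (an EOA, a multisig or a
// timelock) holds two privileged functions of very different risk.
contract ExampleVault {
    address public owner;           // who may call the privileged setters
    address public priceOracle;     // critical dependency used to value assets
    uint256 public protocolFeeBps;  // protocol fee in basis points
    uint256 public constant MAX_FEE_BPS = 100; // hard cap of 1% (assumed value)

    event OwnershipRenounced(address indexed previousOwner);
    event PriceOracleChanged(address indexed oldOracle, address indexed newOracle);

    constructor(address initialOracle) {
        owner = msg.sender;
        priceOracle = initialOracle;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Low risk: the owner can only move the fee inside a constant range.
    // The worst outcome for users is a 1% fee, which they can price in.
    function setProtocolFee(uint256 bps) external onlyOwner {
        require(bps <= MAX_FEE_BPS, "fee above cap");
        protocolFeeBps = bps;
    }

    // High risk: the owner can redirect the vault to an arbitrary oracle at
    // any time. With a single hot wallet as `owner`, a lost or stolen key
    // puts user assets in direct danger. Defensive options: hold `owner`
    // behind a multisig or timelock, or restrict `newOracle` to an allow-list.
    function setPriceOracle(address newOracle) external onlyOwner {
        require(newOracle != address(0), "zero oracle");
        emit PriceOracleChanged(priceOracle, newOracle);
        priceOracle = newOracle;
    }

    // Renounced contract: after this call nobody can invoke the setters above,
    // which is the state 10% of the tokens in the report are in.
    function renounceOwnership() external onlyOwner {
        emit OwnershipRenounced(owner);
        owner = address(0);
    }
}
```

Reviewing a token for this kind of risk means checking whether `owner` resolves to a contract (multisig or timelock) or to an EOA, and which of its privileged functions are bounded by constants like `MAX_FEE_BPS`.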
This has resulted in access control vulnerabilities, exploits, and rug pulls worth billions of dollars, according to Artem Bondarenko, tech director at De.Fi.
Governance tokens are cryptocurrencies that give their holders the right to take part in decision-making for a decentralized autonomous organization (DAO), blockchain project, or protocol.
De.Fi’s Rekt database shows that the top three governance breaches caused $414 million in losses: the Multichain smart contract exploit, Beanstalk Farm’s flash loan attack via a governance proposal, and Tornado Cash’s exploit via a malicious proposal.
“However, it is critical to emphasize that although governance parameters may indicate that a token is vulnerable, it does not invariably result in a security breach.”
“Numerous organizations that possess governance tokens have sophisticated security departments and procedures that are not necessarily on-chain or publicly tracked,” Bondarenko continued.
According to the analysis, around 14% of the contracts either lack governance mechanisms or do not disclose them.