The bulk of the largest tokens by volume face significant governance risks, failing to follow best practices that prevent exploits and other security threats.
According to an analysis from Web3 firm De.Fi, of the 429 tokens with governance frameworks, nearly 75% have risk factors associated with their contracts, including hidden owners and wallets with special permissions.
Only 16.6% of the analyzed contracts are managed by multisig wallets, which require up to five different private keys to approve any transaction. The report notes that this arrangement is seen as a tool for reducing phishing and malware-based hacking risks.
In addition, over 38% of the token contracts are managed by a wallet or externally owned account, which means that a “wallet can call privileged functions of the contracts anytime.” As per De.Fi’s analysis, the degree of risk may differ depending on the permissions assigned:
“For example, if the wallet can only set a protocol fee within reasonable constant limits, there is no risk here. But, if it can replace critical addresses the contract interacts with, such as price oracles and vault strategies, user assets get under a direct danger.”
Another red flag, identified in 6.8% of contracts, is hidden ownership, which allows the contract creator to revoke ownership and veto votes. Also, only 10% of the tokens have renounced contracts — meaning their creators have given up their right to modify their code or governance features, thus enhancing decentralization.
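The distinction De.Fi draws between a bounded fee setter and an unbounded address setter, and the two mitigations the report counts (multisig/timelock ownership and renounced ownership), can be seen in a single contract. The following is an added illustration, not De.Fi’s code or any token’s actual contract; the contract name, the 5% fee cap, and the requirement that a new owner be a contract are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not De.Fi's code). Names, the fee cap and the
// "new owner must be a contract" rule are assumptions for this example.
contract VaultConfig {
    address public owner;          // an EOA here is the risk De.Fi flags
    address public priceOracle;    // a "critical address the contract interacts with"
    uint256 public protocolFeeBps; // basis points, 100 = 1%
    uint256 public constant MAX_FEE_BPS = 500; // hard cap: 5% (assumed value)

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event OracleChanged(address indexed oldOracle, address indexed newOracle);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialOracle) {
        owner = msg.sender;
        priceOracle = initialOracle;
    }

    // Low-risk privilege: the value is bounded by a constant, so even a
    // compromised owner key cannot set an abusive fee.
    function setProtocolFee(uint256 feeBps) external onlyOwner {
        require(feeBps <= MAX_FEE_BPS, "fee above cap");
        protocolFeeBps = feeBps;
    }

    // High-risk privilege: replacing the oracle changes what every
    // price-dependent function believes. An unbounded setter like this,
    // reachable from a single EOA key, is the case the report calls
    // "a direct danger" to user assets.
    function setPriceOracle(address newOracle) external onlyOwner {
        require(newOracle != address(0), "zero oracle");
        emit OracleChanged(priceOracle, newOracle);
        priceOracle = newOracle;
    }

    // Mitigation 1: move ownership to a multisig or timelock contract so no
    // single key can exercise the high-risk privilege alone. The code-size
    // check only proves the new owner is a contract, not which kind; the
    // contract itself still has to be inspected.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        require(newOwner.code.length > 0, "owner must be a contract (multisig/timelock)");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // Mitigation 2: renounce ownership outright. After this no address can
    // call the setters above; fee and oracle are frozen permanently.
    function renounceOwnership() external onlyOwner {
        emit OwnershipTransferred(owner, address(0));
        owner = address(0);
    }
}
```

For a DAO participant checking a token, the public `owner()` getter is the starting point: an owner of `address(0)` corresponds to the renounced case, an owner with no deployed code is an externally owned account, and an owner that is a contract still has to be read to confirm it is actually a multisig or timelock rather than a thin proxy for one key. The `OwnershipTransferred` event history is what block explorers use to show when and to whom control moved.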
“An alarming number of projects leave the security of their entire treasuries in the hands of one wallet owner. Most of the time these owners are hidden, meaning there’s no way for a DAO participant to verify who manages the funds. This has led to billions of dollars in access control vulnerabilities, exploits and rug pulls,” said Artem Bondarenko, tech lead at De.Fi.
Governance tokens are a type of cryptocurrency that grants holders the right to participate in decision-making processes related to a blockchain project, protocol, or decentralized autonomous organization (DAO).
De.Fi’s Rekt database shows the top three governance hacks resulted in $414 million in losses, including Beanstalk Farm’s flash loan attack through a governance proposal, Multichain’s smart contract exploitation, and Tornado Cash’s exploit via a malicious proposal.
“It’s important to note, however, that while governance parameters may suggest a token is at risk, it doesn’t necessarily lead to a breach in security. Many companies with governance tokens have security departments and advanced security practices not necessarily publicly tracked or on-chain,” added Bondarenko.
From the analysis, approximately 14% of the contracts lack governance mechanisms entirely or do not disclose them.