Exploring social engineering attacks on DAOs
1. What is a DAO?
DAO stands for Decentralised Autonomous Organisation. Okay… but what does that mean? Let’s break it down word by word. Decentralised means no single party owns it, and anyone can become a part of it. Autonomous means something that functions with little human intervention. An organisation is a group of people coming together for a goal or cause.
But what does it have to do with blockchain? Think of a company in the world as we know it: the company has a product, the product has users, the company is valued on various parameters, and its board members decide its future. A DAO is exactly that. The only differences are that it all lives on a blockchain, it is completely transparent, and no country’s government can control it. WHO DOES NOT WANT THAT? DAOs carry tremendous possibilities, but that’s a different topic in itself.
2. Cybersecurity is a big pool
You must have heard the term “cyber security” a lot, but most people do not have a clear definition of it. Cyber security is not just about passwords or money. It is a whole world in itself. Without proper guidance, you are always at a high risk of having an unknown vulnerability exploited. Cyber security ranges from a random conversation with a stranger on the internet to all those fancy movie scenes you watch. Social engineering is one such part of cyber security. Let’s explore it.
2.1 What is social engineering?
Social engineering, in the context of cyber security, is simply the art of gathering information or compromising a system or structure by manipulating users and exploiting human error to gain private information or valuables. Sounds complex? Let me help you.
You must have seen the security questions that some websites use to verify it’s you if you forget your password. Now imagine a scenario where you meet a random guy on Discord and have a bit of chit-chat, just basic stuff like where you are from, which books you like to read, which was the first book you ever read, and so on. Now, “What’s the name of your favourite book?” is a security question on many websites. He already has the answer, and he may use it to compromise your account. That is just a simple way of explaining social engineering; the scope goes far beyond this simple example, but the core concepts are the same.
2.2 Social Engineering in DAO
How can this “social engineering”, or these “social attacks”, be used in the case of a DAO? This blog is all about that. We will explore some common ways malicious users can break a DAO and learn how it can be prevented.
3. Treasury Exploits
Before we get into treasury exploits, we should know how a DAO works: how decisions are taken, who takes them, etc.
As we know, DAOs are just like any other organisation. In a regular organisation, the board members decide by vote. In a DAO, people vote on a particular action, and if the majority agrees, the decision is carried out.
How does voting happen in DAOs?
In a regular organisation, voting power resides with the board members in proportion to how much of the organisation they own in terms of shares and assets. DAOs use a similar mechanism: a DAO issues a “governance token” to people who want to be part of the organisation, and the people who hold more governance tokens have more control.
3.1 What are soft treasury exploits?
Soft treasury exploits are when a proposal passes to grant funds to a wallet in exchange for some work to be done, but the work does not get completed, and the receiver simply keeps the money. Let’s understand it better.
Now, imagine a scenario: some regular organisation named X needs some work done, and some board members suggest hiring a company named Y to do the work, so the board members take a vote. If the vote reaches a majority, company Y is given the project. But what if company Y just vanishes after receiving the funds for the project? It would be a disaster.
This is one of the main security issues in DAOs. There have been many instances where a DAO community hired developers, content creators, etc., to get work done, only to find out later that no progress had been made and their funds were gone.
3.2 What’s the solution?
In regular organisations, to prevent this type of misconduct, we take the help of legal authorities: the two organisations sign a contract and face penalties if they violate their respective ends of it. But what about web3? Here, as we know, “code is law”, so we use that fact. Instead of handing over the funds in one go, we can stream them over time, which also leaves room to stop the stream by vote if either party fails to deliver. All this can be done with smart contracts, and there are protocols made just for this purpose.
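A minimal version of such a stream, written here as an added illustration rather than the code of any real streaming protocol: the DAO funds the contract in ETH, the contractor can withdraw only what has vested so far, and the DAO (assumed to be the governance executor address that deployed the stream, and assumed able to receive ETH) can cancel it after a vote, keeping the unvested remainder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Linear ETH payment stream funded by a DAO treasury; illustration only, not a real protocol.
contract PaymentStream {
    address public immutable dao;               // assumed: the DAO's governance executor
    address payable public immutable recipient; // the contractor being paid
    uint256 public immutable start;
    uint256 public immutable stop;
    uint256 public immutable total;             // amount streamed over [start, stop]
    uint256 public withdrawn;                   // amount already paid out
    bool public cancelled;

    constructor(address payable _recipient, uint256 duration) payable {
        require(msg.value > 0 && duration > 0 && _recipient != address(0), "bad stream");
        dao = msg.sender;
        recipient = _recipient;
        start = block.timestamp;
        stop = block.timestamp + duration;
        total = msg.value;
    }

    /// Amount vested at time t: nothing before start, everything after stop, linear in between.
    function vestedAt(uint256 t) public view returns (uint256) {
        if (t <= start) return 0;
        if (t >= stop) return total;
        return total * (t - start) / (stop - start);
    }

    /// Contractor pulls only what has vested so far (checks-effects-interactions order).
    function withdraw() external {
        require(msg.sender == recipient && !cancelled, "not allowed");
        uint256 due = vestedAt(block.timestamp) - withdrawn;
        require(due > 0, "nothing vested");
        withdrawn += due;
        (bool ok, ) = recipient.call{value: due}("");
        require(ok, "transfer failed");
    }

    /// Governance stops the stream after a vote: the contractor keeps what has vested, the rest returns to the DAO.
    function cancel() external {
        require(msg.sender == dao && !cancelled, "not allowed");
        cancelled = true;
        uint256 due = vestedAt(block.timestamp) - withdrawn;
        uint256 refund = total - withdrawn - due;
        withdrawn = total;                      // nothing more can ever be pulled
        (bool ok1, ) = recipient.call{value: due}("");
        (bool ok2, ) = payable(dao).call{value: refund}("");
        require(ok1 && ok2, "transfer failed");
    }
}
```

The point for DAO security is that a contractor who vanishes mid-project walks away with only the time-proportional share, not the whole grant, and the community keeps a vote-driven kill switch.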
As discussed, every organisation has board members, some more important than others, whose opinions and decisions are crucial in meetings. It may be because they hold a large share or because they bring value to the organisation. But imagine for a second what would happen if they suddenly went missing and just vanished, and how it would impact the organisation. In the real world the person can usually be contacted somehow, but is that the case in a DAO? Let’s find out.
In the case of DAOs, since they are very similar to regular organisations, the situation is almost the same if some important member ghosts the organisation. Depending on the type of governance system in place, it may even end up locking other members’ funds for months or years. In short, it is very damaging to DAO security, and the worst part is that you cannot even make contact if the person decides to disappear, because everything in a DAO is virtual.
The intention behind ghosting can vary: the person may have malicious intent, may be going through a health crisis, or anything else, but it is a huge risk because people put millions of dollars into governance. Hence, it is better to keep a “dead man’s switch”. Let’s learn what this switch is.
4.1 What’s the solution?
A dead man’s switch is the solution, but what is that, and what’s with the sinister name? It’s a mechanism put in place to deal with your assets in case you die or become unresponsive. That’s cold. It can help you immensely, and I believe everyone in crypto should have one.
So basically, how it works is: every so often, an email check is sent to the member to see whether he/she is responsive. If you reply, all is well, but if you don’t, a chain of events is triggered which involves sending the crucial information to the ones you care about, like your private keys, wallet addresses, etc. You can find such services for yourself online.
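The same check-in idea can also live on-chain, which suits DAO treasuries and signer roles better than e-mailed keys. The contract below is an added illustration (not the e-mail service described above, nor any particular product): the owner must call `checkIn()` at least once per `timeout`, and once they have gone silent for longer than that, the designated beneficiary can claim the escrowed ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// On-chain dead man's switch: the owner must "check in" periodically; if they go
/// silent for longer than `timeout`, the beneficiary can take over the held ETH.
/// Added illustration of the mechanism, not the e-mail service described above.
contract DeadMansSwitch {
    address public owner;
    address payable public beneficiary;
    uint256 public immutable timeout;   // e.g. 90 days, chosen at deployment
    uint256 public lastCheckIn;

    constructor(address payable _beneficiary, uint256 _timeout) payable {
        require(_beneficiary != address(0) && _timeout > 0, "bad params");
        owner = msg.sender;
        beneficiary = _beneficiary;
        timeout = _timeout;
        lastCheckIn = block.timestamp;
    }

    /// The owner's "I am still here" signal; every owner action below also counts as one.
    function checkIn() public {
        require(msg.sender == owner, "not owner");
        lastCheckIn = block.timestamp;
    }

    /// Owner can top up the escrow; doing so also resets the deadline.
    receive() external payable { if (msg.sender == owner) checkIn(); }

    /// True once the owner has missed the deadline.
    function expired() public view returns (bool) {
        return block.timestamp > lastCheckIn + timeout;
    }

    /// Owner can withdraw at any time while active (checkIn() rejects anyone else).
    function withdraw(uint256 amount) external {
        checkIn();
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// After the deadline passes, the beneficiary claims everything held here.
    function claim() external {
        require(msg.sender == beneficiary, "not beneficiary");
        require(expired(), "owner still active");
        uint256 amount = address(this).balance;
        (bool ok, ) = beneficiary.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

For a DAO, the same pattern can hand a multisig or governance role to a successor instead of ETH, so a vanished key holder cannot freeze the treasury indefinitely.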
5. Impersonation attack
Let’s answer a fun question: how would you destroy an organisation? It’s simple: corrupt the head employees. An organisation can’t last long after that. What would happen if a single person was head of many departments and he got corrupted? It’s the end of the organisation.
A similar attack can be carried out in a DAO. It’s scary. As we know, a DAO works according to its community. Some people build a good reputation in the community, become powerful and impactful, and others attach a sense of authority to them. This can be found in any community. These people are also given privileges in the DAO because they are active and their actions seem to favour the DAO, and they can be elected to various higher positions. All this community activity happens over different digital social groups, on applications like Discord, Telegram, etc., making it close to impossible to detect this type of attack.
What if someone creates multiple accounts and starts contributing to the community from each of them? If he is good at it, his accounts will start to rise to positions of credibility. Although the community sees those accounts as separate human beings, they all belong to one person. Now, if those accounts rise to positions of credibility, think how much havoc they can bring upon the DAO.
If the person holds enough positions in the DAO, he/she can sway its general direction and affect all the crucial decisions. All these accounts vote for the same thing, say the same thing and support the same agenda. This is like taking over the whole DAO. The attacker can socially engineer the DAO into putting more funding into projects of his interest, or a malicious project, and end up draining all the funds. It indeed is scary.
5.1 What’s the solution?
These attacks are hard to counter because the attacker blends in with other community members, and it is difficult to anticipate this kind of attack. The main defence is to make the selection process hard: to reach a position of authority, people have to face more hurdles and prove themselves. It is also advised to focus on building a larger, dedicated community to reduce the risk of such attacks.
6. How can you improve DAO Security?
One potential way of tackling social attacks is to rely less on humans and make everything autonomous. That way there is no human intervention and no room for human error, but this is not always possible.
The other simple answer is that you need a team of experts. There are numerous ways a protocol can be compromised, so you need people with experience and expertise to secure it, people who know how different hacks are carried out and how to tackle them.
We at QuillAudits have a team of experts who contribute immensely to our vision of making the web3 ecosystem safe so that more people can become part of this resolution. We are committed to securing it. Do visit our website and get your Web3 project secured!