Leveraging the governance analytics of the top 500 tokens by Volume (out of which 429 have governance associated)
The top three largest governance hacks resulted in $414M in losses over the years
The report outlines the high/medium/low-risk practices in the industry and precautions investors can take
De.Fi, a leading Web3 Super App and creators of the REKT Database, releases new data on token governance and potential risk factors. The latest Governance Security report from De.Fi reveals that 74,6% of the tokens with governance from the top 500 tokens may pose risk factors associated with their governance contracts.
In an era where the crypto landscape is fraught with risks, resulting in billions of dollars in losses each year, De.Fi addresses the urgent need for enhanced security data and analytics. In response, De.Fi has released a comprehensive report on token governance. Governance grants token holders the right to participate in the governance of a protocol, allowing them to engage in decision-making processes through voting.
Our analysts present a study on governance types tracked on De.Fi’s Market Security Page, covering 429 tokens with governance amongst the top 500 tokens by market cap. A staggering 74,6% of the top 500 most popular tokens exhibit a potential risk in governance.
Key findings include:
38,2% are managed by Wallet (or EOA); this means that the wallet can call privileged functions of the contracts anytime. The risk degree depends on how critical these functions are. For example, if the wallet can only set a protocol fee within reasonable constant limits, there is no risk here. But, if it can replace critical addresses the contract interacts with, such as price oracles and vault strategies, user assets get under a direct danger.
16,6% are managed by Multisigs, considered a medium to lower risk practice due to requiring approval from up to five different wallet owners for any transactions, reducing the risks of phishing and malware-led hacking.
10,2% are governed by Smart Contracts, which can be classified as medium risk because it is impossible to predict and verify the behavior of these contracts, as well as opportunities for scams or exploits.
10% have Renounced contracts, indicating that all governance has been revoked.
6,8% have Hidden Owners, posing a risk as the contract creator can revoke ownership, granting exclusive control over token contract modifications. This allows the hidden owner to VETO all votes once ownership is revoked.
1,6% employ Masterchef, considered a safe practice as it involves advanced smart contracts governing actions such as claiming rewards, restaking, and unstaking.
1,2% use Governance, representing a low-risk category. The industry standard for governance contracts is the Governor contract originally developed by Compound.
1,2% have Timelocks that are used to delay the execution of a transaction until a specified time in the future. Primarily adopted for safety measures, but can be bypassed. This function can be used also for controlling token sales on the open market.
Interestingly, among the Top 500 coins, approximately 14.2% either lack governance mechanisms entirely or have not disclosed such information.
Artem Bondarenko, Tech Lead at De.Fi said:
“An alarming number of projects leave the security of their entire treasuries in the hands of one wallet owner. Most of the time these owners are hidden meaning there’s no way for a DAO participant to verify who manages the funds. This has led to billions of dollars in access control vulnerabilities, exploits and rug pulls.”
“It’s important to note however that while governance parameters may suggest a token is at risk, it doesn’t necessarily lead to a breach in security. Many companies with governance tokens have security departments and advanced security practices not necessarily publicly tracked or on-chain,” added Artem Bondarenko.
What are the risks?
Data from De.Fi’s Rekt Database highlights the significant impact of governance exploits in the industry. The top three largest governance hacks resulted in $414M in losses over the years:
Beanstalk Farms fell victim to a flash loan, exploited for a governance proposal, leading to fund drainage from the pools.
Multichain experienced smart contract exploitation secured by a multi-party computation (MPC) system, functioning similarly to a multisignature wallet.
Tornado Cash’s Governance was exploited via a malicious proposal.
Taking Preventive Measures with De.Fi Security Market Page
Token holders participating as on-chain voters in these proposals need the right tools to analyze security parameters before engaging in new governance proposals.
As an addition to an already complete ecosystem of tools for DeFi investors, De.Fi’s latest Governance metrics aim to mitigate security risks for token holders by providing a clear view of safety aspects associated with various tokens. Users can explore top tokens and their security practices at De.Fi Security Market Page.
De.Fi is a pioneering Web3 Super App, featuring all-in-one Asset Management Dashboard, Social Profiles, Opportunity Explorer, and the world’s first Crypto Antivirus. With a trusted user base of 1.5M globally, De.Fi is committed to driving DeFi adoption by simplifying and securing the self-custody transition. The platform is endorsed by prominent partners, including OKX and Huobi, supported by former Coinbase M&A expertise, and trusted by leading institutions such as University College London and Coingecko.Website | Twitter | Security Market Page | Rekt Database