On December 11 of this year Robert Forster (twitter) reported a governance attack vector recently made possible through multi-block MEV.
Essentially, it’s possible for an Ethereum validator to propose two blocks in a row. Because of this, it’s possible for the validator to:
In block 1:
- buy all of the POOL liquidity,
- Delegate POOL to themselves
- create a proposal
in block 2:
- vote yes on the proposal
- dump the POOL
The validator would only need to pay the exchange fees.
In this event, the validator would be able to create a proposal that transfers the entire treasury to themselves.
Compound and Uniswap have mitigated the issue by increasing the voting delay; thereby preventing the MMEV exploiter from voting on their proposal.
Our governance system, being a fork of the original Uniswap governor, is still susceptible to this attack.
However, we have two important lines of defense:
- We have a tremendous amount of active votes. We’d eliminate any malicious proposals no problem.
- Even if a malicious proposal sneaks by, we can cancel proposals whose proposers no longer hold POOL tokens. This is a kind of hidden feature; if someone creates a proposal they must have the delegated POOL tokens until the proposal is executed. Otherwise anyone may cancel the proposal.
Additionally, POOL liquidity on DEXs is quite thin and does not represent a threat. However, if that changes we’ll need to re-evaluate!
Many thanks to Robert Forster and his team at Ease! They have been paid a bounty of $2000 USDC Etherscan.