Threats to ENS DAO via Delegates

Original Post from ENS Discourse Forum

I have started a repo for threat analysis to DAO structures, starting with ENS. It’s in Python. I’ll update where there are any mentionable findings.

I ran some very basic simulations to access if the DAO can be ‘taken hostage’ by a select number of delegates by triggering on-chain votes with sufficient quorum of 1,000,000 votes. @AvsA pointed out that the top 5 delegates make up for sufficient quorum. I generalised the process to N number of delegates (‘colluders’) over the list of top 50 delegates scrapped from Sybil.org ShowKarma.xyz.

The full set of results can be found here. To summarise:

colluders  threats
3          0
4          24
5          2256
6          74173

‘colluders’ == number of rogue delegates
‘threats’ == number of possible combinations of rogue delegates with > 1,000,000 votes in total

These results suggest that a vote can be triggered by as few as 4 not-necessarily-top delegates. In comparison, in a utopic world where all 50 delegates have equal votes, quorum cannot be reached unless a minimum of 9 delegates collude.

In further detail, in each case I looked for reoccurrence of delegates across all combinations of attacks and gave them a cumulative threat score across all number of collusions; results are shown below. Notably, when N > 25, ‘colluders’ effectively become ‘agreers’ since now the majority decides the fate of the protocol.

The quorum question isn’t easy to answer if you are looking for one consistent value. if you are willing to adopt a dynamic value, then it is easier. The reason: the delegate vote distribution (as well as threat score) will always be a power law (Rankγ) like you said, but it could be of different index γ which decides the slope. In utopia, γ = 0. In real life, you’d still want this value to be as low as possible and the power law to be as flat as possible. Flatter power law will require more number of colluders to attack and therefore decrease the likelihood. Having said that, the delegate vote count is not fixed, so the power laws are always shifting. Currently, threat to ENS starts at 4 colluders and Brantly, Coinbase, Nick feature in roughly 80%, 65%, 40% of these hypothetical attacks respectively as a reference. What number do you think is safe? It is a dynamic question (γ is varying) and should be treated as such. Beyond that, even if you flatten the power law, there will still be a finite number of colluders who could attack the protocol.

However, it doesn’t hurt to run a simulation with a higher quorum and with the current delegate vote distribution, a quorum of 2,000,000 will require a minimum of 7-8 colluders. This is obviously far better than 4 colluders but not very safe in a general context. Other list of values below:

quorum       min_colluders
1,000,000    4
2,000,000    7-8
3,000,000    13-14
4,000,000    27-28

Having looked at these values, quorum should be raised to 2,000,000 in my opinion. The “attacks” are only attacks on quorum so relatively safe and don’t need a hyper-strict criteria. I will run more simulations for a full on-chain voting. If I find something meaningful, I’ll go ahead and attack the protocol. You know where to find me. :smiling_imp:

1 Like