Governance creates risk for 75% of top tokens – report



Most tokens, by volume, face significant governance risks and do not follow best practices to prevent exploits and other security threats.

According to an analysis by Web3 company De.Fi, nearly 75% of the 429 tokens with governance frameworks have vulnerabilities associated with their contracts, including hidden owners and wallets with special permissions.

Only 16.6% of the analyzed contracts are managed by multisig wallets, which require up to five different private keys to approve any transaction. The multisig requirement is intended to reduce the risks of phishing and malware-based hacking, according to the company's report.

In addition, more than 38% of token contracts are managed by wallets or externally owned accounts, which means that “wallets can call specific functions of contracts at any time.” According to De.Fi's analysis, the amount of risk can vary depending on the permissions granted:


For example, if the wallet can only set the protocol fee within reasonable fixed limits, there is no risk here. However, user assets are directly at risk if the contract replaces the critical addresses with which the contract communicates, such as price negotiations and vault strategies.

Another red flag, found in 6.8% of contracts, is hidden ownership, which allows the contract creator to cancel ownership and veto votes. Also, only 10% of tokens have renounced contracts – meaning their creators have given up the right to change their code or governance features, improving decentralization.

“A surprising number of projects put the security of entire vaults in the hands of a single wallet owner. Often these owners are hidden, meaning there is no way for a DAO participant to verify who manages the funds. This has resulted in billions of dollars in access control vulnerabilities, exploits, and rug pulls.”

Governance tokens are a form of cryptocurrency that grants the right to participate in decision-making processes related to a blockchain project, protocol, or decentralized autonomous organization (DAO).

De.Fi's Rekt database shows the Beanstalk Farm flash loan attack that resulted in a loss of $414 million, including governance proposals, Multichain's smart contract exploitation, and Tornado Cash exploitation.

“But it's important to note that while management metrics may indicate a signal is at risk, it doesn't necessarily result in a security breach. Many companies with administrative tokens have security departments and advanced security practices that are not necessarily publicly monitored or on-chain,” Bondarenko added.

According to the analysis, approximately 14% of the contracts either have no governance mechanisms at all or do not disclose them.
