DeXe DAO Studio is an advanced platform where a DAO can be created and governed in all of its aspects in one place.
DeXe is a DAO framework enabling users to launch decentralized autonomous organizations. DeXe DAO enables people to manage and use all governance tokens in a single interface across chains.
It also offers an expanded delegation system with a delegate reward mechanism, as well as providing different options for governance mechanisms.
Cyfrin recently conducted a comprehensive security review of DeXe Protocol over a period of 32 days. A total of 46 issues were found, including 3 critical, 9 high-risk, 14 medium-risk, and 4 low-risk.
The 3 critical vectors found were largely related to bypassed protections, the ability to manipulate voting systems, and the ability to alter voting power.
One of the critical issues found was the ability to completely bypass all existing flash loan voting manipulation protections by taking advantage of DeXe’s advanced delegated voting system.
This attack is performed in one transaction via an attack contract and completely subverts the voting system by allowing an attacker to decide the outcome of proposals, even if they don't have the economic energy to do so.
We were able to successfully bypass all the existing flash-loan mitigations by leveraging delegated voting, which allows users to delegate their votes to other users.
Another critical issue made it possible to purchase tokens for free from the token sale proposal, and the remaining critical issue made it possible to completely eliminate the voting power of the ERC721Power NFT contract.
As voting power in DAOs is typically implemented via ERC20 & ERC721 tokens, any attack that steals or burns user tokens can destroy voting power.
Numerous other findings of high severity made it possible to manipulate the voting system in various ways, bypass system restrictions, and cause loss of rewards.
With such a large codebase (over 6000 lines of code!), we knew we had to go into the attacker’s mindset and question every developer assumption.
We especially focused on areas where the testing suite was weak, where integration between components was not tested thoroughly, and where there was a great amount of complexity.
Although the protocol had protections against flash loan exploits, we realized a gap in DeXe’s state machine could still open a vulnerability with devastating effect. This first critical finding then drove us to dive deeper into the delegation system and the main governance pool contracts, where we found other critical, high, and medium vulnerabilities.
Especially when finding critical and high-risk exploit vectors, our team felt it was necessary to build proofs of code: contracts that showcase how the attack would be carried out.
This was incredibly helpful for the DeXe team as they visualized how the protections they had set in place could be bypassed.
Cyfrin’s audit of DeXe DAO highlights the importance of conducting comprehensive security reviews when looking at on-chain governance.
Incubating security at every part of the developer’s journey, our research team proactively identified critical vulnerabilities that could have threatened the long-term success of the DeXe protocol.
Dedicated to fostering a safer Web3 industry, our thorough security research deepened our team’s understanding of governance and decentralized autonomous organizations, particularly looking at governance attacks available through on-chain governance.
Note: Considering the number of vulnerabilities found in this security review, we recommended that DeXe DAO conduct a competitive audit.
Cyfrin has performed a thorough security review of the codebase in scope as of the date specified, which should not be construed as an endorsement of the protocol. Despite our comprehensive review, vulnerabilities may still exist, and we encourage users to conduct their own research before engaging.