DAO Known Issues
DAOs are currently under development. Be sure to update to the latest Chia version prior to using the DAO primitive.
As of Chia version 2.1.4, the following DAO issues are known to exist:
Proposal Spam
Under normal circumstances, an attacker can create a malicious proposal to drain the DAO of its treasury. However, even if the attacker has secured enough YES
votes to meet the attendance_required
threshold to pass the proposal, the soft_close_length
will protect against this type of attack. As long as a sufficient number of NO
votes are added prior to the expiration of the soft_close_length
, the proposal (and the attack) will fail.
However, prior to creating this proposal, the attacker can use proposal spam to improve the chances of the attack's success.
The DAO wallet subscribes to PROPOSAL
coins by hinting the TREASURY_ID
in the memos
field upon the coin's creation. There is a limit on the number of items a full_node
will return to a wallet based on a subscribed puzzle*hash (including hinted coins):
trusted_max_subscribe_response_items
: 500000max_subscribe_response_items
: 100000
The attacker can take advantage of this limit by creating multiple coins, each of which contains a hint equal to the TREASURY_ID
. Eventually a wallet will no longer get any additional coin states for newer coins from a full_node
via the coin state subscription. This is the "proposal spam" part of the attack.
If the attacker has created a sufficient number of the aforementioned coins to reach the subscription limit, the malicious proposal will be invisible to the wallets of every other DAO member. If the members are not alerted to the existence of the malicious proposal in some other way, the soft_close_length
will eventually be reached, and the proposal will succeed.
Fake Proposals to lock DAO CATs
An attacker can create spam proposals with the intent of locking DAO_CATs into voting mode permanently. There are two ways to accomplish this:
- Create otherwise valid
PROPOSAL
coins which don't meet the proposal minimum amount (e.g. 0 or 1 mojo coins). - Create proposals without a timer coin.
In the event that such proposals are voted on by users, because the proposals can never be closed (even via self-destruct), any users who voted on these proposals will never be able to unlock the coins they voted with. Note that coins in this state could continue to be used to vote on other proposals.
The current mitigation to this is that the wallet will filter out any proposals which either don't meet the proposal minimum amount or don't have valid timer coins. It is strongly suggested to use the show_proposal
command with any proposal that you intend to vote on, and check that it is valid.
Changing a DAO's settings
Because each proposal is voted on and enacted independently, it is possible to have a situation where a proposal to change one or more of the DAO's settings passes while another proposal is active. In this case, the active proposal will take on the new rules imposed by the proposal to change the DAO's settings. This situation could cause the existing proposal to fail, even if it would have passed under the original rules. Other side effects are also possible.
Because of this anomaly, a vote for a proposal to change the DAO's settings could affect any of the DAO's other active proposals. Therefore, members are strongly encouraged to examine all open proposals when deciding whether to vote for a proposal to change the DAO's settings.