Governance Attack Defenses

Every known governance attack vector has a specific, layered defense built into GNDX Protocol. This page documents each attack and its mitigation.

Attack Defense Matrix

| Attack Vector | Method | Defense Mechanism |
| --- | --- | --- |
| Flash loan attack | Borrow massive $GAME in one block, vote, return | veGAME requires tokens locked before proposal snapshot — flash loans have zero voting power |
| 51% takeover | Acquire majority of $GAME to control all votes | Attacker must lock tokens for years (can't liquidate). 48h timelock gives community warning to mobilize. |
| Low-quorum sneak | Vote on obscure proposal when community is inactive | 5% quorum: significant holder participation is mandatory. 12-day minimum public visibility. |
| Treasury drain | Pass proposal to send funds to attacker's address | 7-day timelock on large amounts, Guardian pause available during timelock window |
| Parameter manipulation | Vote to set fees to 100% or single token weight to 100% | Hardcoded parameter bounds in smart contracts — Governor reverts regardless of vote outcome |
| Sybil attack | Create many small accounts to game quorum | Quorum is % of veGAME supply, not address count — splitting to many wallets doesn't help |

Flash Loan Defense in Depth

Flash loans are the most common attack vector against on-chain governance. GNDX's defense:

  1. Votes require veGAME, not raw $GAME
  2. veGAME requires tokens locked before the proposal snapshot
  3. The snapshot is set at the block when the proposal is submitted
  4. Tokens locked after the snapshot have zero voting power for that proposal
  5. Flash loans cannot lock tokens before a snapshot that is set in the same transaction

An attacker with infinite flash-loan capital has exactly zero influence over GNDX governance.
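The snapshot rule above and the supply-based quorum from the matrix can be checked with a small off-chain model. This is an added example, not GNDX contract code; the class and function names, the account labels, the block numbers, and the simplification that 1 locked $GAME equals 1 veGAME with no decay are all assumptions.

```python
from bisect import bisect_left
from collections import defaultdict

QUORUM_BPS = 500  # the page's 5% quorum, in basis points of veGAME supply


class VeLedger:
    """Toy checkpoint ledger: 1 locked $GAME = 1 veGAME, no decay (assumption)."""

    def __init__(self):
        # account -> [(lock_block, cumulative_locked)], blocks non-decreasing
        self._history = defaultdict(list)

    def lock(self, account, amount, block):
        hist = self._history[account]
        if hist and block < hist[-1][0]:
            raise ValueError("locks must be recorded in block order")
        hist.append((block, (hist[-1][1] if hist else 0) + amount))

    def power_at(self, account, snapshot_block):
        """Voting power from locks made strictly before the snapshot block."""
        hist = self._history.get(account, [])
        # (snapshot_block,) sorts before every (snapshot_block, x) entry, so
        # idx counts only checkpoints whose block is < snapshot_block.
        idx = bisect_left(hist, (snapshot_block,))
        return hist[idx - 1][1] if idx else 0

    def supply_at(self, snapshot_block):
        return sum(self.power_at(a, snapshot_block) for a in self._history)


def quorum_met(ledger, voters, snapshot_block):
    """Quorum counts veGAME weight, never the number of voting addresses."""
    weight = sum(ledger.power_at(v, snapshot_block) for v in set(voters))
    return weight * 10_000 >= ledger.supply_at(snapshot_block) * QUORUM_BPS


def scenario():
    """Constructed sample data: returns (ledger, snapshot block, sybil wallets)."""
    ledger, snapshot = VeLedger(), 1_000
    ledger.lock("long_term_holders", 10_000_000, block=900)
    ledger.lock("single_wallet", 400_000, block=950)
    sybils = [f"sybil_{i}" for i in range(40)]
    for wallet in sybils:  # the same 400,000 stake split across 40 wallets
        ledger.lock(wallet, 10_000, block=950)
    # Borrowed tokens locked in the proposal's own block arrive too late.
    ledger.lock("flash_borrower", 150_000_000, block=snapshot)
    return ledger, snapshot, sybils
```

In this model the 150M tokens locked in the snapshot block contribute nothing to either voting power or quorum supply, and the 40 split wallets carry exactly the weight of the single 400,000 lock.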

51% Takeover Defense in Depth

Acquiring a majority of $GAME voting power requires:

  1. Purchasing a large fraction of 200M tokens (visible, expensive, illiquid)
  2. Locking those tokens in veGAME (irreversible for the lock duration)
  3. The attacker cannot exit during the attack — they are locked in

Even if an attacker succeeded:

  • The 48-hour timelock gives the community time to observe and respond
  • The Guardian Multisig can pause for 72 hours if an active exploit is occurring
  • Parameter bounds in the smart contract prevent the most damaging actions regardless of vote

Hardcoded Bounds as Last Line of Defense

Even if governance is fully compromised, smart contract bounds prevent catastrophic outcomes:

  • Max token weight: 10% — attacker cannot concentrate the index into a single token they control
  • Max streaming fee: 1.5% — attacker cannot drain holders via fees
  • Guardian pause auto-expiry: 72h — attacker cannot permanently freeze protocol using Guardian keys
  • Fixed $GAME supply — attacker cannot dilute existing holders by minting new governance tokens

These are enforced in code. A governance proposal that attempts to exceed these bounds will revert at execution — not at vote time. The smart contract is the final arbiter, not governance.

Treasury Drain Defense

Large treasury allocations (>$200K) have additional protections:

  • 7-day timelock (vs. 48h standard)
  • Community can observe the pending action and exit via redemption during the timelock
  • Guardian can pause if unusual treasury activity is detected

Parameter Manipulation Defense

The GNDXGovernor checks parameter bounds before executing any calldata:

    // Before execution:
    if (selector == FeeCollector.setStreamingFeeBps.selector) {
        if (value < 25 || value > 150) revert ProposalExceedsParameterBounds(...);
    }
    if (selector == IndexVault.updateWeight.selector) {
        if (weight > 1000) revert ProposalExceedsParameterBounds(...);
    }

A proposal can pass with 100% of votes and still fail to execute if its calldata violates bounds.

Emergency Response Protocol

If the Guardian Multisig activates the pause:

  1. Guardian publishes public statement explaining reason within 2 hours
  2. Emergency governance proposal submitted within 24 hours
  3. Community votes with compressed 48-hour window
  4. Outcome: patch deployed and unpaused, OR pause allowed to expire at 72 hours

The Guardian cannot extend the pause. It expires automatically.


See also: Security · Guardian Multisig