The Mad Money Attack

Last week I talked to someone designing their own DAO with a particular emphasis on getting the incentives right. One of their pieces of feedback for Foundry’s current design is: what prevents an attacker from buying a bunch of FRY, then depositing it into Governance, such that they instantaneously attain de-facto veto power?

Let’s start with a silly but instructive example. Foundry embarks on an Operation Freedom Finger, and decides to begin paying hundreds of people by the hour to stand outside the US White House, holding up their middle finger.

This enrages the US government, and they call all their experts together to discuss how to stop this.

The US throws a bunch of money at accumulating FRY on the open market. Assuming Foundry proposals have a pass threshold of 66%, and 10% of total FRY is already in governance, if the US government accumulates 15% of FRY they could enter Foundry governance and stop the middle finger mischief, vetoing any proposal to pay out the wage of those hard-working middle-finger-wavers. Operation Freedom Finger would be shut down.

More seriously, the government could then also capture all Foundry assets held in the Treasury. This includes not just coins but also .eth domains and potentially influence over Foundry products.

It’s important to note that this is not an economically motivated attack. If it were, our design criteria would be simpler: the cost of the attack (buying up all that FRY) must remain greater than the payoff (control over Treasury assets). But in this scenario, the adversary is both incredibly wealthy and enraged. Capturing the Treasury is only a means to an end: to bash and bully Foundry into stopping what it’s doing.

For Foundry to be unbullyable, this attack must be neutered.

Here are some thoughts on how to mitigate this danger.

Selling the Farm

More Zeros on the Check, Please

If a Mom and Pop farm is aggressively bought by some greedy corporate pig, this isn’t necessarily a sad story for the family. If they ask for a ludicrously high price, they can simply leave and buy another, bigger farm (or retire!)

If FRY holders can similarly walk away from such an attack with more money than they had beforehand, this is also a good scenario. Immediately, the FRY holders profited; and ultimately, the same entrepreneurial spirit that brought Foundry into existence will form again, this time with multiplied capital. Perhaps the result is that three DAOs come into existence, each bigger than Foundry was originally, with one solely dedicated to Operation Freedom Finger (after all, it turned out to be quite profitable!)

Leaving the Crops Behind

This would still, however, involve the capture of all Foundry Treasury assets. This could be tokens (for speculation or external DAO control); .eth domains; profit income from products like DAIHard and SmokeSignal; and whatever else Foundry directly owns or controls.

This would be a loss, but not an unrecoverable one. The systems behind the .eth domains would remain on IPFS, for example, and could be delivered by other mirrors. And with the current design, the attack would take a full week to complete, giving the community enough time to reorient and migrate in the appropriate ways.

(Game) Theoretical

Now, it’s unlikely this will happen–but only if the above dynamic is in place as a threat. Game theoretically, an angry attacker would be dissuaded from such an attack, because they’ll ultimately just fund even more of the same activity. Similar to the burning mechanism in a burnable payment, the scenario may never or only rarely be exercised, but is necessary as an endgame condition to affect what happens before.

But How?

Sounds great! But it’s not so clear how to make this happen.

In the current design, the attacker would of course skyrocket the price of FRY–but as soon as the attack became clear, not only FRY holders but ETHFRY liquidity holders would be scared off. And left behind, unable to exit immediately, would be the governors–the crucial piece of Foundry’s intelligence. Facing the “waiting room” to get out of governance, they’ll be able to get out before the attacker but only after all other FRY and ETHFRY holders left.

Liquidity Governance

Schalk will be posting soon on an idea to require that ETHFRY liquidity should be deposited to participate in governance (rather than just FRY). This would ensure that the attacker “puts down a rug” for others to exit at a profit while he executes his attack.

But a downside is that in normal operation, Governors would be less tied to the success or failure of their decisions: if FRY skyrockets, they’d be holding ETHFRY which only saw some of the FRY gains; and if FRY falls, they’d be protected from some of the damage of the fall.

Put another way, if Governors hold FRY, they want nothing more than to raise FRY’s price. But if they hold ETHFRY liquidity, they could settle for simply raising ETHFRY volume. It’s not at all clear that this incentive alignment would be positive for Foundry.