Flash-loan governance attack → DAO admin
Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan.
§ Context
Assumed environment: target DAO uses single-block snapshot voting (no time-weighted balance, no Compound-style checkpoint delay). A flash-loan source exists for the governance token.
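As an added illustration (not part of this dossier or of any real DAO contract), the following Python model contrasts the two voting-power designs the Context names: a naive same-block snapshot that reads the live balance when the vote lands, versus a Compound-style checkpoint that reads the balance recorded in a block strictly before voting opened. The token, account names and balances are constructed for the example; the "flash loan" is modelled as a borrow and repay that both land in the same block number.

```python
"""Same-block snapshot vs. prior-block checkpoint voting power.

Toy model (constructed for illustration): a token that records one
(block, balance) checkpoint per account per block, and a helper that
performs a borrow, a power read under both designs, and a repay inside a
single block. Account names and balances are made up.
"""
from bisect import bisect_right
from collections import defaultdict


class CheckpointToken:
    """ERC20-like balances with Compound-style per-block checkpoints."""

    def __init__(self, initial):
        self.block = 1
        self.history = defaultdict(list)  # account -> [(block, balance), ...]
        for acct, bal in initial.items():
            self._write(acct, bal)

    def _write(self, acct, bal):
        hist = self.history[acct]
        if hist and hist[-1][0] == self.block:
            hist[-1] = (self.block, bal)  # same block: overwrite, keep one checkpoint per block
        else:
            hist.append((self.block, bal))

    def balance_of(self, acct):
        """Live balance: what a naive same-block snapshot reads."""
        hist = self.history[acct]
        return hist[-1][1] if hist else 0

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self._write(src, self.balance_of(src) - amount)
        self._write(dst, self.balance_of(dst) + amount)

    def mine_block(self):
        self.block += 1

    def prior_balance(self, acct, block):
        """Checkpointed balance at `block`; only blocks strictly before the
        current one may be queried, so nothing done in the current block can
        change the answer (the getPriorVotes rule)."""
        if block >= self.block:
            raise ValueError("checkpoint not yet determined")
        hist = self.history[acct]
        blocks = [b for b, _ in hist]
        i = bisect_right(blocks, block)
        return hist[i - 1][1] if i else 0


def simulate_flash_loan_vote(token, borrower, lender, amount):
    """Borrow, read voting power under both designs, repay, all in one block.
    Returns (same_block_power, prior_block_power)."""
    vote_block = token.block
    token.transfer(lender, borrower, amount)                     # borrow leg
    same_block = token.balance_of(borrower)                      # naive snapshot
    prior_block = token.prior_balance(borrower, vote_block - 1)  # checkpoint before voting opened
    token.transfer(borrower, lender, amount)                     # repay leg
    return same_block, prior_block


def run_scenario():
    # Constructed balances: two honest holders and a liquidity pool; the
    # borrower holds nothing of its own.
    token = CheckpointToken({"alice": 100, "bob": 100, "lending_pool": 10_000})
    token.mine_block()  # block 2: voting opens; the checkpoint block is 1
    return simulate_flash_loan_vote(token, "mallory", "lending_pool", 10_000)


if __name__ == "__main__":
    same, prior = run_scenario()
    print(f"same-block snapshot credits {same} votes; prior-block checkpoint credits {prior}")
```

The difference is the whole mitigation: because `prior_balance` refuses to answer for the current block, a balance that exists only between a borrow and a repay in one transaction can never be the one a proposal counts. Holding tokens across the checkpoint boundary would require real capital exposure for at least a block, which a flash loan cannot provide; a longer voting delay and time-weighted balances extend the same idea further.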
§ Steps
- 01 Drain treasury / mint tokens / set fees (Exfiltration, T1041 — Exfiltration Over C2 Channel)
- 02 Submit malicious proposal (Initial Access, T1078 — Valid Accounts)
- 03 Proposal passes, admin role transferred (Persistence, T1098 — Account Manipulation)
- 04 Repay loan same tx (Impact, W3-FLASH-LOAN — Flash Loan Exploit)
- 05 Flash loan governance tokens (Impact, W3-FLASH-LOAN — Flash Loan Exploit)
- 06 Vote yes with borrowed power (Privilege Escalation, W3-GOV-TAKEOVER — DAO Governance Takeover)
§ References
§ Frequently asked
- What is the "Flash-loan governance attack → DAO admin" attack path?
- Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Drain treasury / mint tokens / set fees (T1041), an exfiltration primitive. Assumed environment: target DAO uses single-block snapshot voting (no time-weighted balance, no Compound-style checkpoint delay).
- What is the final impact of this kill-chain?
- The final step lands on Vote yes with borrowed power (W3-GOV-TAKEOVER), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 3
Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
- Shared techniques: 2
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Shared techniques: 2
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Shared techniques: 2
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Shared techniques: 2
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- Shared techniques: 2
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.