W3-GOV-TAKEOVERPrivilege Escalation

DAO Governance Takeover

Borrow voting tokens via flash loan during a snapshot, propose + vote yourself in as admin, repay loan.

§ Where this technique fits

W3-GOV-TAKEOVER is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
step 3 / 5
Flash-loan governance attack → DAO admin
Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan.
step 3 / 6

§ What commonly comes next

01
Exfiltration Over C2 Channel
T1041 · Exfiltration
seen 1×
02
Flash Loan Exploit
W3-FLASH-LOAN · Impact
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Flash-loan veCRV → capture Curve gauge → emission redirect

Flash-loan governance attack → DAO admin

§ What commonly comes next