Defining Governance Risk

Governance risk for a DeFi protocol is the risk that the mechanisms and processes used for decision-making, rule changes, and dispute resolution are themselves a weak point: that they can be captured, stalled, or misused in ways that threaten the long-term sustainability and integrity of the protocol.

Specifically, the key governance risks include:

Voter apathy: Low participation by token holders in governance proposals and elections produces low voter turnout. Because fewer votes are cast, fewer tokens are needed to reach quorum and win a vote, which raises the risk of vote buying, governance attacks, and changes that do not represent the community.

Example:

A proposal to migrate an existing lending protocol to a layer 2 solution to reduce fees sees turnout of only 5% of token holders. With so little community input, a small, well-organised group can decide the outcome, raising the risk of capture by special interests.

Plutocracies and whales: Token-weighted voting (one token, one vote) concentrates voting power in the hands of the few large token holders ("whales") who received outsized allocations in the initial distribution or accumulated tokens since. A small set of holders can then control every decision.

Example: 

The top 1% of DAO token holders control more than 50% of voting power because of large allocations in the initial distribution. They collude to vote down a proposal to raise withdrawal fees because it would reduce their profits.
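The turnout and concentration effects in the voter apathy and whale examples above can be put in numbers. The model below is an added illustration written for this page, not code from the original page or from any protocol. It assumes plain token-weighted voting in which a proposal passes when the votes cast reach a quorum (a fraction of total supply) and the "for" share of votes cast reaches a threshold; the supply, quorum, threshold and holder balances are constructed.

```python
"""Governance-capture cost model (added illustration, not a real DAO's code).

Assumes plain token-weighted voting: a proposal passes if the votes cast
reach a quorum (fraction of total supply) and the 'for' share of votes
cast reaches a threshold. All parameters and balances below are constructed.
"""
from math import ceil


def tokens_to_pass(supply, turnout, threshold, quorum, organic_against=1.0):
    """Minimum attacker-controlled tokens needed to pass a proposal.

    supply          total governance token supply
    turnout         fraction of supply expected to vote without the attacker
    threshold       'for' share of votes cast required (0.5 = simple majority)
    quorum          fraction of supply that must vote for the result to count
    organic_against fraction of organic voters assumed to oppose the attacker
    Returns (tokens, fraction_of_supply).
    """
    if not 0 < threshold < 1:
        raise ValueError("threshold must be strictly between 0 and 1")
    organic = turnout * supply
    organic_for = (1 - organic_against) * organic
    # Majority condition: (a + organic_for) / (a + organic) >= threshold,
    # solved for the attacker's tokens a.
    need_majority = max(0.0, (threshold * organic - organic_for) / (1 - threshold))
    # Quorum condition: the attacker must also make up any shortfall in turnout.
    need_quorum = max(0.0, quorum * supply - organic)
    tokens = max(need_majority, need_quorum)
    return tokens, tokens / supply


def top_holders_share(balances, fraction):
    """Share of supply held by the top `fraction` of holders, by count."""
    ranked = sorted(balances, reverse=True)
    k = max(1, ceil(fraction * len(ranked)))
    return sum(ranked[:k]) / sum(ranked)


def min_holders_to_control(balances, share):
    """Fewest holders whose combined balance reaches `share` of supply
    (a Nakamoto-coefficient style measure: lower means more concentrated)."""
    ranked = sorted(balances, reverse=True)
    target = share * sum(ranked)
    running = 0
    for count, bal in enumerate(ranked, start=1):
        running += bal
        if running >= target:
            return count
    return len(ranked)


def whales_can_pass(balances, n_whales, others_turnout, threshold, quorum):
    """Can the n largest holders, voting as one bloc, pass a proposal when
    every other holder who turns out votes against them?"""
    ranked = sorted(balances, reverse=True)
    supply = sum(ranked)
    bloc = sum(ranked[:n_whales])
    against = others_turnout * sum(ranked[n_whales:])
    cast = bloc + against
    return cast >= quorum * supply and bloc / cast >= threshold


# Constructed holder set: 2 whales at 27.5% each, 180 small holders at 0.25%.
SUPPLY = 1_000_000
BALANCES = [275_000, 275_000] + [2_500] * 180


if __name__ == "__main__":
    for turnout in (0.05, 0.20, 0.50):
        tokens, frac = tokens_to_pass(SUPPLY, turnout, 0.5, 0.04)
        print(f"turnout {turnout:.0%}: attacker needs {tokens:,.0f} tokens ({frac:.1%} of supply)")
    print(f"top 1% of holders control {top_holders_share(BALANCES, 0.01):.0%} of votes")
    print(f"holders needed for 50% control: {min_holders_to_control(BALANCES, 0.5)}")
    print("2 whales pass with simple majority:", whales_can_pass(BALANCES, 2, 1.0, 0.5, 0.04))
    print("2 whales pass with 2/3 supermajority:", whales_can_pass(BALANCES, 2, 1.0, 2 / 3, 0.04))
```

Two things the numbers make visible: the attacker's cost scales linearly with organic turnout (at 5% turnout and a simple majority, 5% of supply is enough even if every other voter opposes), and a quorum only protects the protocol when organic turnout is already near it, since an attacker can supply the missing quorum votes. For the whale case, raising the pass threshold to a supermajority stops the two-holder bloc in this constructed set, while a single whale still wins when the rest of the holders turn out at 10%.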

Short-term priorities: Governance participants may put short-term profit ahead of long-term protocol stability and security, for example by voting down bug bounty funding or deferring investment in infrastructure.

Example: 

During a period of high farming yields, a proposal to redirect part of the token emissions to audits and bug bounties is rejected because it would lower staking rewards in the short term.

Fork execution: Faulty code, poor coordination, or chain splits during a fork or upgrade of the protocol's software can disrupt operations.

Example:

A protocol fork to expand cross-chain bridges causes a temporary chain split with two competing versions of the token, which halts operations until core developers resolve the split manually.

Centralization creep: Gradual centralization of development teams, oracles, bridges, or other external dependencies creates single points of failure that a nominally decentralized protocol still depends on.

Example: 

Most of the price oracles a lending protocol relies on are acquired by a single crypto firm. Infrastructure is now centralized in one operator, and a failure or compromise of that operator could cripple the entire lending protocol.

Custodial Risks

Key management risks: Bridges and other custodial components are only as secure as the private keys, validator set, or multisig signers that control them. An attacker who obtains enough signing keys can move funds without any on-chain vote.

Example:

The Ronin Network bridge (March 2022) and the Harmony Horizon bridge (June 2022) were both drained after attackers gained control of enough of the bridge signers' private keys to authorize withdrawals (five of nine validators for Ronin, two of five multisig signers for Harmony).

Governance risk, by contrast, needs no stolen keys. Beanstalk (April 2022) lost roughly $181M when an attacker borrowed enough governance tokens with a flash loan to reach the protocol's supermajority threshold, then passed and executed a proposal transferring the protocol's funds in the same transaction the tokens were borrowed in.
