Governance Attack Vectors: How Crypto Projects Get Hacked Through Their Own Rules

Many crypto projects run on governance, a system where token holders vote on changes to the protocol. Also known as decentralized governance, it’s meant to remove central control, but it’s also the weakest link in many projects. If the voting rules are sloppy, someone with enough tokens can change the rules to steal everything. This isn’t theory. It’s happened over and over.

Smart contract exploits, flaws in the code that governs how tokens and votes work (also known as on-chain manipulation), are often the tool used in these attacks. Attackers don’t break into wallets; they use the project’s own voting system. One famous case? The Poly Network hack in 2021, where a voter changed the treasury address using a flaw in the governance contract. Another? The $60M Harvest Finance exploit, where a single wallet pushed through a malicious proposal because no quorum or time delay was enforced. These aren’t random glitches. They’re predictable failures of bad design.

DAO hacks, attacks targeting decentralized autonomous organizations (also known as governance takeovers), happen when control shifts from the community to a single actor. The most common trigger? Low voter turnout. If only 5% of token holders vote, one whale can pass any proposal, even one that drains the treasury or gives themselves unlimited minting rights. Projects like Kleros and SushiSwap have faced these risks. The fix? Time locks, higher quorum requirements, and multi-sig fallbacks. But most new projects skip these because they’re ‘too complex.’ That’s how you get hacked.

Look at the posts below. You’ll see real examples of what happens when governance is ignored. From the governance attack vectors in fake airdrops like DeHero and ZWZ, to the lack of oversight in exchanges like Slex and Loop Finance, the pattern is clear: if no one’s watching the rules, someone will break them. Some projects have strong on-chain safeguards. Others? They’re just code with a nice logo. This collection shows you which ones to trust—and which ones are walking into a trap.

Governance Attack Vectors in Blockchain: How Weak Policies Break Systems

18 Mar 2025 by Sidney Keusseyan

Governance attack vectors exploit decision-making flaws in blockchain networks, not code bugs. Learn how vote buying, low quorums, and proxy manipulation can steal millions, and how to protect yourself.