Detailed Instructions

Begin by creating a comprehensive inventory of all on-chain governance parameters and privileged functions. This includes treasury control, fee adjustments, and contract upgrades. For each asset, note its location (e.g., Gnosis Safe at 0x...) and the quorum required to move it. Analyze the proposal lifecycle, from submission to execution, identifying time delays like timelocks which act as a critical defense. Use a block explorer to trace all calls from the governance contract (e.g., 0x5a6A4D54456819380173272A5E8E9B9904BdF41B for MakerDAO's Chief). Document every function signature and the contracts they target.

• Sub-step 1: Use Etherscan's "Read Contract" tab to list all owner() or governance() addresses for core contracts.
• Sub-step 2: Trace treasury fund flows by reviewing transactions from the governance multi-sig wallet.
• Sub-step 3: Review the governance contract code for any emergency functions that bypass standard delays.

solidityCopy
// Example: Checking a timelock delay in a Governor contract
uint256 public delay = timelock.getMinDelay();
require(delay >= 3 days, "Timelock delay insufficient");

Tip: Use a tool like Tenderly's simulation to model the impact of a malicious proposal passing.

Detailed Instructions

Quantify the voting power concentration by analyzing the on-chain distribution of the governance token. Calculate the Gini coefficient or use the Herfindahl-Hirschman Index (HHI) to measure centralization risk. A score above 0.25 (HHI > 2500) indicates high concentration. Examine delegation data from snapshot.org or directly from the governance contract's getVotes function. Identify large delegates ("whales") and delegation apathy, where a large portion of tokens are not actively delegated or voted. Check if delegation is fluid or locked, as locked votes (e.g., in ve-token models) reduce attack agility but increase the value of compromising a single key.

• Sub-step 1: Query the token contract's balanceOf for the top 100 addresses using Dune Analytics.
• Sub-step 2: Calculate the percentage of circulating supply required to meet the proposal quorum (e.g., 4% of UNI).
• Sub-step 3: Review Snapshot space data to see the historical voter turnout for passed proposals.

javascriptCopy
// Example Dune query snippet for token concentration
SELECT
    holder_address,
    SUM(amount) as balance,
    SUM(SUM(amount)) OVER () as total_supply
FROM erc20_ethereum.evt_Transfer
WHERE contract_address = '0x1f9840a85d5af5bf1d1762f925bdaddc4201f984' -- UNI
GROUP BY 1
ORDER BY 2 DESC
LIMIT 10;

Tip: Pay special attention to tokens held by CEXs, as they often do not vote, effectively lowering the active quorum.

Detailed Instructions

Scrutinize the governance module's code (e.g., OpenZeppelin's Governor) for configurable security parameters. The most critical is the timelock delay between a proposal's passage and its execution; a minimum of 48-72 hours is recommended for community reaction. Check for the existence and scope of a veto guardian or security council—evaluate if their power is limited (e.g., can only veto, not propose) and if their keys are well-secured. Analyze the proposal threshold, ensuring it's high enough to prevent spam but not so high it centralizes proposal power. Verify that execution is atomic and cannot be front-run, and that execute functions have reentrancy guards.

• Sub-step 1: Review the TimelockController contract for the minDelay and PROPOSER_ROLE assignments.
• Sub-step 2: Check if the governor contract has a _setVetoer function and identify the current vetoer address.
• Sub-step 3: Simulate a malicious proposal using Foundry's forge to test if defenses trigger correctly.

solidityCopy
// Example: Inspecting a Governor contract's settings
interface IGovernor {
    function votingDelay() external view returns (uint256); // blocks before voting starts
    function votingPeriod() external view returns (uint256); // blocks voting is active
    function proposalThreshold() external view returns (uint256); // tokens needed to propose
}

Tip: A short voting period (e.g., 24 hours) combined with low turnout is a major risk for surprise attacks.

Detailed Instructions

Construct and run simulations for concrete governance attack scenarios. The primary model is the treasury drain, where an attacker passes a proposal to transfer all assets. Calculate the Maximum Probable Loss (MPL) by summing the value of all assets in governance-controlled contracts. Model a parameter manipulation attack, such as setting fees to 100% or reducing collateral factors to zero in a lending protocol, estimating the value that could be extracted from users before a fix. Use a flash loan attack simulation to see if an attacker can borrow enough tokens to meet a proposal threshold, pass a malicious vote, execute, and repay within a single block using a custom contract.

• Sub-step 1: Use DeFi Llama to get the current USD value of the protocol's treasury holdings.
• Sub-step 2: Write a Foundry test that impersonates a whale, creates a malicious proposal, and passes it.
• Sub-step 3: Calculate the cost of attack: (Tokens needed for quorum) * (Market Price) + gas costs.

solidityCopy
// Pseudo-code for a flash loan attack simulation in Foundry
function testFlashLoanGovernanceAttack() public {
    // 1. Take flash loan of enough GOV tokens to meet proposal threshold
    // 2. Submit proposal to drain treasury to attacker's address
    // 3. Vote with the borrowed tokens
    // 4. Warp time to end of voting period and execute
    // 5. Repay flash loan with a portion of stolen funds
    // Assert: Attacker's ETH balance increases substantially
}

Tip: The most dangerous attacks are those that are not immediately obvious, like changing the oracle address to a malicious one.

Detailed Instructions

Benchmark your protocol's risk score against similar DeFi projects. Review publicly available audits and risk assessments from firms like Gauntlet or Chaos Labs. Translate your technical findings into concrete insurance parameters. Determine the appropriate coverage limit, which should align with your calculated Maximum Probable Loss from treasury and parameter attacks. Define the waiting period (e.g., 14 days), which should exceed your timelock delay to allow for community response. Specify exclusions, such as attacks originating from compromised private keys of existing multi-sig signers. Prepare documentation for insurers, including your governance contract addresses, timelock details, and historical voter turnout data.

• Sub-step 1: Collect governance security details from 3-5 competing protocols (e.g., Aave, Compound, Lido) for comparison.
• Sub-step 2: Based on your stress test, propose a coverage limit (e.g., 80% of treasury value up to $50M).
• Sub-step 3: Draft a clear list of exclusions for the insurance policy wording.

javascriptCopy
// Example structure for an insurance coverage proposal
const governanceCoverageProposal = {
  protocol: "YourProtocol v2",
  coverageLimit: "50000000", // USD
  waitingPeriod: 1209600, // seconds (14 days)
  coveredAddresses: ["0x...timelock", "0x...governance"],
  keyExclusion: "Losses from theft of private keys for existing signers."
};

Tip: Insurers will heavily discount protocols with low voter turnout or highly concentrated token distribution, leading to higher premiums.

Detailed Instructions

Evaluate the total value locked (TVL) in protocols where you hold governance tokens or have deposited funds. Focus on protocols with significant treasury control or upgradeable contracts. Calculate the potential loss from a malicious proposal, such as a treasury drain or a change to fee parameters. Consider the attack surface, including the governance delay, proposal threshold, and voter apathy.

• Sub-step 1: List all DeFi protocols where you hold governance tokens (e.g., UNI, COMP, AAVE).
• Sub-step 2: Review each protocol's governance documentation to identify executable actions via proposals.
• Sub-step 3: Estimate the maximum financial impact of a worst-case proposal passing and executing.

Tip: Use on-chain analytics tools like Dune Analytics to monitor proposal activity and historical voting patterns for context.

Detailed Instructions

Research providers like Nexus Mutual, Uno Re, or InsurAce that offer governance attack coverage. Compare policy terms, focusing on the covered perils, which should explicitly include "Governance Attack." Scrutinize the exclusions, such as attacks resulting from wallet compromise or bugs in the insurance smart contract itself. Verify the policy's sum assured (coverage limit) and premium cost, which is typically a percentage of the covered amount paid annually.

• Sub-step 1: Visit provider dashboards and review their active policy wordings for governance risk.
• Sub-step 2: Check the claims assessment process and the reputation of the claims assessors.
• Sub-step 3: Ensure the provider's capital pool is sufficiently funded to cover potential large-scale events.

javascriptCopy
// Example: Checking a provider's capital pool on-chain (conceptual)
const capitalPoolAddress = '0x...';
const poolBalance = await ethers.provider.getBalance(capitalPoolAddress);
console.log(`Available Capital: ${ethers.utils.formatEther(poolBalance)} ETH`);

Tip: Prioritize providers with a proven track record of paying out valid claims.

Detailed Instructions

Connect your Web3 wallet (e.g., MetaMask) to the insurance provider's dApp. Navigate to the purchase interface and select "Governance Attack" as the cover type. You will need to specify the cover amount in ETH or stablecoins, the cover period (e.g., 90 days), and the protocol address you wish to insure against. The contract will calculate the premium based on these parameters and the protocol's risk assessment. You must approve the premium token spend and then execute the purchaseCover transaction.

• Sub-step 1: Input the exact smart contract address of the protocol you are insuring (e.g., Aave's LendingPool address).
• Sub-step 2: Approve the ERC-20 token transfer for the premium amount to the insurance contract.
• Sub-step 3: Call the purchase function, review the gas estimate, and confirm the transaction.

solidityCopy
// Simplified example of a purchase call structure
interface ICover {
    function purchaseCover(
        address _coverAsset,
        uint256 _coverAmount,
        uint256 _coverPeriod,
        address _protocolAddress
    ) external payable;
}

Tip: Always verify you are interacting with the official, audited contract addresses listed on the provider's documentation.

Detailed Instructions

After purchase, your policy is represented as an NFT (Cover Note) or a record in the provider's smart contract. Save the transaction hash and policy ID. Monitor the insured protocol's governance forum and snapshot pages for any proposals. If a malicious proposal passes and causes a verifiable financial loss, you must initiate a claim within the stipulated period. This involves submitting on-chain proof, such as transaction hashes showing the loss and links to the malicious proposal. The claim will be evaluated by the provider's decentralized claims assessment process.

• Sub-step 1: Bookmark the policy details page on the provider's dApp using your connected wallet.
• Sub-step 2: Set up alerts for new governance proposals on the insured protocol using tools like Tally or Boardroom.
• Sub-step 3: If a loss occurs, immediately gather all relevant on-chain data and proposal links to support your claim.

Tip: Understand the waiting period (typically 7-14 days) after a claim is filed before assessment begins, as defined in your policy terms.