defirisk.co
rubric v1.7.0

Flash-loanable voting weight

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor tests whether a protocol's governance system allows current token balance — rather than a snapshotted or time-locked balance — to determine voting weight. When voting power is calculated at the moment of the vote using a transferable token with no minimum lock period and no historical-balance checkpoint, any holder of a flash loan facility can borrow enough tokens to achieve quorum, pass a malicious proposal, and repay the loan within a single transaction.

**Why it matters** Flash loan governance attacks represent one of the most structurally dangerous attack patterns in DeFi because they convert a temporary capital position into a permanent governance outcome. A timelock "doesn't stop transactions from being confirmed — it simply broadcasts the action prior to its execution," per OpenZeppelin, meaning that even a timelock can be circumvented if voting power is not locked before the proposal is cast. Beanstalk's $182M loss in 2022 remains the canonical case: the attacker borrowed governance tokens via a flash loan, passed a malicious proposal granting themselves full treasury access, and executed the drain — all within one Ethereum block. The attack was architecturally certain once the protocol chose spot-balance voting with no lock requirement.

**Green / Yellow / Red** Green is assigned when governance voting power is determined by a balance snapshot taken at a block prior to proposal submission (ERC20Votes/Compound-style checkpoint), or when tokens must be locked for a minimum period before counting toward quorum. Yellow covers protocols that use checkpoints but with a window of less than one block, or where checkpointing can be bypassed via delegation. Red is assigned when voting weight is determined by current token balance at the time of the vote, with no lock, no snapshot, and a transferable governance token accessible via flash loans.

**Common gray cases** This factor is grayed when governance is off-chain (Snapshot-only) with no on-chain execution, or when the governance token is not listed on any venue that offers flash loans at meaningful depth.

**Notable historical examples**

- **Sonne Finance** ($20M, 2024): Permissionless governance execution window with insufficient delay enabled an attacker to front-run market activation after the proposal passed.
- **Radiant Capital (1st incident)** ($4.5M, 2024): Governance-activated empty market with a 6-second execution window exploited via front-running.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. Flash-loanable voting weight eliminates the economic cost of a governance takeover, reducing the attack to a single-block transaction regardless of the protocol's TVL or audit history.

Measurement: what to look for

Determine whether governance voting power is a function of current token balance of a transferable token with no lock or checkpoint, making it flash-loan susceptible.

Data & output

Data source: Governance contract source inspection (Etherscan-verified): check for `balanceOf` vs `getPriorVotes`/`getVotes` with checkpoint; check whether the governance token is flash-loan enabled on major venues.

Output format: Green / Yellow / Red · critical gate active

Evidence artifact: Governance contract address + vote-weight function source excerpt + flash-loan availability check on Aave/Uniswap/Balancer

Confidence signal: green = voting uses checkpointed balance or locked token; red = voting uses spot `balanceOf` of a flash-loanable token; gray = no on-chain governance
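An added example of the source inspection this factor calls for, not code from the rubric or from any scored protocol: a heuristic classifier over a governance contract's vote-casting excerpt that maps the weight source onto the Green / Yellow / Red / gray outcomes above. The Solidity excerpts are constructed; treating `getVotes` without a block argument as the Yellow "window of less than one block" case is an assumption of this example.

```python
import re

# Constructed castVote excerpts (not taken from any real protocol), one per outcome.
RED_VOTE = """
    function castVote(uint256 id, bool support) external {
        uint256 weight = token.balanceOf(msg.sender); // spot balance at vote time
        _tally(id, support, weight);
    }
"""
GREEN_VOTE = """
    function castVote(uint256 id, bool support) external {
        uint256 weight = token.getPastVotes(msg.sender, proposals[id].snapshotBlock);
        _tally(id, support, weight);
    }
"""
YELLOW_VOTE = """
    function castVote(uint256 id, bool support) external {
        uint256 weight = token.getVotes(msg.sender); // checkpointed, but at the current block
        _tally(id, support, weight);
    }
"""

# Heuristic patterns over the vote-weight function excerpt only; a real review reads the
# whole contract, since balanceOf may appear elsewhere for unrelated reasons.
SPOT = re.compile(r"\bbalanceOf\s*\(")
PAST_CHECKPOINT = re.compile(r"\b(getPastVotes|getPriorVotes)\s*\(")
CURRENT_CHECKPOINT = re.compile(r"\bgetVotes\s*\(")


def weight_source(vote_fn: str) -> str:
    """Classify where a castVote body reads its voting weight from."""
    if SPOT.search(vote_fn):
        return "spot"                # current balance: borrow, vote, repay in one tx
    if PAST_CHECKPOINT.search(vote_fn):
        return "past_checkpoint"     # balance fixed at a block before the vote opened
    if CURRENT_CHECKPOINT.search(vote_fn):
        return "current_checkpoint"  # checkpoint exists, but its window is under one block
    return "unknown"


def score(vote_fn: str, flash_loanable: bool, onchain_execution: bool) -> str:
    """Map the classification onto RD-F-036's Green / Yellow / Red / gray outcomes."""
    if not onchain_execution or not flash_loanable:
        return "gray"  # Snapshot-only governance, or no flash-loan venue of meaningful depth
    outcome = {"spot": "red", "past_checkpoint": "green", "current_checkpoint": "yellow"}
    return outcome.get(weight_source(vote_fn), "review")  # unknown pattern: read it by hand
```

Delegation-based checkpoint bypass and the depth of flash-loan venues are not detectable from the excerpt and still need the manual checks listed under the evidence artifact.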

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-036 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | not_applicable |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | not_applicable |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | green |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | green |
| mETH Protocol | ethereum | green |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | yellow |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | red |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | not_applicable |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 2 historical incidents

- **Sonne Finance** (2024-05-14 · $20M): Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation. ★ Flash-loanable voting weight: adjacent [via cross-hack: Factor 31: Permissionless Governance Execution Window]
- **Radiant Capital (1st incident)** (2024-01-02 · $5M): Compound V2 / Aave V2 empty-market rounding error — new USDC market with totalSupply = 0. ★ Flash-loanable voting weight: adjacent [via cross-hack: Factor 31: Permissionless Governance Execution Window]

rubric_version: v1.7.0 · factor: RD-F-036 · category: 2 · carried: 80 · critical: yes