Learning from Motoko Basic DAO – What Are the Security Flaws?

bobekas · August 4, 2025, 7:13pm

Hey all - diving into DAO development in Motoko, and naturally stumbled on DFINITY’s old Basic DAO example.

It’s now archived with a big red flag about known security issues. I get that it was always educational, but I want to learn why it’s insecure.

…please share! Would be useful not only for me, but others trying to implement DAOs safely on ICP.

Vivienne · August 5, 2025, 12:33pm

I doubt anyone has a complete list. While there are security issues for sure, I think the warning is there mostly to say that this is not fleshed out production code. There are a lot of things (e.g. logging) that I would add before calling this a serious project. Here’s a couple things that look suspicious to me just scrolling through:

Using system func heartbeat instead of timers
Tokens can be used to vote for the same user if tokens are transferred between voting attempts
Knowing the cycles ledger, I see relatively little error handling. Not saying it’s wrong, but I would have expected more.
Why is a function (update_system_params) that should only be callable bky the canister itself public shared?
execute_proposal can get unupgradeable if a downstrream canister does not respond
no pagination in list_proposals

Topic		Replies	Views
The Dfinity Divide: Hype, Reality, and Silenced Forums Threads DFINITY	13	326	March 17, 2025
Stateless DAO - open social platform for cooperation Developer Grant Proposals	6	485	April 15, 2025
Should I start building yet? What are others doing? Developers	7	1219	February 26, 2021
Completed: ICDevs.org - Bounty #17 - A DAO for Cycles - $10,000 - ht: cycle_dao Bounties & RFPs Discussing	44	2836	September 5, 2022
Security Fix in Motoko (dfx 0.24.3) Motoko	0	74	December 9, 2024

Learning from Motoko Basic DAO – What Are the Security Flaws?

Related topics