Retroactive Grant for blockful's Security Work

Summary

This proposal requests a retroactive payment of $150,000 USDC to blockful for governance security work performed on behalf of Shutter DAO 0x36 between early 2025 and March 2026. This includes vulnerability discovery, responsible disclosure, smart contract development, a third-party smart contract security audit, architecture and design of several solutions, tests and simulation, mitigation coordination, as well as the Anticapture platform integration and its use in monitoring the risk over the period between identification and solution.

The Security Council proposal has been approved and executed. The veto guard and 2-day timelock are now active.

Motivation

In early 2025, blockful identified a critical governance vulnerability in Shutter DAO 0x36: the cost to capture the DAO through governance (approximately $150K to reach quorum) was significantly lower than the treasury value (~$6M in stablecoins at the time), creating a ~45x ROI attack vector. The combination of a 1 SHU proposal threshold, zero voting delay, no timelock, and no proposal rate limiting made this attack both economically rational and operationally feasible.

blockful chose to protect the DAO through a responsible process: private disclosures, monitoring signals of emerging exploitation for more than a year, development of a defense system ready to act in case of emergency before any attacker could, and a coordinated mitigation that neutralized the threat without ever taking control of, or damaging, the Shutter DAO 0x36 treasury.

This proposal seeks fair compensation for the work delivered.

Scope of Work

Vulnerability Discovery & Disclosure

  • Identified the governance capture vulnerability through the Anticapture framework
  • Mapped the full attack path and validated feasibility through controlled simulation on forked governance contracts
  • Tested token accumulation (2.2M SHU acquired in 3 days, without price impact) to confirm the attack was operationally practical. Since then, the token has dropped 30%, which makes the attack even cheaper to execute.
  • Evaluated and discarded a white-hat capture approach due to legal risk and operational complexity
  • Disclosed the risk privately to Shutter community members; following this disclosure, a consolidation of approximately 60 million SHU into a single defense wallet took place, the largest delegation in the DAO

Advisory & Coordination

  • Advisory from security and ecosystem specialists over the engagement period: private disclosures to Shutter community members, conversations with ecosystem-wide participants without naming the DAO, in-person discussions at conferences, and eventual coordination with aligned delegates willing to execute the mitigation
  • Continuous governance monitoring through the Anticapture dashboard throughout the period

Anticapture Platform Integration

  • Integrated Shutter into the Anticapture platform, including infrastructure costs (servers and RPC nodes) and product development to support Shutter-specific governance visualization
  • This integration was built and maintained throughout the engagement to enable continuous monitoring and readiness to defend against abnormal token accumulations
  • Anticapture integration for other DAOs has been priced at $50K–$100K depending on governance structure similarity

Smart Contract Development

  • Designed and built the SecurityCouncilAzorius guard contract
  • IGuard-compatible with the Azorius governance module, featuring proposal-level and transaction-hash-level veto, multicall batching, ownership rotation, and disabled renounce
  • Full documentation: governance parameters, integrations and addresses, operations runbook, security properties
  • Deployment scripts and verification-focused test suites (unit, lifecycle, invariants)
  • Open source

Third-Party Security Audit

  • blockful reached out to and secured a third-party security auditor
  • Cyfrin executed the audit as a contribution to the preventive action
  • Audit returned only informational findings, all addressed
  • Audit report published in the repository

Emergency Coordination & Execution

  • Coordinated the mitigation with a small group of aligned delegates under operational security constraints
  • Prepared all communication artifacts in advance and released them simultaneously with the proposal submission
  • Managed the full responsible disclosure sequence: private disclosure, fix development, audit, mitigation submission, public disclosure
  • The Security Council proposal passed and was executed successfully. The veto guard and 2-day timelock are now active.

Post-Mitigation: Public Dashboard & Security Advisory

  • Made the Shutter governance dashboard on Anticapture publicly available, giving open access to holder and delegate views, voting power monitoring, activity feeds, and a governance voting interface
  • Published advisory on governance parameter hardening (proposal threshold increase, proposer balance threshold, rate limiting, execution window extension, voting delay)
  • Advising the community on implementation priorities as security and ecosystem specialists
  • Governance parameter hardening proposals are being developed separately and will be scoped independently

A rough estimate of the time our team dedicated to the full scope above is ~400 hours, plus infrastructure costs.

Specification

  • Payment token: USDC
  • Amount: 150,000 USDC
  • Recipient: blockful (address to be provided for formal on-chain proposal)

Pricing Context

  • This amount reflects market rates for a full governance security engagement from discovery through remediation.
  • It is well below the standard bug bounty in case of a real incident (10% of affected funds, ~$300k in this case).
  • Shutter had no bug bounty program. blockful acted without any guarantee of compensation, investing its own resources to prioritize safety.

Resources


Submitted by blockful - governance security for Ethereum.