governance-attack-vectors

# Injectable Skill: Governance Attack Vectors > **Protocol Type Trigger**: `governance` (detected when Governor, Timelock, voting, proposal, quorum, delegate patterns found) > **Inject Into**: Breadth agents, depth-external, depth-edge-case > **Language**: EVM only (Solana has structural mitigations via token locking; Move governance is less standardized) > **Finding prefix**: `[GOV-N]` ## Orchestrator Decomposition Guide When decomposing this skill into depth agent investigation questions, map sections to domains: - Section 1: depth-external (flash loan voting, external token interactions) - Section 2: depth-state-trace (proposal lifecycle state, execution integrity) - Section 3: depth-edge-case (quorum boundaries, threshold edge cases) - Section 4: depth-state-trace (delegation state, vote counting) ## When This Skill Activates Recon detects governance patterns: `Governor`, `TimelockController`, `propose`, `castVote`, `execute`, `queue`, `quorum`, `getVotes`, `delegate`, `votingPower`, or DAO framework imports. --- ## 1. Flash Loan Voting Analysis ### 1a. Vote Power Source Identify how voting power is determined: - Snapshot-based (block number checkpoint) or live balance? - If snapshot: when is the snapshot taken? (proposal creation, vote start, or fixed intervals) - If live balance: can voting power be acquired via flash loan within the voting transaction? ### 1b. Snapshot Manipulation Window If snapshot-based: - Is there a delay between proposal creation and snaps...