Skip to content
Last updated: March 11, 2025

SCWE-015: Poor Governance Documentation

Stable Version v0.0.1

This content is in the version-(v0.0.1) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Relationships

Description

Poor governance documentation refers to the lack of clear, transparent, and publicly accessible records regarding a smart contract system’s decision-making processes, upgrade mechanisms, and role-based permissions. Without proper documentation, users, developers, and auditors struggle to understand the governance model, leading to reduced trust, misconfigurations, and potential security vulnerabilities.

Key risks associated with poor governance documentation: - Unclear Decision-Making Process: Users may not understand how governance proposals are initiated, approved, or executed. - Hidden Centralization Risks: Critical governance powers may be concentrated in a small group without public awareness. - Lack of Upgradeability Transparency: If upgrade procedures are not well-documented, malicious or unintended changes may go unnoticed. - Poor Incident Response Handling: Without clear emergency protocols, governance failures can lead to slow or inadequate responses to attacks.

Remediation

  • Comprehensive Governance Documentation: Clearly outline roles, permissions, voting mechanisms, and upgradeability in technical and non-technical formats.
  • Public Governance Reports: Regularly publish governance decisions, major votes, and protocol updates in a transparent manner.
  • Well-Defined Emergency Procedures: Establish and document response plans for governance failures, protocol attacks, or keyholder compromises.
  • On-Chain Governance Visibility: Ensure that governance smart contracts expose relevant functions for transparency and accountability.
  • Third-Party Audits of Governance Mechanisms: Periodically review governance documentation and processes through independent audits.

Examples

Unlike code vulnerabilities, poor governance documentation is a process failure rather than a direct coding flaw. However, its consequences can be illustrated with real-world governance failures:

Example: Unclear Upgradeability Policy Leads to a Security Breach

A DeFi protocol allows smart contract upgrades but fails to document the governance process for approving upgrades. A small group of developers, holding majority control over the governance multisig, pushes an unreviewed upgrade that introduces a critical vulnerability, resulting in a protocol exploit.

Fixed: Ensuring Transparent Upgradeability Policies

Protocols should establish a clear and documented upgradeability framework outlining who can propose, review, and approve upgrades. Implementing timelocks, community review periods, and independent security audits ensures upgrades are thoroughly vetted before execution. Additionally, maintaining an on-chain governance audit log enhances accountability and prevents unauthorized changes.

Example: Lack of Transparency in Governance Voting

A DAO implements an opaque governance process, where voting power is controlled by a few insiders without a clear framework on how votes are counted or executed. Community members later discover that critical protocol changes were pushed without public discussion, leading to governance disputes and loss of user trust.

Enhancing Transparency in Governance Voting

Governance processes should be transparent, well-documented, and resistant to centralization risks to maintain trust. Clearly defining voting mechanisms, proposal review procedures, and decision-making criteria prevents manipulation and governance capture. Public governance discussions, decentralized voting structures, and immutable records of voting outcomes further enhance credibility and community trust.