
The $1,800 Hostile Takeover: How Governance Attacks Are the Cheapest Exploit in DeFi — And 7 Defense Patterns That Actually Work
An attacker spent $1,800 on governance tokens and nearly walked away with $1.08 million in user funds. No flash loan. No smart contract bug. No zero-day. Just buying tokens on the open market and submitting a proposal.

This was Moonwell on Moonriver, March 2026. The attacker acquired 40 million MFAM tokens — enough to meet quorum — and proposed transferring admin control of seven lending markets, the comptroller, and the price oracle to their own address. The entire attack setup took 11 minutes.

Moonwell survived because they had a "Break Glass Guardian" — a 2-of-3 emergency multisig that could veto the proposal. Most protocols don't have this. And the ones that do often implement it wrong.

Meanwhile, GreenField DAO wasn't as lucky. In April 2025, an attacker flash-borrowed 9 million GOV tokens, passed a malicious proposal, and drained $31 million from the treasury — all within a single block. Beanstalk's $182 million governance exploit in 2022 used the same pattern with over $1 billio

