A nice piece by Pranav Garimidi, Scott Duke Kominers and Tim Roughgarden: https://a16zcrypto.com/dao-governance-attacks-and-how-to-avoid-them/
From the article:
Many web3 projects embrace permissionless voting using a fungible and tradable native token. Permissionless voting can offer many benefits, from lowering barriers to entry to increasing competition. Token holders can use their tokens to vote on a range of issues—from simple parameter adjustments to the overhaul of the governance process itself. (For a review of DAO governance, see “Lightspeed Democracy.”) But permissionless voting is vulnerable to governance attacks, in which an attacker acquires voting power through legitimate means (e.g., buying tokens on the open market) but uses that voting power to manipulate the protocol for the attacker’s own benefit. These attacks are purely “in-protocol,” which means they can’t be addressed through cryptography. Instead, preventing them requires thoughtful mechanism design. To that end, we’ve developed a framework to help DAOs assess the threat and potentially counter such attacks.
It is a type of attack that is less prevalent than phishing, but such attacks can be devastating nonetheless (e.g., DAO treasuries getting emptied).
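To make the threat in the quoted paragraph concrete, here is an added example (my own code, not from the article or its authors): a toy model of a token-weighted vote that computes how much extra voting weight would have to be bought to push a proposal over quorum and threshold, and compares that purchase cost with the value the proposal would unlock. Every parameter (total supply, quorum, threshold, honest turnout, token price, treasury value) is a constructed assumption, and real DAOs add many details this model omits (delegation, vote escrow, timelocks, vetoes).

```python
"""Toy risk check for token-weighted DAO governance.

Added illustration, not the a16z article's code. Models a single proposal:
it passes if cast votes reach a quorum (share of total supply) and the YES
share of cast votes reaches a threshold. The question for a defender is
whether the tokens needed to force a result cost less than what the
proposal would unlock.
"""
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class VoteRules:
    total_supply: int      # governance tokens in circulation (assumed)
    quorum: Fraction       # share of supply that must vote for the result to count
    threshold: Fraction    # share of cast votes that must be YES (must be < 1)


@dataclass(frozen=True)
class RiskReport:
    feasible: bool                  # can the proposal be forced with tokens not yet voting?
    tokens_to_buy: Optional[int]    # extra YES weight required
    cost: Optional[Fraction]        # tokens_to_buy * token_price
    profitable: bool                # cost < value the proposal unlocks
    break_even_price: Optional[Fraction]  # token price at which cost equals the prize


def passes(rules: VoteRules, yes: int, no: int) -> bool:
    """Outcome of the vote under the quorum-and-threshold rule."""
    cast = yes + no
    if cast == 0 or cast < rules.quorum * rules.total_supply:
        return False
    return Fraction(yes, cast) >= rules.threshold


def extra_yes_needed(rules: VoteRules, honest_yes: int, honest_no: int) -> Optional[int]:
    """Smallest extra YES weight that makes the proposal pass given the honest
    votes, or None if fewer tokens than that remain outside the honest voters'
    hands. Exact rational arithmetic avoids float rounding on the boundary."""
    if not 0 < rules.threshold < 1:
        raise ValueError("threshold must lie strictly between 0 and 1")
    s = rules.total_supply
    t = rules.threshold
    # Quorum: honest_yes + honest_no + a >= quorum * supply
    need_quorum = rules.quorum * s - honest_yes - honest_no
    # Threshold: honest_yes + a >= t * (honest_yes + honest_no + a)
    #        =>  a * (1 - t) >= t * honest_no - (1 - t) * honest_yes
    need_threshold = (t * honest_no - (1 - t) * honest_yes) / (1 - t)
    a = math.ceil(max(Fraction(0), need_quorum, need_threshold))
    if a > s - honest_yes - honest_no:
        return None
    assert passes(rules, honest_yes + a, honest_no)  # sanity check on the algebra
    return a


def attack_risk(rules: VoteRules, honest_yes: int, honest_no: int,
                token_price: Fraction, treasury_value: Fraction) -> RiskReport:
    """Compare the cost of forcing the proposal with the value it unlocks.
    A 'profitable' report is the signal that the mechanism needs redesign
    (higher quorum/threshold, longer timelock, a veto path, etc.)."""
    a = extra_yes_needed(rules, honest_yes, honest_no)
    if a is None:
        return RiskReport(False, None, None, False, None)
    cost = a * token_price
    return RiskReport(True, a, cost, cost < treasury_value, treasury_value / a)


if __name__ == "__main__":
    # Constructed scenario: 1M tokens, 20% quorum, 60% YES threshold,
    # honest turnout of 50k YES / 100k NO, token at 2 units, treasury worth 500k.
    rules = VoteRules(1_000_000, Fraction(1, 5), Fraction(3, 5))
    report = attack_risk(rules, 50_000, 100_000, Fraction(2), Fraction(500_000))
    print(report)
```

Running the constructed scenario shows the proposal can be forced with 100,000 extra tokens costing 200,000 units against a 500,000-unit treasury, so the vote is economically exposed unless the token trades above the reported break-even price of 5 or the rules change; the same functions let you re-run the check after each proposed parameter change.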