On May 5, 2025, the Internet Computer Protocol (ICP) network found itself at the centre of a significant governance controversy. BoomDAO, a decentralised autonomous organisation (DAO) within the ICP ecosystem, became the focus of an exploit that saw the minting of billions of tokens and the subsequent collapse of their market value. The incident has raised serious concerns about the security and effectiveness of the Service Nervous System (SNS) framework, which governs various dapps within the ICP ecosystem. It also raises broader questions about decentralised governance, potential vulnerabilities, and the ethics of those overseeing blockchain networks.
BoomDAO is part of the SNS framework, a system designed to decentralise governance by allowing token holders to make critical decisions about dapps. These decisions include minting tokens, altering application parameters, and setting governance structures. The governance process is designed to ensure that decisions are made by a broad community, rather than by a small group of stakeholders. However, the events of May 5 reveal how the governance framework can be manipulated by those with intimate knowledge of the system, undermining the very decentralisation it seeks to uphold.
The incident began with a proposal put forward by BoomDAO to mint 2.5 billion new BOOM tokens. The proposal passed with 100% approval, but with only 2,022 voting power cast. This number, much lower than the total possible, suggested that a small group (potentially a single individual) held enough power to push through a decision that would have significant consequences for the market. Once the proposal was approved, the newly minted tokens were dumped onto the market, causing the BOOM token price to plummet and leaving investors with heavy losses.
The exploit was made possible by a flaw in the governance process. Proposals in the SNS framework update to their latest status after the voting period ends, allowing for last-minute changes to be made. In this case, Adam, a token holder who had acquired a significant portion of BOOM tokens, briefly held enough voting power to influence the governance process. However, when the voting period for the proposal ended, control of the DAO reverted to the Boom team. This reversion enabled the Boom team to pass the minting proposal with a much smaller voting power than would have been required under normal circumstances.
Additionally, the voting process was further compromised when neurons, which are voting units within the SNS framework, were disabled, preventing Adam and other legitimate token holders from participating in the decision-making process. This manipulation of the system highlights how the governance framework can be undermined by individuals with a deep understanding of the technology, as well as by those who have access to the system’s core mechanics.
At the centre of the controversy is Wenzel, a figure linked to Synapse and CodeGov, two groups funded by DFINITY, the organisation behind ICP. These groups were tasked with reviewing and improving the governance systems for the NNS and SNS frameworks. Wenzel’s understanding of the governance process appears to have given him an advantage in exploiting the system. The actions of Wenzel and his associated groups raise questions about conflicts of interest, particularly given that they were entrusted with ensuring the integrity of the very systems they appear to have manipulated.
While Adam’s actions were entirely legitimate according to the rules of the SNS framework, they were ultimately thwarted by the reversion of control to the Boom team and the disabling of neurons. This incident raises critical questions about the fairness and security of the SNS governance model. If a small group can override the actions of legitimate token holders simply by manipulating the system, then the decentralisation that the ICP ecosystem is supposed to offer is called into question.
The governance vulnerability exposed by the BoomDAO incident is not isolated. It highlights fundamental flaws in the SNS framework itself, flaws that allow those with knowledge of the system’s inner workings to exploit its weaknesses. The low threshold for passing significant proposals, combined with the ability to disable voting rights, creates an environment where governance can be easily manipulated by a select few. This threatens the fairness and legitimacy of the entire decentralised system.
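The interaction between a low passing threshold and a shrinking pool of eligible voters can be checked mechanically. The following is an added example, not code from the SNS or from BoomDAO: the `Tally` and `Rule` types, both eligible-voting-power totals and every threshold value are assumptions made for illustration; only the 100% approval and the 2,022 voting power cast come from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tally:
    yes: int             # voting power cast in favour
    no: int              # voting power cast against
    total_at_open: int   # eligible voting power when voting opened
    total_at_close: int  # eligible voting power when the tally was finalised

@dataclass(frozen=True)
class Rule:
    min_yes_of_cast: float   # required yes share of the voting power cast
    min_yes_of_total: float  # required yes share of all eligible voting power
    use_snapshot: bool       # measure turnout against the opening total?

def review(tally: Tally, rule: Rule) -> tuple[bool, list[str]]:
    """Return (adopted, notes) for one finished vote under one rule."""
    notes = []
    cast = tally.yes + tally.no
    total = tally.total_at_open if rule.use_snapshot else tally.total_at_close
    yes_of_cast = tally.yes / cast if cast else 0.0
    yes_of_total = tally.yes / total if total else 0.0
    adopted = True
    if yes_of_cast < rule.min_yes_of_cast:
        adopted = False
        notes.append(f"yes is {yes_of_cast:.1%} of cast voting power")
    if yes_of_total < rule.min_yes_of_total:
        adopted = False
        notes.append(f"yes is {yes_of_total:.4%} of eligible voting power")
    if tally.total_at_close < tally.total_at_open:
        # Informational: eligibility shrank while the vote was open.
        lost = tally.total_at_open - tally.total_at_close
        notes.append(f"{lost} voting power became ineligible during the vote")
    return adopted, notes

# Constructed sample. Only "100% approval" and "2,022 voting power cast" come
# from the article; both totals and every threshold are illustrative.
MINT_VOTE = Tally(yes=2_022, no=0, total_at_open=50_000_000, total_at_close=4_000)
RULES = {
    "cast-only": Rule(0.50, 0.00, use_snapshot=False),
    "live-total": Rule(0.67, 0.20, use_snapshot=False),
    "snapshot-total": Rule(0.67, 0.20, use_snapshot=True),
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        adopted, notes = review(MINT_VOTE, rule)
        print(f"{name:15} {'ADOPT' if adopted else 'REJECT'} {notes}")
```

With these constructed numbers, the same tally is adopted under the first two rules and rejected only when turnout is measured against the total recorded at the start of voting, so removing voters mid-vote cannot lower the bar.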
The role of Synapse and CodeGov in the incident is particularly concerning. These groups were given the responsibility of reviewing and improving the governance systems for ICP. However, their apparent use of this position to manipulate the governance process suggests that the very entities tasked with protecting the integrity of the system may be the ones undermining it. The fact that these groups have access to the system’s code and governance framework creates a potential conflict of interest, one that could lead to further exploits if not addressed.
The BoomDAO incident raises broader questions about the future of decentralised governance within the ICP ecosystem. While decentralisation is intended to prevent the concentration of power in the hands of a few, the exploit demonstrated that those with a deep understanding of the system can easily circumvent the rules. This presents a significant challenge for the ICP ecosystem, as it must balance the ideals of decentralisation with the need for robust protections against insider manipulation.
Despite efforts to improve governance—such as the introduction of higher voting thresholds for critical proposals in late 2023—the incident reveals that vulnerabilities remain. If the governance framework cannot be trusted to function fairly and securely, then the entire concept of decentralisation is at risk. The exploit highlights the tension between decentralisation and the need for safeguards to protect the system from manipulation.
This incident should serve as a wake-up call for the ICP community. The current state of decentralised governance leaves the system open to exploitation by those who understand its mechanics. To restore confidence in the ICP ecosystem, the community must take action to address the vulnerabilities exposed by the BoomDAO incident. Reforms to the SNS framework, such as higher voting thresholds, stricter controls on neuron disabling, and better safeguards against insider manipulation, are essential to ensuring that decentralised governance remains secure and trustworthy.
The aftermath of this exploit will have lasting implications for the ICP ecosystem and the broader blockchain space. The events of May 5, 2025, serve as a reminder that decentralised systems must be constantly reviewed and improved to protect against insider threats. The challenge moving forward will be to strike the right balance between decentralisation and security, ensuring that blockchain networks can deliver on their promises without falling prey to manipulation.