Threat | Scams & fraud

Fake DAO governance flash-loan vote-hijack lure: a message such as "Emergency governance proposal P-487 — vote within 6h or treasury auto-drain triggers" leads to a fake Snapshot / Tally / Aragon governance UI that harvests a delegate signature for blank-check vote casting. 2026 DAO governance attacks (flash-loan vote-buying, Snapshot/Tally emergency proposals, and on-chain timelock-bypass exploits) give attackers a credible pretext. Real Snapshot / Tally / Aragon governance flows go through the protocol's verified UI on snapshot.org / snapshot.box / tally.xyz / aragon.org / commonwealth.im / boardroom.io, never via an inbound email link demanding an emergency-proposal vote signature within 6 hours. Crypto-drainer + signature-fatigue cluster; on-chain-governance scope. Source: GC1 R9 multiagent council P1 (S4 crypto specialist).

fake-dao-governance-flash-loan-vote-hijack-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal covers fake DAO governance flash-loan vote-hijack lures targeting DAO delegates, governance-token holders, and treasury-multisig signers. The phish narrative arrives as: "Emergency governance proposal P-487 — vote within 6h or treasury auto-drain triggers, sign here to delegate," or "Snapshot emergency proposal: flash-loan attack imminent on protocol treasury — connect wallet to vote in the next 6 hours or quorum fails and the timelock-bypass exploit triggers."

2026 DAO governance attacks give attackers a credible pretext that draws on real prior incidents (Beanstalk 2022 governance attack, MakerDAO 2020 flash-loan vote-buying near-miss, Compound governance proposal-89 2022). The pretext combines flash-loan vote-buying, Snapshot/Tally emergency proposals, and on-chain timelock-bypass exploits. In flash-loan vote-buying, an attacker takes a same-block flash loan of a governance token, votes on a malicious proposal, then repays the loan in the same transaction, exploiting Snapshot / Tally / Aragon governance models that count vote-time token balance.

Lookalike Snapshot / Tally / Aragon UIs harvest two things:

- A delegate signature for blank-check vote-casting: the signed off-chain delegation message lets the attacker cast votes for the entire delegated voting power on any future proposal.
- Permit2-style approvals on governance tokens: the drainer can transfer the user's governance-token balance to a sniper wallet that flash-loans against it on the next attack block.

Real Snapshot / Tally / Aragon governance flows go through the protocol's verified UI on snapshot.org / snapshot.box / tally.xyz / aragon.org / commonwealth.im / boardroom.io with In-Reply-To threading from the DAO's existing communication channel (Discord relay or DAO newsletter), never via an inbound email link demanding an emergency-proposal vote signature within 6 hours. Crypto-drainer + signature-fatigue cluster; on-chain-governance scope.

Fires when body references DAO / governance proposal-vote / snapshot.org / Tally / Aragon / onchain vote / delegate / timelock / emergency proposal / treasury / flash loan / quorum AND contains vote / sign / delegate / 6-hours / emergency / urgent / drain / hijack / connect-wallet / action-required urgency. Excludes snapshot.org, snapshot.box, tally.xyz, aragon.org, commonwealth.im, boardroom.io. Auto-classified as danger via the `-lure` suffix. Source: GC1 R9 multi-agent council P1 (S4 crypto specialist).
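
The firing condition above, sketched as an added example (this is not Gorganizer's own code). The two keyword groups and the excluded domains come from the rule text; the regex encoding, the function names, and the reading of "Excludes" as a check on the From domain are assumptions.

```python
import re
from email.utils import parseaddr

# Keyword groups taken from the rule description; the regex encoding is an assumption.
TOPIC = re.compile(
    r"\b(dao|governance proposal|snapshot\.org|tally|aragon|on-?chain vote|delegate|"
    r"timelock|emergency proposal|treasury|flash[- ]?loan|quorum)\b", re.I)
URGENCY = re.compile(
    r"\b(vote|sign|delegate|6[- ]?h(?:ours?)?|emergency|urgent|drain|hijack|"
    r"connect[- ]wallet|action[- ]required)\b", re.I)
EXCLUDED = ("snapshot.org", "snapshot.box", "tally.xyz", "aragon.org",
            "commonwealth.im", "boardroom.io")

def sender_domain(from_header):
    """Domain part of the From address, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain):
    # Exact match or true subdomain only, so "snapshot.org.vote-secure.example"
    # (an excluded name used as a left-hand label) is NOT treated as excluded.
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)

def lure_signal(from_header, body):
    """Return (fires, topic_hits, urgency_hits). One signal, not a verdict."""
    if is_excluded(sender_domain(from_header)):
        return False, [], []
    topic = sorted({m.group(0).lower() for m in TOPIC.finditer(body)})
    urgency = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    return bool(topic and urgency), topic, urgency

# Constructed sample messages (not real mail).
SAMPLES = [
    ("Snapshot Governance <alerts@snapshot.org.vote-secure.example>",
     "Emergency governance proposal P-487: vote within 6h or treasury "
     "auto-drain triggers. Connect wallet to sign."),
    ("Tally <notifications@tally.xyz>",
     "A new governance proposal is live. Vote before the deadline."),
    ("IT Helpdesk <helpdesk@corp.example>",
     "Urgent: sign the updated policy by Friday."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender_domain(sender), lure_signal(sender, body))
```

The third sample has urgency terms but no governance topic term, so the AND condition keeps it from firing.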

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
