DAO Maker meets their maker.
Less than a month ago they lost $7M.
Now they’ve lost another $4M.
We didn’t cover the first exploit, but if you get rekt on repeat then we’ve got to say something.
Credit: Mudit Gupta
DAOMaker’s init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each.
The four contracts and the withdrawal transactions are listed below:
After the exploit and swap routine, the attacker then made init() calls on two more contracts.
Both contracts, however, had already been called by a new address, whose transaction history shows a series of init()-emergencyExit() calls, extracting millions of SHO, as well as ALPHR and LSS.
The final four transactions in this address show the extracted tokens being returned, then an ownership transfer; maybe some belated whitehat behaviour, or the devs trying to save what was left.
The attacker went on to sell each token:
Ternoa: 13.5M CAPS for 378,189 DAI on 1inch
Coinspaid: 5M CPD for 158,216 DAI on 1inch
DeRace: 1.44M DERC for 997,833 DAI on 1inch
Price effects (at time of writing).
Ternoa CAPS dropped to -45%, now -11%
CoinsPaid CPD dropped to -60% and now -25%.
DeRace DERC dropped to -75% initially, now trading around -25%,
Showcase SHO trading at approx. -75%
The prices of all tokens involved have recovered somewhat since the exploit, although not as much as claimed by DAO Maker.
The DAO Maker source code is not public. Was it exposed to an outsider, or is there an insider who should not be trusted?
Live footage of a DAO Maker developer getting rekt by their own protocol.
As Mr Gupta tweeted on Twitter;
DaoMaker claimed that they had audits from 3 firms but looking at learn.daomaker.com/audits, 2 of the audits seem to be for unrelated contracts while the third one from @certik_io points to a dead link.
We await clarification from Certik.
Even if all three audits were real and relevant, no hacked protocol should try and pass the blame to their auditors.
Good security has to come from the team, not outsourced to an audit company.
Every step has to be perfect.
Hiring, spec design, code reviews, testing, fuzzing, formal verification, bug bounty program, incident handling, the list goes on…
But perhaps it’s too late for DAO Maker, who will just have to make dao and mend.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Zero pity. The notorious MEV bot known as 0xbad has fallen on hard times, just like the rest of us. After 75 days of exploiting value from unexpecting users, this mempool menace backfired on its owner, creating a beautiful display of on-chain karma.
Wintermute have lost over $160M to their second incident this summer. Using a vanity address for "gas savings" has cost them dearly. Last time, funds were returned, will Wintermute get lucky again?
The billion that wasn't. Tornado sanctions didn’t deter these Polkadot thieves, who tried to steal ~$1.3B in aUSD from Acala Network.