DAO Maker meets their maker.
Less than a month ago they lost $7M.
Now they’ve lost another $4M.
We didn’t cover the first exploit, but if you get rekt on repeat then we’ve got to say something.
Credit: Mudit Gupta
DAOMaker’s init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each.
The four contracts and the withdrawal transactions are listed below:
After the exploit and swap routine, the attacker then made init() calls on two more contracts.
Both contracts, however, had already been called by a new address, whose transaction history shows a series of init()-emergencyExit() calls, extracting millions of SHO, as well as ALPHR and LSS.
The final four transactions in this address show the extracted tokens being returned, then an ownership transfer; maybe some belated whitehat behaviour, or the devs trying to save what was left.
The attacker went on to sell each token:
Ternoa: 13.5M CAPS for 378,189 DAI on 1inch
Coinspaid: 5M CPD for 158,216 DAI on 1inch
DeRace: 1.44M DERC for 997,833 DAI on 1inch
Price effects (at time of writing).
Ternoa CAPS dropped to -45%, now -11%
CoinsPaid CPD dropped to -60% and now -25%.
DeRace DERC dropped to -75% initially, now trading around -25%,
Showcase SHO trading at approx. -75%
The prices of all tokens involved have recovered somewhat since the exploit, although not as much as claimed by DAO Maker.
The DAO Maker source code is not public. Was it exposed to an outsider, or is there an insider who should not be trusted?
Live footage of a DAO Maker developer getting rekt by their own protocol.
As Mr Gupta tweeted on Twitter;
DaoMaker claimed that they had audits from 3 firms but looking at learn.daomaker.com/audits, 2 of the audits seem to be for unrelated contracts while the third one from @certik_io points to a dead link.
We await clarification from Certik.
Even if all three audits were real and relevant, no hacked protocol should try and pass the blame to their auditors.
Good security has to come from the team, not outsourced to an audit company.
Every step has to be perfect.
Hiring, spec design, code reviews, testing, fuzzing, formal verification, bug bounty program, incident handling, the list goes on…
But perhaps it’s too late for DAO Maker, who will just have to make dao and mend.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
$16 million taken from Indexed Finance. That’s one more protocol added to the rekt register, and $16 million more on our leaderboard. Is anonymity the only way to stay safe?
It’s worse than we thought. Last week ~$80M in excess COMP was wrongly distributed. Now another ~$68.8M has been sent to the vulnerable vault, and even more COMP is being given away.
Top ten thievery. $34 million taken from Vee Finance earns them the number 7 spot on our leaderboard, yet nobody seems surprised. What’s normal for us is not normal elsewhere.