On 3 September 2021, at around 10:00 PM UTC, DAO Maker, a decentralized finance platform on the Ethereum blockchain that enables startups to raise funds, was hacked for almost $4 million (although the true realized cost to DAO Maker is far greater).
A collection of altcoins was stolen: DeRace Token (DERC), Capsule Coin (CAPS), Showcase (SHO) and Coinspaid (CPD).
Evidently, the hacker was preparing for the recent crypto market rout, as the stolen tokens were swapped to the stablecoin Dai using the DEX aggregators 1inch and Metamask. The attacker is still holding the Dai on the same Ethereum blockchain address the stolen tokens were initially sent to.
The funds needed to execute the exploit were sent to that address from the Tornado.cash mixer, so the origin of the funds prior to mixing is as yet unknown.
The DAO Maker smart contracts that were affected:
0x6E70C88bE1d5C2a4c0c8205764d01ABE6a3d2E22, 0xd6c8dd834abeeefa7a663c1265ce840ca457b1ec, 0xa43b89d5e7951d410585360f6808133e8b919289, 0xdd571023d95ff6ce5716bf112ccb752e86212167, 0x2fd602ed1f8cb6deaba9bedd560ffe772eb85940 and 0x933fb39d2b0f110e6e83f62c4fbcaebfd3142a13.
No other platform was involved as the root cause of the exploit. Since the attack was not executed using flash loans, the attacker had no need to use other DeFi protocols.
The aftermath of the hack caused the price of the DAO Maker token to drop from $2.51 to $2.20 in just an hour. The tokens that were actually stolen suffered flash crashes, although these were alleviated by DAO Maker "replenishing" the lost tokens.
For example, the transaction the hacker conducted in DeRace caused the altcoin to drop precipitously.
Thus, DAO Maker in fact suffered a far worse cost than the $4 million in stolen tokens, as the platform had to replenish the lost tokens at much lower values.
Most DeFi platforms that seek to be reputable have their code audited, but this hack raises questions as to the depth and timing of these audits. As DAO Maker points out, the platform's code was audited by three companies: Symbolic Software, Certik and Hacken. But the blame cannot be placed entirely on their shoulders, as a little more investigation demonstrates.
The oldest of the exploited contracts was created on 28 April this year. However, the latest audit was made on 10 June (Certik), with the other audits conducted on 8 March (Hacken) and 7 January (Symbolic Software). This means that most of the exploited smart contracts were unaudited.
Jakub Klonowski, a lead analyst at Coinfirm who works on analyzing crypto hacks, notes that "there need to be industry standards that come down from regulators not just for AML and CFT in DeFi but equally important are regulations for the regularity and quality of code audits. As the world embraces DAOs and blockchain and the technology's disciplines rule more organizations, more critical data and assets will be kept by code alone."
Only one attacker was involved, and Coinfirm has flagged the hacker's address in our database. Download the AML Enhanced Risk Report for the address 0x2708CACE7b42302aF26F1AB896111d87FAEFf92f that received the stolen funds.
The attack was caused by an init() function in DAO Maker's contracts that was left unprotected against being called again after deployment, allowing the attacker to reinitialize four token contracts with malicious data. The emergencyExit() function was then used to withdraw the funds from each of them.
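As an added illustration of this bug class (hypothetical code, not DAO Maker's contracts, which this page does not reproduce), the vault below shows an init() that anyone can call again to take over the owner role beside a version that can only be initialized once:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical vault, NOT DAO Maker's code: init() has no guard, so a second
// call after deployment overwrites owner and token with caller-chosen values.
contract VulnerableVault {
    address public owner;
    IERC20 public token;

    function init(address owner_, IERC20 token_) external {
        owner = owner_;
        token = token_;
    }

    // Whoever holds owner can drain the vault's entire token balance.
    function emergencyExit() external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(owner, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened version: a single-use initializer, so a repeat call reverts
// and the owner set at deployment cannot be replaced.
contract HardenedVault {
    address public owner;
    IERC20 public token;
    bool private initialized;

    function init(address owner_, IERC20 token_) external {
        require(!initialized, "already initialized");
        require(owner_ != address(0), "zero owner");
        initialized = true;
        owner = owner_;
        token = token_;
    }

    function emergencyExit() external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(owner, token.balanceOf(address(this))), "transfer failed");
    }
}
```

For contracts deployed behind a proxy, OpenZeppelin's Initializable base with its initializer modifier provides the same guard; an audit checklist should confirm that every init-style function is either guarded this way or restricted to a deployer address.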
This is the second hack DAO Maker has suffered after its first exploit just last month that saw $7 million robbed from more than 5,000 addresses.
A DAO is a new type of entity that is ruled not by a central party but by open-source code making automated decisions based on the voting rights of the individuals working for the entity. In the eyes of the general public, this type of organization will become as closely associated with the cryptosphere as NFTs are today.