DAO Maker Vesting Hack - August 2021
The Initial Exploit (August 12, 2021)
On August 12, in the early hours (approximately 1 AM UTC), an attacker misused one of DAO Maker's wallets that held admin privileges. The admin's private key was used to grant the attacker's contract permission to withdraw funds from the exploited contract.
The attacker first tested the exploit by stealing 10,000 USDC, then made 15 more transactions, siphoning approximately $7 million before the security team traced, contained and stopped the drain of funds. A total of 5,251 users were affected, losing $1,250 on average per user.
The Vesting Contract Exploit (September 4, 2021)
A second, related exploit followed. On September 4, 2021, DAO Maker's vesting contract was exploited, resulting in a significant loss of funds. The attackers took advantage of a vulnerability in the vesting contract: its init function was unauthenticated, so anyone could call it to set key parameters and take ownership, and the new owner could then drain tokens through the emergencyExit function.
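The contrast below is an added illustration of the flaw class described above, not DAO Maker's code. The function names init and emergencyExit come from the account of the incident; the contract names VulnerableVesting and HardenedVesting, the owner and token state variables, the deployer check and the events are assumptions made for the example. The first contract shows why an initializer without a caller check and a one-shot guard is equivalent to an open ownership transfer; the second shows the minimal controls a reviewer would expect: the initializer is restricted to the deployer, can run only once, rejects a zero owner, and emits events that monitoring can alert on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface used by both contracts (assumed for the example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Flaw class from the incident: init has no access control and no "already
// initialized" guard, so any caller can (re)initialize the contract, become
// owner, and pass the onlyOwner check on emergencyExit.
contract VulnerableVesting {
    address public owner;
    IERC20 public token;

    function init(address _owner, IERC20 _token) external {
        owner = _owner;   // no authorization, no one-shot guard
        token = _token;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Ownership is the only gate on draining the contract's full balance.
    function emergencyExit(address to) external onlyOwner {
        token.transfer(to, token.balanceOf(address(this)));
    }
}

// Hardened form (assumed design, not the project's fix): initialization is
// restricted to the deployer, can happen exactly once, rejects a zero owner,
// and emits events so that ownership changes and exits are visible on-chain.
contract HardenedVesting {
    address public owner;
    IERC20 public token;
    address private immutable deployer;
    bool private initialized;

    event Initialized(address indexed owner, address indexed token);
    event EmergencyExit(address indexed caller, address indexed to, uint256 amount);

    constructor() {
        deployer = msg.sender;
    }

    function init(address _owner, IERC20 _token) external {
        require(msg.sender == deployer, "only deployer may init");
        require(!initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        require(address(_token) != address(0), "zero token");
        initialized = true;           // set before any external interaction
        owner = _owner;
        token = _token;
        emit Initialized(_owner, address(_token));
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function emergencyExit(address to) external onlyOwner {
        require(to != address(0), "zero recipient");
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(to, amount), "transfer failed");
        emit EmergencyExit(msg.sender, to, amount);
    }
}
```

The one-shot flag is the essential control: without it, even a correctly deployed contract can be re-initialized later. The Initialized and EmergencyExit events give a defender a concrete signal to watch; an Initialized event emitted long after deployment, or an EmergencyExit by an unexpected owner, is exactly the kind of sequence that should trigger an alert before the balance is gone.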
Recovery Efforts
The team airdropped 500 USDC to all affected users without delay, and most affected users were to be refunded 30-50% of their losses on August 19. However, investors later reported that the project's promise to redeem compensation tokens for their stated value was never honored.
Sources