SlowMist, which focuses on blockchain ecosystem security and has reportedly served Huobi, OKEx, Binance, imToken (nearly “a thousand commercial customers in total”), reveals that DAO Maker‘s vesting system was recently hacked.
SlowMist confirmed in an incident report that DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) “all use Dao Maker’s vesting system, and the DAO Maker vesting contract is attacked when the holder is issued (DERC) in DAO Maker , i.e. there is a vulnerability in the vesting system of DERC vesting contract participants: Init Initialization was unauthenticated, the attacker initialized the key parameters of init, and changed the owner at the same time, and then stole the token through emergencyExit and swap it into DAI.”
As noted by SlowMist, the attacker “finally made a profit of nearly $4 million.”
The blockchain security firm also mentioned that the hackers “took advantage of the vulnerability in the vesting contract to emergencyExit the tokens in the vesting contract.”
As mentioned in a report prepared by SlowMist, the following is a short analysis:
- Implementation of vesting contract contract 0xf17ca0e0f24a5fa27944275fa0cedec24fbf8ee2 “decompiled” get the following information:
- The init function in the vesting contract (function signature: 0x84304ad7) “does not authenticate the caller, and the hacker becomes the owner of the vesting contract by calling the init function.”
- The Owner can “call the emergencyExit function in the vesting contract to make emergency withdrawals.”
Related contract address:
Take DERC as an example:
Vesting agency contract:
0x2fd602ed1f8cb6deaba9bedd560ffe772eb85940
0xdd571023d95ff6ce5716bf112ccb752e86212167
Vesting implementation contract:
0xf17ca0e0f24a5fa27944275fa0cedec24fbf8ee2
Hacker address:
0x2708cace7b42302af26f1ab896111d87faeff92f
As noted by SlowMist:
“In the same way it attacked other vesting contracts, transferring the following tokens”:
DeRace Token (DERC): 0x9fa69536d1cda4a04cfb50688294de75b505a9ae
Coinspaid (CPD): 0x9b31bb425d8263fa1b8b9d090b83cf0c31665355
Capsule Coin (CAPS): 0x03be5c903c727ee2c8c4e9bc0acc860cca4715e2
Showcase Token (SHO): 0xcc0014ccb39f6e86b1be0f17859a783b6722722f
DAO Maker, which claims to be “the leader in governance tech, data-supported funding, and institutional onchain products,” noted on September 3, 2021 that first and foremost, “only the vested public sale tokens of (1) DeRace (2) Showcase (3) Ternoa (4) Coinspaid were affected.”
Other crypto tokens were unaffected, the DAO Maker team confirmed. They also mentioned that their claim portal is “audited by three companies.”
As mentioned in an update, dated September 3:
“Today, the contracts that had a claim portal with a 0% burn experienced an exploit. The tokens vested for SHO participants were stolen. The tokens and smart contracts of all affected projects are secure. The exploit took place in 4 of our claim portals.”
The update from DAO Maker further noted:
“Our Next Steps: In the short term as part of triaging the situation, we are ceasing all smart contract operations that involve the custody of customer and client assets. We are going to operate similar to Polkastarter and most other launchpads…. We will only offer the token launch, and not any form of staking, portal, or bridge. This removes the probability of any such event happening ever again. Our priority is both our community and our ecosystem projects. We take this step in their best interest. Only launches.”
They added:
“We are in the process of acquiring tokens on the market to (1) ensure SHO participants get tokens on future releases and (2) support the projects that were affected today. A side result of our ongoing buying to replenish the pending SHO releases of affected tokens is that their prices have mostly recovered to the pre-hack level.”
They concluded:
“Finally and above all:
- the affected projects remain fundamentally as strong as before
- there was no exploit in their token or contracts
- the tokens released were not minted, but instead public sale tokens (that would have entered the market at a later date regardless)”