$4 000 000 USD

SEPTEMBER 2021

GLOBAL

DAO MAKER

DESCRIPTION OF EVENTS

"Venture Capital Re-Created for the Masses - DAO Maker creates growth technologies and funding frameworks for startups, while simultaneously reducing risks for investors." "DAO Maker is a comprehensive suite of products shaped to cater to the growing needs of the crypto community and retail investors. The platform aims to be the go-to platform for retail venture investing and to improve the quality of millions of lives."


"We are pioneering organized decentralized ecosystems that efficiently leverage human capital with suitable value and benefits for blockchain & crypto projects and their community. The DAO Maker builds an ecosystem that enables any project’s community to effectively leverage their mutual resources for the betterment of their token. Each community member's project-enhancing actions are rewarded based on the value-add assessed by the community of token holders. DAO Maker’s flagship is Social Mining, a system that offers the most advanced step into a DAO. Social mining allows a project’s community to become a thriving self-managed organization of active investors. Whenever a token holder makes actions that advance the success of the project, the community votes on the value he/she deserves for that action. Such a system combats the socioeconomic Free-Loader Problem."


"DAO Maker Token is the governance token of the DAO Maker Ecosystem built on Ethereum, allowing holders to govern the ecosystem. DAO Maker held a series of Dynamic Coin Offerings since late 2020, raising over 8 million USD. The DAO Maker Token aims to create a decentralized ecosystem, enabling a go-to platform for retail venture investing in equity and tokens." "Lock your DAO tokens or DAO-USDC Uniswap V2 liquidity pool tokens to earn rewards from Reward Pools, get ecosystem incentives, qualify for Sales allocations and participate in Governance."


"DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use DAO Maker’s vesting system." "The DAO Maker source code is not public." "Our claim portal is audited by THREE companies. Not one, but three different auditing companies." "DaoMaker claimed that they had audits from 3 firms but looking at learn.daomaker.com/audits, 2 of the audits seem to be for unrelated contracts while the third one from @certik_io points to a dead link."


"Today, the contracts that had a claim portal with a 0% burn experienced an exploit. The tokens vested for SHO participants were stolen." "The exploit took place in 4 of our claim portals." "[T]he vested public sale tokens of (1) DeRace (2) Showcase (3) Ternoa (4) Coinspaid were affected."


"DAOMaker’s init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each."


"Hackers took advantage of the vulnerability in the vesting contract to emergencyExit the tokens in the vesting contract." "The init function in the vesting contract (function signature: 0x84304ad7) does not authenticate the caller, and the hacker becomes the owner of the vesting contract by calling the init function." "The Owner can call the emergencyExit function in the vesting contract to make emergency withdrawals."


"After the exploit and swap routine, the attacker then made init() calls on two more contracts."


"Both contracts, however, had already been called by a new address, whose transaction history shows a series of init()-emergencyExit() calls, extracting millions of SHO, as well as ALPHR and LSS."


"The final four transactions in this address show the extracted tokens being returned, then an ownership transfer; maybe some belated whitehat behaviour, or the devs trying to save what was left."


"In the short term as part of triaging the situation, we are ceasing all smart contract operations that involve the custody of customer and client assets." "The tokens and smart contracts of all affected projects are secure."


"We will only offer the token launch, and not any form of staking, portal, or bridge." "This removes the probability of any such event happening ever again. Our priority is both our community and our ecosystem projects. We take this step in their best interest."


"Additionally, we are in the process of acquiring tokens on the market to (1) ensure SHO participants get tokens on future releases and (2) support the projects that were affected today." "A side result of our ongoing buying to replenish the pending SHO releases of affected tokens is that their prices have mostly recovered to the pre-hack level."


"[T]he affected projects remain fundamentally as strong as before! [T]here was no exploit in their token or contracts. [T]he tokens released were not minted, but instead public sale tokens (that would have entered the market at a later date regardless)."


"The prices of all tokens involved have recovered somewhat since the exploit, although not as much as claimed by DAO Maker."

DAO Maker ran a service that let other projects launch tokens and raise funds. The tokens sold to public sale participants sat in vesting smart contracts, which functioned as hot wallets, and the init() function of those contracts neither checked who was calling it nor whether it had already been run. An attacker therefore re-initialised four of the contracts with themselves as owner and then used the owner-only emergencyExit() function to withdraw the vested tokens. DAO Maker's response was to buy back the tokens on the open market to cover the pending releases.
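To make the mechanism concrete, here is an added illustration written for this page; it is not DAO Maker's code (their source is not public, as noted above). It shows a minimal vesting contract with an unguarded init() beside a hardened version, plus the call sequence an attacker would use against the vulnerable one. The names init, emergencyExit and owner, the parameters of init, and the overall contract layout are assumptions based on the descriptions quoted above; the real contracts' parameters are not known from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the flaw described on this page.
// DAO Maker's source is not public, so the function names, the init()
// parameters and the contract shape are assumptions, not their code.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// VULNERABLE: init() can be called by anyone, any number of times.
// Whoever calls it last becomes owner and can drain via emergencyExit().
contract VulnerableVesting {
    address public owner;
    IERC20 public token;

    function init(address _token, address _owner) external {
        // No "already initialized" guard and no check on msg.sender.
        token = IERC20(_token);
        owner = _owner;
    }

    function emergencyExit(address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// The attack as one transaction: re-initialise with ourselves as owner,
// then call the owner-only withdrawal.
contract Attacker {
    function drain(VulnerableVesting target, address token) external {
        target.init(token, address(this));   // become owner
        target.emergencyExit(msg.sender);    // withdraw everything held
    }
}

// HARDENED: init() runs at most once, and only for the address that
// deployed the contract. A second init() call reverts, so ownership
// (and with it emergencyExit) cannot be taken over after deployment.
contract HardenedVesting {
    address public owner;
    IERC20 public token;
    address private immutable deployer;
    bool private initialized;

    constructor() {
        deployer = msg.sender;
    }

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function init(address _token, address _owner) external initializer {
        require(msg.sender == deployer, "only deployer may init");
        require(_owner != address(0), "zero owner");
        token = IERC20(_token);
        owner = _owner;
    }

    function emergencyExit(address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}
```

The deployer check is one way to restrict who may initialise; the essential properties are that init() is one-shot and that it is executed before any untrusted party can reach it, ideally in the same transaction that deploys (or upgrades) the contract. Contracts that use an init() instead of a constructor usually do so because they sit behind a proxy, and in that setting the same two properties are what a well-known initializer pattern such as OpenZeppelin's Initializable enforces.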

HOW COULD THIS HAVE BEEN PREVENTED?

Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund. At the contract level, an initialiser must be callable only once and only by the deployer, so that re-initialisation cannot hand ownership, and with it emergencyExit(), to an arbitrary caller; and audit claims should be backed by published reports that refer to the exact contracts deployed, which the sources above could not confirm in this case.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.