$2 300 000 USD

OCTOBER 2022

GLOBAL

FRIES FUND DAO

DESCRIPTION OF EVENTS

"we're buying fast food places - a decentralized social experiment where a crypto community builds and governs a fast food franchise empire"

 

"what's friesDAO doing?
  • form a treasury - gather USDC contributions (on Ethereum) from community donors and distribute $FRIES governance tokens.
  • purchase franchises - negotiate with franchise owners and brands to buy well-known fast food stores using the friesDAO community treasury.
  • expand the empire - create a reproducible framework for community governance to influence store improvements or expansions.
  • shape the utility - participate in serious yet memeworthy discussions like prioritizing jobs for ourselves and getting NFT coupons for free food"

 

"FriesDAO raise closes with $5.4M! $FRIES claiming is expected to be this Tue/Wed.

 

As a Wyoming DAO LLC, a Notice of Intent to issue tokens is being filed this Monday.

 

An Operating Agreement has also been released, which recognizes all $FRIES holders as co-owners of the DAO."

 

"It has come to our attention that the refund deployer contract was exploited and managed to obtain FRIES tokens which were subsequently refunded for USDC and sold into the Uniswap pool. This is an ongoing investigation; exploiter is invited to contact us for dialogue."

 

"A post-mortem report will be released shortly, followed by a plan on how to move forward. We are still in the process of negotiating acquisitions, so a successful deal is still possible with the right plan. Also, contract exploits are currently patched."

 

"On October 27th, 5:58PM UTC, friesDAO contracts were exploited by an attacker taking control of our own deployer address through a Profanity attack vector. The hacker was able to drain the treasury of its USDC through the refund contract and drain the FRIES tokens in the staking contract, subsequently selling it all into the Uniswap pool. All transactions in the main attack with the refund contract were confirmed in the same block; then, three hours later, the attacker came back for the staking pool."

 

"This address was generated for KCHUP (0x51D35a4cfea3e5fb387e467d31cc0c87f6038a) to have a vanity address (51D35 = “SIDES”) using Profanity, a local multithreaded GPU vanity address miner that was considered safe at the time of generation. Profanity has options to generate a deployer address such that the first contract it deploys will have the address desired.

 

However, ownership of the contracts had not been transferred to a different address such as the multisig after deployment, in case any changes or bug fixes were needed, specifically due to the high risk of how the refund contract interacts with funds. Thus it was determined that it was safer to leave room for emergency changes, and that, considering our primary developer Slip was internally doxxed, any attempt at theft would immediately implicate the developer. In fact, the initial deployment of the refund contract had issues and had been redeployed to fix a calculation error."

 

"As time progressed and the contracts appeared to be working properly, the developer unfortunately forgot to transfer ownership of these contracts to the multisig and had assumed they were already transferred when in reality, the deployer address (0x6B20) still had full ownership and control over these contracts. Note that the deployer address’ private key never left MetaMask and was never exported in any external format, including to the developer himself.

 

It is possible that the way the attacker got the private key was first by guessing that the deployer address was a vanity address through implication of the vanity “SIDES” contract address for KCHUP.

 

Subsequently, the attacker brute-forced the private key using Profanity’s now-known vulnerabilities, which dramatically reduce the range of possible private keys due to flaws in generation and make it susceptible to even consumer-grade computing power."

 

"This is still an ongoing investigation and we invite members and the public to help investigate the on-chain analysis as well. Because we are a US entity, we have the obligation to file a report with the FBI’s IC3/cyber crimes unit for further assistance. Of course, we do also invite the hacker, if reading this, to anonymously return the funds to the multisig to mitigate our law enforcement efforts. We are also open to dialogue should you wish to reply to the friesDAO Twitter account (however, any funds should be returned directly to the multisig; anywhere else may be a scam)."

 

"It’s been a little under 2 months since the hack on FriesDAO took place, and things look grim for the future of the project. With there being around $60k left in the treasury, we think there should be a coordinated effort to re-raise funds for the treasury, and continue the original mission of opening a store - especially after we were so close before.

 

One of the original plans of the project was to launch an NFT collection that would have associated utility to any stores that were opened by FriesDAO. This started to be rolled out at the start, but the artwork and direction wasn’t well received and has since been placed on hold.

 

A group of community members (Sasha, Staggo, Williams, Marsyas – with oversight and under the advisement of SWO) have stepped forward to re-launch this initiative. With this initiative, Marsyas will work with Slip to help with transitioning files and resources as he moves into a more involved role with FriesDAO.

 

We are proposing to use $25,000 USDC from the remainder of the treasury to roll out a brand new NFT collection."

Fries Fund proposed to create a social experiment in which a DAO would purchase and govern multiple fast food franchises. Unfortunately, when setting up their smart contracts, they used a tool called Profanity to generate a vanity deployer address. It was believed that ownership of the contracts had subsequently been transferred to a multi-signature wallet; however, this was not actually the case, and the deployer address retained full control. An attacker was able to exploit Profanity's weak key generation to recover the private key of that deployer address. Once they gained access to the wallet, they drained all connected smart contracts. The project lost millions of dollars. Some in the community ran a proposal to attempt to raise more funds; however, this was ultimately not successful. The website of the project is presently offline and there do not appear to be any plans to relaunch it.
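The control whose omission is described above is a post-deployment ownership check: every privileged contract should answer owner() with the multisig, not the deployer key. The following is an added example (not code from the original page or from friesDAO) of such an audit; the contract, deployer and multisig addresses, the stored owners and the eth_call stand-in are all constructed placeholders.

```python
# Added example: audit Ownable contracts for ownership still held by the
# deployer EOA instead of the multisig. All addresses are constructed.
OWNER_SELECTOR = "0x8da5cb5b"  # keccak256("owner()")[:4], the standard Ownable getter

DEPLOYER = "0x" + "aa" * 20   # constructed stand-in for the vanity deployer address
MULTISIG = "0x" + "bb" * 20   # constructed stand-in for the DAO multisig
REFUND_CONTRACT = "0x" + "01" * 20
STAKING_CONTRACT = "0x" + "02" * 20

# Constructed on-chain state: the refund contract was never transferred.
CONSTRUCTED_STATE = {REFUND_CONTRACT: DEPLOYER, STAKING_CONTRACT: MULTISIG}


def build_owner_call(contract: str) -> dict:
    """JSON-RPC eth_call payload that reads owner() from `contract`."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": OWNER_SELECTOR}, "latest"]}


def decode_address(ret_hex: str) -> str:
    """owner() returns one 32-byte ABI word; the address is its low 20 bytes."""
    word = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    if len(word) != 64:
        raise ValueError("unexpected return length for owner()")
    return "0x" + word[-40:].lower()


def fake_rpc(payload: dict) -> str:
    """Stand-in for a node: return the stored owner as a left-padded ABI word."""
    to = payload["params"][0]["to"]
    return "0x" + CONSTRUCTED_STATE[to][2:].lower().rjust(64, "0")


def audit_ownership(contracts, rpc, deployer, multisig):
    """Return {contract: verdict}. `rpc` takes a payload dict and returns raw hex.
    Anything not owned by the multisig is flagged; the deployer case is loudest."""
    verdicts = {}
    for c in contracts:
        owner = decode_address(rpc(build_owner_call(c)))
        if owner == multisig.lower():
            verdicts[c] = "ok: multisig"
        elif owner == deployer.lower():
            verdicts[c] = "FAIL: still owned by deployer EOA"
        else:
            verdicts[c] = "WARN: unexpected owner " + owner
    return verdicts


def run_demo() -> dict:
    return audit_ownership([REFUND_CONTRACT, STAKING_CONTRACT], fake_rpc, DEPLOYER, MULTISIG)
```

Against a live chain, replace fake_rpc with a function that POSTs the payload to a node's JSON-RPC endpoint and returns the "result" field; run it as a release gate after deployment rather than relying on memory of having transferred ownership.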


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.