DAOSquare Treasury RICE Exploit Theft New Token Recovery
DAOSquare, a decentralized platform for launching and investing in Venture DAOs, suffered a security breach due to improper access controls in its smart contracts, allowing an attacker to withdraw RICE tokens without restriction. The exploit led to losses of approximately $88.1k, as reported by TenArmor. In response, DAOSquare launched a new token—the DAOSquare Governomy Token (RICE)—on Ethereum Mainnet and Base, redistributing tokens to affected holders based on a pre-attack snapshot. While most distributions have been completed, recovery efforts are still ongoing, with some users on Gate CEX and Loopring awaiting resolution.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About DAOSquare
DAOSquare Incubator offers a decentralized platform for creating and investing in Venture DAOs, aiming to make venture capital more accessible and trustless. The platform provides users with easy-to-use tools that allow them to launch their own DAOs or invest in others as effortlessly as online shopping. Its core mission is to democratize investment opportunities and reduce global financial inequality by leveraging blockchain technology.
The platform is designed around several crypto-native features, including automated fund operations, escrow services, vesting schedules, and NFT receipts. These features ensure investments are executed securely and transparently using smart contracts. Investors can choose from three operational modes—Vintage, Collective, and Flex—each catering to different investment styles, levels of decision-making involvement, and fund structures, such as blind pools or deal-by-deal setups.
Vintage DAOs function similarly to traditional VC funds with designated governors managing investments, while Collective DAOs take a collaborative approach where all members decide together. Flex DAOs allow members to individually choose which deals to participate in. This versatility, combined with DAOSquare’s robust infrastructure, positions the platform as a comprehensive ecosystem for decentralized venture capital innovation.
About DAOSquare Treasury Address
The victim address was one of DAOSquare's treasuries, located at 0xcfe0de4a50c80b434092f87e106dfa40b71a5563. This address was created on March 13th.
The Reality
Unfortunately, the smart contract appears to lack proper access control, which allowed some RICE tokens to be taken.
What Happened
DAOSquare suffered an $88.1k exploit due to smart contract vulnerabilities.
| Date | Event | Description |
|---|---|---|
| March 12th, 2025 11:33:51 PM MDT | DaoSquare Treasury Created | The DaoSquare treasury Base wallet is first created and loaded with funds. |
| May 24th, 2025 9:42:19 AM MDT | Rice Token Attack Transaction | The attack transaction against the Rice token is accepted by the Base blockchain. |
| May 24th, 2025 8:13:00 PM MDT | TenArmor Posts About Exploit | TenArmor reported a suspicious attack involving the RICE token and an unverified contract at address 0xcfe0 on the Base network, resulting in an estimated loss of $88.1K. The vulnerability stems from the `registerProtocol()` and `setMasterContractApproval()` functions in the victim contract, which lacked proper access control, allowing unauthorized users to withdraw RICE tokens from the contract. |
| June 4th, 2025 8:27:00 AM MDT | DaoSquare Post About Attack | DaoSquare posts an extensive post about the attack and their plans forward. |
| June 4th, 2025 8:37:00 AM MDT | Attacker Repeat Offender | The attacker is described as a seasoned repeat offender by DaoSquare founder Typto, and it is announced that the community will relaunch stronger. |
| June 23rd, 2025 7:03:00 AM MDT | New Rice Token Deployment | DaoSquare posts about their new token deployment, which is a key step in the relaunch plan for the project. |
| June 26th, 2025 7:00:00 AM MDT | Restarting RICE Community Distribution | The DAOSquare community announces that RICE distributions have now restarted. |
Technical Details
The exploit occurred because the victim contract’s `registerProtocol()` and `setMasterContractApproval()` functions lacked proper access control, allowing anyone to call these functions and authorize malicious contracts or addresses to withdraw RICE tokens without restriction.
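The access-control gap described above, shown as an added example beside its guarded form; this is not the DAOSquare contract, whose source is unverified. The contract name `ApprovalVault`, the function signatures, the storage layout and the owner-managed allowlist are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical, simplified vault. NOT the DAOSquare contract, whose source is unverified.
contract ApprovalVault {
    address public immutable owner;
    mapping(address => bool) public registeredProtocol;               // protocol => vetted by owner
    mapping(address => mapping(address => bool)) public approved;     // user => protocol => allowed
    mapping(address => mapping(address => uint256)) public balanceOf; // token => user => amount

    error NotOwner();
    error NotRegistered();
    error NotApproved();

    constructor() { owner = msg.sender; }

    // Flawed shape (no caller check): any address can enrol itself as a protocol.
    //   function registerProtocol(address p) external { registeredProtocol[p] = true; }
    function registerProtocol(address protocol) external {
        if (msg.sender != owner) revert NotOwner();   // the missing access control
        registeredProtocol[protocol] = true;
    }

    // Flawed shape: the approval is written for a caller-supplied `user`.
    //   function setMasterContractApproval(address user, address p, bool ok) external { approved[user][p] = ok; }
    function setMasterContractApproval(address protocol, bool ok) external {
        if (!registeredProtocol[protocol]) revert NotRegistered();
        approved[msg.sender][protocol] = ok;          // a caller can only approve for itself
    }

    function deposit(IERC20 token, uint256 amount) external {
        balanceOf[address(token)][msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Funds move only for their owner, or for a vetted protocol that owner approved.
    function withdraw(IERC20 token, address from, address to, uint256 amount) external {
        bool delegated = registeredProtocol[msg.sender] && approved[from][msg.sender];
        if (msg.sender != from && !delegated) revert NotApproved();
        balanceOf[address(token)][from] -= amount;    // reverts on underflow (Solidity >= 0.8)
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

When reviewing a contract of this shape, check that every function writing to the registration or approval mappings derives the affected account from `msg.sender` or a verified signature, never from an unchecked argument.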
Total Amount Lost
Losses were reported as $88.1k by TenArmor.
The total amount lost has been estimated at $88,000 USD.
Immediate Reactions
It is unclear who is behind this token. The incident was reported on by TenArmor.
Ultimate Outcome
DAOSquare launched a new token, the DAOSquare Governomy Token (RICE), on both the Ethereum Mainnet and Base networks, following a previous attack on the original RICE token. Tokens have been redistributed to holders based on a snapshot taken before the attack.
Total Amount Recovered
There is no indication that any funds have been recovered in this case.
Ongoing Developments
Investigation and community recovery appear to be ongoing. The Gate CEX Holders and Loopring Holders still have solutions pending.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. TenArmor - "Our system has detected a suspicious attack involving #RICE token and an unverified contract 0xcfe0 on #BASE, resulting in an approximately loss of $88.1K." - Twitter/X (Accessed Jul 31, 2025)
2. Rice Attack Transaction - BSCScan (Accessed Jul 31, 2025)
3. DaoSquare - "On May 25, 2025, one of DAOSquare's treasuries was attacked, resulting in 22,189,176.505973791717313474 RICE tokens being maliciously dumped into the market." - Twitter/X (Accessed Jul 31, 2025)
4. Typto DaoSquare - "The attacker [0x2a49c6FD18BD111d51C4ffFA6559bE1d950B8Eff] is a seasoned repeat offender. While $80,000 in illicit profits may mean little to you, you have brought devastating harm to DAOSquare. Yet we will not fall—we will emerge stronger." - Twitter/X (Accessed Jul 31, 2025)
5. DaoSquare - "We have deployed DAOSquare's new token—DAOSquare Governomy Token (RICE)—on Ethereum Mainnet and Base. We have also distributed these tokens to all RICE holders according to the snapshot before the RICE attack." - Twitter/X (Accessed Jul 31, 2025)
6. DaoSquare - "Following the attack on $RICE, we have been dedicated to reconstruction efforts. We are now pleased to announce the restart of the RICE community distribution." - Twitter/X (Accessed Jul 31, 2025)
7. The Victim Smart Contract - Basescan (Accessed Jul 31, 2025)
8. The creation of the victim smart contract. (Accessed Jul 31, 2025)
9. DAOSquare Homepage (Accessed Jul 31, 2025)
10. DaoSquare - "Big News from DAOSquare Incubator! We’ve just launched 3 innovative DAOs, each with a unique approach to onchain ventures." - Twitter/X (Accessed Jul 31, 2025)
11. DaoSquare Twitter/X Profile (Accessed Jul 31, 2025)
12. Typto (DaoSquare Founder) Twitter/X Profile (Accessed Jul 31, 2025)
13. Protocol Contract Graph - DaoSquare (Accessed Jul 31, 2025)