Build Finance Malicious Governance Takeover
Build Finance operated a decentralized autonomous venture builder, launching new projects using funds from a treasury overseen by a decentralized governance model. Once a malicious actor had gained enough BUILD tokens, they disabled the bots that notified users of new proposals, passed a proposal that gave them control of the token contract, and used it to mint themselves more tokens and drain the treasury. All tokens were then sold into whatever liquidity pairs were available. The project was unable to regain control of the smart contract, and the website is presently offline because the domain expired.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10]
About Build Finance
"There are so many ideas in DeFi that desperately need to get built, yet nobody is working on them. Why isn’t there a DAO which actively incentivizes the development of new projects by rewarding builders with tokens? This is our attempt to start it. BUILD Finance is a decentralized venture builder."
"According to Google, venture builders are organizations dedicated to systematically producing new companies, which they help grow and succeed. There are five core activities in which venture builders engage: identifying business ideas, building teams, finding capital, helping govern or manage the ventures and providing shared services."
"BUILD Finance is a decentralised autonomous venture builder, owned and controlled by the community. BUILD Finance produces, funds, and manages community-owned DeFi products." "BUILD produces, funds, and manages decentralised solutions on Ethereum."
"BUILD operates a shared capabilities model, where the DAO provides the backbone support and ensures inter-entity synergies so that the product entities can focus on their own outcomes. Each product accrues value for the DAO and $BUILD holders."
"BUILD takes care of all organisational, hiring, back/mid office functions, and the product companies focus on what they can do best, until such time where any individual product outgrows the DAO and becomes fully self-sustainable. At that point, the chick is strong enough to leave the nest and live its own life. The survival of the fittest. No product entity is held within DAO by force."
"$BUILD token is used as a governance token for the DAO. It also represents a pro-rata claim of ownership on all DAO’s assets and liabilities (e.g. BUILD Treasury and $bCRED debt token)."
"Only provide liquidity on $BUILD if you believe in the project. As of today, the token has literally zero monetary value. The only way $BUILD can gain value is if we, as a community, start building projects around it."
"The token was distributed via liquidity mining with no pre-sale and zero founder/private allocation. The farming event lasted for 7 days around mid-Sep 2020. At the time, BUILD didn't have any products and held no value. Arguably, $BUILD has still zero value as it is not a legal instrument and does not guarantee or promise any returns to anyone."
The Reality
TBD
What Happened
The Build Finance DAO suffered a hostile governance takeover[10]: a malicious actor put forward a proposal to take control of the Build Finance token contract and succeeded in passing it.
| Date | Event | Description |
|---|---|---|
| February 12th, 2022 1:09:00 PM MST | Main Event | A malicious actor who had accumulated a large supply of BUILD tokens, and had disabled the bots that announced new proposals, passed a governance proposal granting them control of the BUILD token contract (block height 14175830). They then minted 1,107,600 BUILD in three transactions, drained the Balancer and Uniswap liquidity pools, took the 130k METRIC tokens held in the treasury, and sold everything into the available liquidity. |
| February 14th, 2022 11:46:03 AM MST | The Block Article | The Block reports that Build Finance DAO has experienced a "hostile governance takeover," resulting in a loss of approximately $470,000. An unknown individual used a large supply of tokens to pass a proposal, granting them full control over the DAO's treasury and token minting abilities. The attacker now has control over the governance contract, minting keys, and treasury, while the DAO has lost control over its key infrastructure. The attacker used their control to create new tokens, drain liquidity pools on decentralized exchanges, and make away with around $470,000 worth of funds, which they sent to a mixing service on the Ethereum blockchain. Build Finance's core team is now seeking ways to move forward, but it is challenging without a liquid treasury. Attempts to engage in dialogue with the perpetrator for restitution have been unsuccessful[10]. |
Technical Details
An unknown individual used a large supply of tokens to pass a proposal, granting them full control over the DAO's treasury and token minting abilities[10]. The attacker gained control over the governance contract, minting keys, and treasury, and the DAO lost control over its key infrastructure.
Build Finance was a decentralized venture builder that incentivized new projects by rewarding them with tokens. Despite some dissatisfaction among community members over a lack of updates, the project still held a significant amount of funds in its treasury. The attacker used their control to mint new tokens, drain liquidity pools on decentralized exchanges, and make off with around $470,000 worth of funds, which they sent to a mixing service on the Ethereum blockchain. Build Finance's core team is seeking ways to move forward, but this is challenging without a liquid treasury. Attempts to engage in dialogue with the perpetrator for restitution have been unsuccessful.
"The attacker succeeded in the takeover by having a large enough vote in favour of the proposal and there were not enough countervotes to prevent the takeover from happening." "The malicious actors successfully controlled the Build token contract by getting enough votes, minting 1,107,600 BUILD tokens in three transactions." "The proposal passed because no alert was issued on Discord that a new proposal had been made, The Block reported." "Thanks to their move to disable bots that would have alerted the community to the new proposal, it eventually passed."
"Suho.eth transferred tokens to 0x…2c28 and attempted a malicious takeover which succeeded at block height 14175830." "0x…2c28 minted 1,107,600 BUILD in three transactions (14182042, 48, and 54) and drained the majority of the funds in the liquidity pools on Balancer and Uniswap." "0x…2c28 then took control of the balancer pools via the governance contract and drained the remaining funds including 130k METRIC tokens."
"Both METRIC liquidity pools on Uniswap and Fantom were then subject to [intense] sell pressure as the attacker sold all 130k METRIC tokens into the available liquidity." "0x…2c28 then minted 1,000,000,000 BUILD at block height 14188763." "The attacker proceeded to sell BUILD tokens into whatever available liquidity was present; this situation is ongoing although activity appears to have abated as per 14:00h on 13th February 2022." "The wallet where the drained funds went appears to have gone silent two days ago after sending 163 ETH to Tornado Cash, a service that lets users obscure Ethereum transactions."
Total Amount Lost
The Block estimated losses at $470,000 USD[10].
The total amount lost has been estimated at $490,000 USD.
Immediate Reactions
"The Build Finance DAO has been the target of a hostile governance takeover in which a malicious actor has put forward and succeeded with a proposal to take control of the Build token contract." "Unfortunately @finance_build has been subject to a hostile governance takeover. A malicious actor has minted 1.1M $BUILD tokens and has drained the project liquidity pools."
"The venture capital DAO organization Build Finance tweeted that the project suffered a malicious governance takeover."
"With most of the funds in Balancer and Uniswap liquidity pools exhausted, attackers continue to take control of the balancer pools via governance contracts and drain the remaining funds including 130,000 METRIC tokens. METRIC liquidity on Uniswap and Fantom: both pools subsequently came under intense selling pressure."
"As a byproduct of the DAO structure the attacker was able to gain access to 130,000 METRIC tokens that were contained within the BUILD DAO treasury, all of these tokens were sold into the market using whatever liquidity was available." "This extreme supply shock has caused a large fall in the spot price of the METRIC token. However, the attacker does not have control of any parts of the METRIC token or the http://metric.exchange infrastructure."
"The team does not believe the attacker has the ability to cause any further disruption to METRIC, and it should be safe to trade METRIC tokens again with the following caveat: the supply shock has still caused a large change in the distribution of METRIC token and it is still possible that a percentage of these tokens may be under control of heretofore unidentified bad actors. However we do not believe there is any outstanding systemic risk to METRIC token or http://metric.exchange."
"The attacker was able to access funds in this way due to the structure of the Build DAO governance model. It is believed that the attacker took extra steps to stop evidence of their activities by way of disabling the gitbooks and the proposal bot."
"It is with deep regret that we have to inform the community of this total and irrecoverable loss of BUILD DAO treasury assets through the deeds of one malicious actor." "Team members have made direct contact with the attacker but there seems to be no appetite for a dialogue, much less any reparations."
"As it stands, attackers have full control over governance contracts, minting keys, and treasuries, and the DAO no longer controls any part of critical infrastructure." "As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure. Do not buy BUILD tokens on any platform."
Ultimate Outcome
"We would welcome a discussion in the discord with community members about the way to move forward from this but it is difficult to see a future for BUILD with only its brand recognition and IP assets, and no liquid treasury." "However we do believe that due to the lack of severe impact on the core infrastructure of http://metric.exchange, the Metric protocol and METRIC token can continue to operate and develop independent of the BUILD DAO."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
The Build Finance smart contract was not adequately protected, due to the reliance on a complex decentralized governance model for protection of the treasury. The system depended entirely on the active participation of the community, which failed. Better security of the decentralized governance algorithms could be accomplished through participation thresholds or longer delays in implementation. It is likely that additional smart contract review would have improved the security and resiliency of the governance protocol and prevented the situation.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Users can limit potential losses by storing most funds offline in a wallet not connected to any smart contracts.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The Build Finance smart contract was not adequately protected, due to the reliance on a complex decentralized governance model for protection of the treasury. The system depended entirely on the active participation of the community, which failed. Better security of the decentralized governance algorithms could be accomplished through participation thresholds or longer delays in implementation. It is likely that additional smart contract review would have improved the security and resiliency of the governance protocol and prevented the situation.
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
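The controls recommended above (a participation threshold, a delay before execution, and a multi-signature veto over critical functions) as an added worked model in Python; this is not Build Finance's contract code, and the total supply, attacker balance, guardian names and block counts are all constructed assumptions (40,320 blocks is roughly seven days at ~15 s per block).

```python
# Added example (not Build Finance code): minimal model of a token-weighted vote with
# a quorum, a timelock and a guardian multisig veto. All figures are constructed.
from dataclasses import dataclass, field

@dataclass
class GovernanceConfig:
    quorum_fraction: float   # share of total supply that must vote at all
    timelock_blocks: int     # blocks between passing and execution
    veto_threshold: int      # guardian signatures needed to cancel a queued proposal

@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    votes_against: int = 0
    vetoes: set = field(default_factory=set)   # guardian ids that signed a veto

def proposal_state(p, cfg, total_supply, now_block):
    """Classify a proposal as defeated, cancelled, queued or executable."""
    participation = (p.votes_for + p.votes_against) / total_supply
    if participation < cfg.quorum_fraction or p.votes_for <= p.votes_against:
        return "defeated"
    if len(p.vetoes) >= cfg.veto_threshold:
        return "cancelled"
    if now_block < p.created_block + cfg.timelock_blocks:
        return "queued"        # visible on-chain; time for alerts and counter-votes
    return "executable"

def simulate(cfg, total_supply, attacker_votes, guardian_vetoes, blocks_elapsed):
    """Takeover scenario from the page: one large holder votes, nobody else does."""
    p = Proposal(created_block=1000, votes_for=attacker_votes)
    # Guardians can only act while the proposal is pending in the timelock.
    if proposal_state(p, cfg, total_supply, 1000) == "queued":
        p.vetoes.update(guardian_vetoes)
    return proposal_state(p, cfg, total_supply, 1000 + blocks_elapsed)

# Constructed figures: 10M total supply, attacker holds 1.2M (12%).
SUPPLY, ATTACKER = 10_000_000, 1_200_000
WEAK = GovernanceConfig(quorum_fraction=0.0, timelock_blocks=0, veto_threshold=99)
HARDENED = GovernanceConfig(quorum_fraction=0.2, timelock_blocks=40_320, veto_threshold=3)

def weak_outcome():
    # No quorum, no delay: the lone vote passes and is executable in the same block.
    return simulate(WEAK, SUPPLY, ATTACKER, set(), blocks_elapsed=0)

def hardened_quorum_outcome():
    # 12% participation is below the 20% threshold: defeated even with no counter-votes.
    return simulate(HARDENED, SUPPLY, ATTACKER, set(), blocks_elapsed=40_320)

def hardened_veto_outcome():
    # Attacker clears quorum with 30%, but the timelock lets three guardians cancel it.
    return simulate(HARDENED, SUPPLY, 3_000_000, {"g1", "g2", "g3"}, blocks_elapsed=40_320)

def hardened_delay_outcome():
    # Quorum met, no veto yet: still queued about a day (~6,400 blocks) after passing.
    return simulate(HARDENED, SUPPLY, 3_000_000, set(), blocks_elapsed=6_400)

if __name__ == "__main__":
    for fn in (weak_outcome, hardened_quorum_outcome, hardened_veto_outcome, hardened_delay_outcome):
        print(f"{fn.__name__:24s} -> {fn()}")
```

A quorum alone does not stop a holder whose balance already exceeds the threshold; the timelock is what buys time, and it only helps if pending proposals are watched directly on-chain rather than through a single announcement bot that the proposer can disable.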
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
The Build Finance smart contract was not adequately protected, due to the reliance on a complex decentralized governance model for protection of the treasury. The system depended entirely on the active participation of the community, which failed. Better security of the decentralized governance algorithms could be accomplished through participation thresholds or longer delays in implementation. It is likely that additional smart contract review would have improved the security and resiliency of the governance protocol and prevented the situation.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- [2] https://web.archive.org/web/20210217011742/https://docs.build.finance/build-knowledge-base/ (Mar 11, 2022)
- [3] Announcing Build Finance (Mar 11, 2022)
- [4] Morioh (Mar 11, 2022)
- [5] BUILD Finance price, BUILD chart, and market cap | CoinGecko (Mar 11, 2022)
- [6] @finance_build Twitter (Mar 11, 2022)
- [7] https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21, 2021)
- [8] @finance_build Twitter (Mar 11, 2022)
- [9] Democratic DAO Suffers Coup, New Leader Steals Everything (Mar 11, 2022)
- [10] Build Finance DAO suffers 'hostile governance takeover,' loses $470,000 - The Block (Mar 11, 2022)
- [11] BUILD Finance Homepage Archive October 27th, 2021 6:55:27 PM MDT (Mar 11, 2022)