DAO Maker Insufficient Authentication

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

DAO Maker

DAO Maker ran a service that enabled other projects to launch coins and gain funding. All the token funds were stored in smart contract hot wallets, and the team decided that they did not need to check who was calling the init function. An attacker initialized several of these wallets for themselves and then withdrew the funds that this ownership gave them access to. DAO Maker's strategy afterwards appears to have been to repurchase the tokens on the open market.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About DAO Maker

"Venture Capital Re-Created for the Masses - DAO Maker creates growth technologies and funding frameworks for startups, while simultaneously reducing risks for investors." "DAO Maker is a comprehensive suite of products shaped to cater to the growing needs of the crypto community and retail investors. The platform aims to be the go-to platform for retail venture investing and to improve the quality of millions of lives."

"We are pioneering organized decentralized ecosystems that efficiently leverage human capital with suitable value and benefits for blockchain & crypto projects and their community. The DAO Maker builds an ecosystem that enables any project’s community to effectively leverage their mutual resources for the betterment of their token. Each community member's project-enhancing actions are rewarded based on the value-add assessed by the community of token holders. DAO Maker’s flagship is Social Mining, a system that offers the most advanced stem into a DAO. Social mining allows a project’s community to become a thriving self-managed organization of active investors. Whenever a token holder makes actions that advance the success of the project, the community votes on the value he/she deserves for that action. Such a system combats the socioeconomic Free-Loader Problem."

"DAO Maker Token is the governance token of the DAO Maker Ecosystem built on Ethereum, allowing holders to govern the ecosystem. DAO Maker held a series of Dynamic Coin Offerings since late 2020, raising over 8 million USD. The DAO Maker Token aims to create a decentralized ecosystem, enabling a go-to platform for retail venture investing in equity and tokens." "Lock your DAO tokens or DAO- USDC Uniswap V2 liquidity pool tokens to earn rewards from Reward Pools, get ecosystem incentives, qualify for Sales allocations and participate in Governance."

"DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use Dao Maker’s vesting system." "The DAO Maker source code is not public." "Our claim portal is audited by THREE companies. Not one, but three different auditing companies." "DaoMaker claimed that they had audits from 3 firms but looking at learn.daomaker.com/audits, 2 of the audits seem to be for unrelated contracts while the third one from @certik_io points to a dead link."

"Today, the contracts that had a claim portal with a 0% burn experienced an exploit. The tokens vested for SHO participants were stolen." "The exploit took place in 4 of our claim portals." "[T]he vested public sale tokens of (1) DeRace (2) Showcase (3) Ternoa (4) Coinspaid were affected."

"DAOMaker’s init() function was left vulnerable, allowing the attacker to reinitialise 4 token contracts with malicious data. Then, the emergencyExit() function was used to withdraw the funds from each."

"Hackers took advantage of the vulnerability in the vesting contract to emergencyExit the tokens in the vesting contract." "The init function in the vesting contract (function signature: 0x84304ad7) does not authenticate the caller, and the hacker becomes the owner of the vesting contract by calling the init function." "The Owner can call the emergencyExit function in the vesting contract to make emergency withdrawals."
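The two quotes above describe the whole failure: an init function with no caller check that can be invoked on an already-funded contract, and an emergencyExit that trusts whoever the owner slot names. The Solidity below is an added illustration written for this page, not DAO Maker's code (which the page notes is not public). The contract and interface names, the `init(address)` parameter list and the treasury logic are assumptions; only the function names init and emergencyExit come from the page. Because the real parameter list is not given here, this `init` would have a different selector from the 0x84304ad7 quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface a vesting contract needs (hypothetical interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern, reconstructed for illustration only. init() neither
// checks msg.sender nor records that it has already run, so any caller can
// overwrite the owner of a funded contract and then drain it via emergencyExit().
contract VestingVulnerable {
    address public owner;
    IERC20 public token;

    function init(address _token) external {
        // Missing: "already initialised" guard and caller authentication.
        owner = msg.sender;
        token = IERC20(_token);
    }

    function emergencyExit() external {
        require(msg.sender == owner, "not owner");
        token.transfer(owner, token.balanceOf(address(this)));
    }
}

// HARDENED version: initialisation runs exactly once and only for the
// deployer, and emergencyExit() pays out to a treasury fixed at deployment,
// so taking over the owner slot would no longer redirect the funds.
contract VestingHardened {
    address public owner;
    address public immutable deployer;
    address public immutable treasury;
    IERC20 public token;
    bool private initialized;

    event Initialized(address indexed by, address indexed token);
    event EmergencyExit(address indexed by, uint256 amount);

    constructor(address _treasury) {
        require(_treasury != address(0), "zero treasury");
        deployer = msg.sender;
        treasury = _treasury;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function init(address _token) external {
        require(!initialized, "already initialized");   // one-shot guard
        require(msg.sender == deployer, "not deployer"); // authenticated caller
        require(_token != address(0), "zero token");
        initialized = true;
        owner = msg.sender;
        token = IERC20(_token);
        emit Initialized(msg.sender, _token);
    }

    function emergencyExit() external onlyOwner {
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(treasury, amount), "transfer failed");
        emit EmergencyExit(msg.sender, amount);
    }
}
```

Two design points matter for review. First, an `initialized` flag (or a constructor, when the contract is not deployed behind a proxy) is what stops a second init() call after funds have arrived; the caller check alone would not help if the legitimate deployer had never called init(). Second, the emitted events give a monitor something to alert on: an Initialized event appearing on a contract that already holds a balance, or an EmergencyExit event at all, is exactly the sequence the later quotes on this page describe.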

"After the exploit and swap routine, the attacker then made init() calls on two more contracts."

"Both contracts, however, had already been called by a new address, whose transaction history shows a series of init()-emergencyExit() calls, extracting millions of SHO, as well as ALPHR and LSS."

"The final four transactions in this address show the extracted tokens being returned, then an ownership transfer; maybe some belated whitehat behaviour, or the devs trying to save what was left."

"In the short term as part of triaging the situation, we are ceasing all smart contract operations that involve the custody of customer and client assets." "The tokens and smart contracts of all affected projects are secure."

"We will only offer the token launch, and not any form of staking, portal, or bridge." "This removes the probability of any such event happening ever again. Our priority is both our community and our ecosystem projects. We take this step in their best interest."

"Additionally, we are in the process of acquiring tokens on the market to (1) ensure SHO participants get tokens on future releases and (2) support the projects that were affected today." "A side result of our ongoing buying to replenish the pending SHO releases of affected tokens is that their prices have mostly recovered to the pre-hack level."

"[T]he affected projects remain fundamentally as strong as before! [T]here was no exploit in their token or contracts. [T]he tokens released were not minted, but instead public sale tokens (that would have entered the market at a later date regardless)."

"The prices of all tokens involved have recovered somewhat since the exploit, although not as much as claimed by DAO Maker."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - DAO Maker Insufficient Authentication

Date | Event | Description
September 3rd, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $4,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References