Dao Maker Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Dao Maker

DAO Maker offers a comprehensive suite of DeFi products. One of the platform's admin keys was compromised and used to steal user funds held in the platform's contracts.

Ultimately, the team came up with a recovery plan for all affected users, and also restructured the smart contracts so that no user funds remained under the team's custody, removing the centralized target that the admin key had controlled.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About Dao Maker

"Venture Capital Re-Created for the Masses - DAO Maker creates growth technologies and funding frameworks for startups, while simultaneously reducing risks for investors." "DAO Maker is a comprehensive suite of products shaped to cater to the growing needs of the crypto community and retail investors. The platform aims to be the go-to platform for retail venture investing and to improve the quality of millions of lives."

"We are pioneering organized decentralized ecosystems that efficiently leverage human capital with suitable value and benefits for blockchain & crypto projects and their community. The DAO Maker builds an ecosystem that enables any project’s community to effectively leverage their mutual resources for the betterment of their token. Each community member's project-enhancing actions are rewarded based on the value-add assessed by the community of token holders. DAO Maker’s flagship is Social Mining, a system that offers the most advanced stem into a DAO. Social mining allows a project’s community to become a thriving self-managed organization of active investors. Whenever a token holder makes actions that advance the success of the project, the community votes on the value he/she deserves for that action. Such a system combats the socioeconomic Free-Loader Problem."

"DAO Maker Token is the governance token of the DAO Maker Ecosystem built on Ethereum, allowing holders to govern the ecosystem. DAO Maker held a series of Dynamic Coin Offerings since late 2020, raising over 8 million USD. The DAO Maker Token aims to create a decentralized ecosystem, enabling a go-to platform for retail venture investing in equity and tokens." "Lock your DAO tokens or DAO- USDC Uniswap V2 liquidity pool tokens to earn rewards from Reward Pools, get ecosystem incentives, qualify for Sales allocations and participate in Governance."

"The SHO contract has always been a hotspot for potential risk, as it was used for every single SHO. This is the precise reason why DAO Maker put in place certain contingencies, such as capping the maximum individual deposit amount to $10,000 USDC." "The Vault contracts themselves are standard farm contracts and were successfully audited by 4 different firms."

"Regretfully, we must announce that in the early hours of August 12th (approx. 1 AM UTC) DAO Maker faced malicious use of one of our wallets with access to admin privileges." "The admin's private key was used to grant the attacker's contract permission to withdraw funds from the exploited contract." "The cybercriminal, after tentatively testing this exploit and managing to steal 10,000 USDC, then proceeded to quietly make 15 more transactions. In this manner, the hacker was able to siphon approximately $7M, until our security team was able to trace, contain and stop the drain of funds. A total of 5251 users were affected, losing $1250 USD on average per user."

The exploit transaction: "0x054e sends a transaction to grant the admin role to 0x0eba of the wallet (0x41b8). Then 0x0eba grants the “DAO contracts” role to 0x1c93. At last, the 0x1c93 (XXX) invokes the function withdrawFromUser to transfer the money to the XXX contract. Interestingly, the victim 0x41b8 is created by 0x054e. In summary, 0x054e creates the victim 0x41b8 wallet. Then 0x054e grants the admin role to 0x0eba, who further grants the “DAO Contracts” role to 0x1c93. At last 0x1c93 withdraws the money from the victim."
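The privilege chain quoted above (a fresh admin grant, then a fresh "DAO contracts" grant, then withdrawFromUser within a few blocks) is the kind of pattern a platform can alert on from its own role-grant events. The following is an added detection example, not code from DAO Maker or from this wiki; the role names, block numbers, amounts, the benign baseline entry and the Event/Alert shapes are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

ADMIN_ROLE = "DEFAULT_ADMIN_ROLE"      # assumed: OpenZeppelin-style admin role name
DAO_CONTRACTS_ROLE = "DAO_CONTRACTS"   # assumed name for the "DAO contracts" role

@dataclass(frozen=True)
class Event:
    block: int
    kind: str        # "RoleGranted" or "withdrawFromUser"
    sender: str      # transaction sender: the granter, or the withdrawing contract
    account: str     # grantee for RoleGranted; victim wallet for withdrawFromUser
    role: str = ""   # only for RoleGranted
    amount: int = 0  # only for withdrawFromUser (constructed USDC amounts)

# granters lists who handed out the rights, nearest grant first
Alert = namedtuple("Alert", "block caller victim amount granters")

# Constructed sample log mirroring the chain in the write-up (addresses truncated as there).
SAMPLE_EVENTS = [
    Event(1000, "RoleGranted", "0x054e", "0x0eba", role=ADMIN_ROLE),
    Event(1001, "RoleGranted", "0x0eba", "0x1c93", role=DAO_CONTRACTS_ROLE),
    Event(1002, "withdrawFromUser", "0x1c93", "0x41b8", amount=10_000),
    Event(1005, "withdrawFromUser", "0x1c93", "0x41b8", amount=450_000),
    # Constructed benign baseline: a role granted long before use is not flagged.
    Event(1, "RoleGranted", "0x054e", "0xaaaa", role=DAO_CONTRACTS_ROLE),
    Event(5000, "withdrawFromUser", "0xaaaa", "0x41b8", amount=100),
]

def find_privilege_chains(events, window=50):
    """Flag withdrawFromUser calls whose caller received its role (and whose
    granter received admin) within `window` blocks of the withdrawal."""
    latest_grant = {}   # (role, account) -> most recent RoleGranted event
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "RoleGranted":
            latest_grant[(ev.role, ev.account)] = ev
            continue
        chain, seen = [], set()   # seen guards against self-grant loops
        grant = latest_grant.get((DAO_CONTRACTS_ROLE, ev.sender))
        while grant is not None and ev.block - grant.block <= window and grant.sender not in seen:
            seen.add(grant.sender)
            chain.append(grant.sender)
            grant = latest_grant.get((ADMIN_ROLE, grant.sender))
        if chain:
            alerts.append(Alert(ev.block, ev.sender, ev.account, ev.amount, tuple(chain)))
    return alerts

def flagged_total(alerts):
    return sum(a.amount for a in alerts)
```

A real deployment would feed decoded RoleGranted logs and contract calls into this instead of the constructed list, and pause withdrawals or page an on-call engineer on the first alert rather than after fifteen more transactions.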

The "attack resulted in 7M$ assets lost." "Fortunately, users with up to $900 have remained completely unaffected."

"We decisively moved the unaffected funds to a brand-new secure wallet, while users are still able to withdraw their funds unimpeded, should they choose to do so."

"Cipher Blade, a leading blockchain forensics expert company, has been contracted and is doing everything possible to track down the criminal and return the stolen funds. They have already identified an implicated Binance account and are closely collaborating with Etherscan to learn more about the hackers' whereabouts. Additionally, all exchanges have been already informed of the hackers' wallet."

"[W]e continue the investigation and have also informed EU law enforcement. Further, a forensics team has been on-boarded and we’ve received gracious support from several cyber security professionals in the space. We will continue to pursue the hacker."

"Support of V1 Vaults will be ending after Infinity Pad SHO." "Presently, the SHO contract has been secured in order to prevent situations like this from occurring in the future."

"We want to assure our investors and supporters — the Vaults are safe and the hack has had no detrimental impact on our business. Absolutely no one, not even us, has the ability to upgrade the code or remove any DAO from the Vaults."

"If you are one of the affected users of the recent exploit of the USDC pre-funding contract, we sincerely apologize for the inconvenience to you directly. We have made changes to the security protocol to drastically improve key protection, as well as committed to continued efforts in upgrading our smart contract architecture."

"500 USDC will be airdropped to all affected users’ wallets without delay." "The average user lost between 1,000 to 1,500 USDC. Therefore most affected users will instantly be refunded 50% to 30% of their loss on the 19th of August prior to the next SHO." "Thus, over 35% of the total loss amount will be refunded immediately."

"Given that the net exploited amount was $7M, the amount due (after the $2.5M deposit to users’ escrow) equals $4.5M. This $4.5M will be provided to users in exactly one year’s time in the form of DAO tokens at the future market price. The $4.5M in DAO tokens will be taken from the “customer incentives” tranche, which has 10% of the total DAO supply."

"On September 8, we will airdrop USDR tokens, which represent the future redemption given in 1 year. Each USDR token is equal to 1.1 worth of DAO, 1 year after it is airdropped. On redemption day, September 8, 2022, USDR tokens will be deployable to a smart contract in return for a pegged rate of 1.1 worth of DAO for every USDR. All received USDR will be burned at that point."

"The redemption plan is designed to let the operations proceed smoothly. All affected users are given USDC upfront to participate in all immediate SHOs. They also have the option to withdraw the USDC." "Regardless of the outcome of this pursuit, we believe the redemption plan outlined above will allow all affected users to proceed as if nothing happened."

"Over the next five days, DAO Maker will devise a set of solutions to alleviate the incurred damages and work in full force to bring the hacker to justice through the massive forensics investigation undertaken. All affected users will be informed via email and on their DAO log-in portal."

"We’ve been working all weekend to minimize the effect of the four hacked claim bridges (Ternoa, DeRace, Showcase, and CoinsPaid). During the night we have worked with projects Market Makers to manage liquidity on and off-chain to mitigate the total damage caused to the community of the projects. The price of most assets recovered due to this as well with various buy-backs and operations."

"Further, we secured 7M USD worth of tokens of other clients that have been returned to cold storage. We have managed to ensure that all our clients will be offered discounted service offerings from Copper, one of the most reputable custody providers in the industry."

"We shared our 5 step plan to eliminate all smart-contract custodial risks from DAO Maker. Since then we have closed all vesting contracts and their portals. Participants of vested SHOs will from now on receive their tokens directly via their respective clients." "We are going to introduce a Non-Custodial staking system that is currently being tested." "Pre-funding contracts are not going to be used anymore due to our commitment to indefinitely improve the security of users’ funds."

"Within 24 hours after the hack, our team collaborated with 95% of all projects that were running our claim bridges to shut down all contracts in a secure and structured manner. As of now, all but 2 projects have sent tokens from the claim bridges to their own secure multisig wallets. We have provided all clients the Data required to distribute these tokens on the respective networks as well as a comprehensive tutorial on how to do so."

"Over the weekend, we have contacted the current companies that utilize DAO Farms (DinoX, Derace & Gamestarter) and informed them that we will be shutting down all smart contracts that are holding funds."

"Some of the older community members might still be familiar with our SAAS Staking solution Social Mining. A tool that helped coins to introduce non-custodial governance and staking system. Using our chain analysis system, we are able to provide users with DAO Power without having the need to lock them into any specific contracts."

"To ensure that we are setting the smart contract risk to 0%, we are closing the DAO Vaults. In the coming days, we will publish the article on Step 4 together with the exact date and time when we will close the DAO Vault and DAO Staking LP Vault. The lock and burn fee will be removed and the non-custodial staking system will take over as per the rules above."

"Using this 5 step plan, we will terminate all smart contract custodial risk from DAO Maker. We have been in contact with several custody providers and are negotiating discounted offerings for DAO Maker and all our clients. Additionally, to terminate all smart contract risk, we will also discuss with several security advisors and custodial companies the optimal manner to secure all vesting DAO Tokens as well as all of our clients’ vested tokens for both participants and the teams."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Dao Maker Exploit
Date              | Event      | Description
August 12th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $7,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References