Fries Fund DAO Profanity Address Exploit
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Fries Fund proposed a social experiment in which they would purchase and run multiple fast food franchises governed by a DAO. Unfortunately, when setting up their smart contracts, they used a tool called Profanity to generate vanity wallet addresses. It was believed that ownership of the smart contracts had subsequently been transferred to a multi-signature wallet, however this was not actually the case. An attacker was able to exploit the known weaknesses in Profanity's key generation to recover the private key of the same deployer wallet. Once they controlled the wallet, they drained all connected smart contracts. The project lost millions of dollars. Some in the community put forward a proposal to raise further funds, however this was ultimately not successful. The website of the project is presently offline and there don't appear to be any plans to relaunch it.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About Fries Fund DAO
"we're buying fast food places - a decentralized social experiment where a crypto community builds and governs a fast food franchise empire"
"what's friesDAO doing?
- form a treasury: gather USDC contributions (on Ethereum) from community donors and distribute $FRIES governance tokens.
- purchase franchises: negotiate with franchise owners and brands to buy well-known fast food stores using the friesDAO community treasury
- expand the empire: create a reproducible framework for community governance to influence store improvements or expansions
- shape the utility: participate in serious yet memeworthy discussions like prioritizing jobs for ourselves and getting NFT coupons for free food"
"FriesDAO raise closes with $5.4M! $FRIES claiming is expected to be this Tue/Wed.
As a Wyoming DAO LLC, a Notice of Intent to issue tokens is being filed this Monday.
An Operating Agreement has also been released, which recognizes all $FRIES holders as co-owners of the DAO."
The Reality
The deployer address for the smart contract had been generated using Profanity.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| February 20th, 2022 10:47:00 AM MST | FriesDAO Funds Raised | FriesDAO announces that they successfully raised $5.4m and provides paperwork for themselves as a Wyoming DAO LLC. |
| October 27th, 2022 1:17:00 PM MDT | Twitter Post | The Fries DAO team announces the exploit on Twitter. |
| October 30th, 2022 11:52:00 AM MDT | Web3IsGoingGreat | The news is shared on the Web3IsGoingGreat website. |
| October 30th, 2022 12:02:59 PM MDT | Reddit Parody Post | A post is made about the incident on Reddit. |
| January 10th, 2023 2:01:00 PM MST | Salvage Proposal | A proposal is shared to potentially salvage the project. |
| October 27th, 2023 11:58:00 AM MDT | Time of Exploit | The reported time of the exploit on the blockchain. |
| December 6th, 2023 1:37:52 PM MST | Last Site Capture | The last time the site was captured online. |
Technical Details
"On October 27th, 5:58PM UTC, friesDAO contracts were exploited by an attacker taking control of our own deployer address through a profanity attack vector. The hacker was able to drain the treasury of its USDC through the refund contract, drain the FRIES tokens in the staking contract, subsequently selling it all into the Uniswap pool. All transactions in the main attack with the refund contract were confirmed in the same block, then three hours later, the attacker came back for the staking pool"
"This address was generated for KCHUP (0x51D35a4cfea3e5fb387e467d31cc0c87f6038a) to have a vanity address (51D35 = “SIDES”) using Profanity, a local multithreaded GPU vanity address miner that was considered safe at the time of generation. Profanity has options to generate a deployer address such that the first contract it deploys will have the address desired.
However, ownership of the contracts had not been transferred to a different address such as the multisig after deployment in case of any changes or bugs needed, specifically due to the high risk of how the refund contract interacts with funds. Thus it was determined that it was safer to leave room for emergency changes and that considering our primary developer Slip was internally doxxed, that any attempt of theft would immediately implicate the developer. In fact the initial deployment of the refund contract had issues and had been redeployed to fix a calculation error"
"As time progressed and the contracts appeared to be working properly, the developer unfortunately forgot to transfer ownership of these contracts to the multisig and had assumed they were already transferred when in reality, the deployer address (0x6B20) still had full ownership and control over these contracts. Note that the deployer address’ private key never left the metamask and was never exported out in any external format including to the developer himself.
It is possible that the way the attacker got the private key was first by guessing that the deployer address was a vanity address through implication of the vanity “SIDES” contract address for KCHUP.
Subsequently, the attacker brute-forced the private key using profanity’s now known vulnerabilities, which dramatically reduces the possibilities of private keys due to flaws in generation and is susceptible to even consumer grade computing power."
"This is still an ongoing investigation and we invite members and the public to help investigate the on chain analysis as well. Because we are a US entity we have the obligation to file a report with the FBI’s IC3/cyber crimes unit for further assistance. Of course, we do also invite the hacker, if reading this, to anonymously return the funds to the multisig to mitigate our law enforcement efforts. We are also open to dialogue should you wish to reply to the friesDAO twitter account (however any funds should be returned directly to the multisig, anywhere else may be a scam)."
Total Amount Lost
The total amount lost has been estimated at $2,300,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"It has come to our attention that the refund deployer contract was exploited and managed to obtain FRIES tokens which were subsequently refunded for USDC and sold into the Uniswap pool. This is an ongoing investigation; exploiter is invited to contact us for dialogue."
"A post-mortem report will be released shortly, followed by a plan afterwards in how to move forward. We are still in the process of negotiating acquisitions so a successful deal is still possible with the right plan. Also, contract exploits are currently patched."
Ultimate Outcome
There was an attempt to revive the project by launching an NFT collection to raise funds. However, this does not appear to have been successful.
Attempt To Revive The Project
"It’s been a little under 2 months since the hack on FriesDAO took place, and things look grim for the future of the project. With there being around $60k left in the treasury, we think there should be a coordinated effort to re-raise funds for the treasury, and continue the original mission of opening a store - especially after we were so close before.
One of the original plans of the project was to launch an NFT collection that would have associated utility to any stores that were opened by FriesDAO. This started to be rolled out at the start, but the artwork and direction wasn’t well received and has since been placed on hold.
A group of community members (Sasha, Staggo, Williams, Marsyas – with oversight and under the advisement of SWO) have stepped forward to re-launch this initiative. With this initiative, Marsyas will work with Slip to help transitioning files and resources as he moves into a more involved role with FriesDAO.
We are proposing to use $25,000 USDC from the remainder of the treasury to roll out a brand new NFT collection."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Stankoman comments on French fry-themed DAO loses $2.3 million due to Profanity exploit (Mar 16, 2023)
- [2] https://fries.fund/ (Feb 5, 2024)
- [3] @friesdao Twitter (Feb 5, 2024)
- [4] friesDAO Post-Mortem - Google Docs (Feb 6, 2024)
- [5] Exploiting The Profanity Flaw (Feb 6, 2024)
- [6] Snapshot (Feb 23, 2024)
- [7] friesDAO (Feb 23, 2024)
- [8] @friesdao Twitter (Feb 23, 2024)
- [9] @friesdao Twitter (Feb 23, 2024)
- [10] French fry-themed DAO loses $2.3 million due to Profanity exploit (Feb 23, 2024)
- [11] @web3isgreat Twitter (Feb 23, 2024)
- [12] French fry-themed DAO loses $2.3 million due to Profanity exploit : CryptoCurrency (Feb 23, 2024)
- [13] friesDAO (Feb 23, 2024)