$7 000 000 USD

AUGUST 2021

GLOBAL

DAO MAKER

DESCRIPTION OF EVENTS

"Venture Capital Re-Created for the Masses - DAO Maker creates growth technologies and funding frameworks for startups, while simultaneously reducing risks for investors." "DAO Maker is a comprehensive suite of products shaped to cater to the growing needs of the crypto community and retail investors. The platform aims to be the go-to platform for retail venture investing and to improve the quality of millions of lives."

 

"We are pioneering organized decentralized ecosystems that efficiently leverage human capital with suitable value and benefits for blockchain & crypto projects and their community. The DAO Maker builds an ecosystem that enables any project’s community to effectively leverage their mutual resources for the betterment of their token. Each community member’s project-enhancing actions are rewarded based on the value-add assessed by the community of token holders. DAO Maker’s flagship is Social Mining, a system that offers the most advanced stem into a DAO. Social mining allows a project’s community to become a thriving self-managed organization of active investors. Whenever a token holder makes actions that advance the success of the project, the community votes on the value he/she deserves for that action. Such a system combats the socioeconomic Free-Loader Problem."

 

"DAO Maker Token is the governance token of the DAO Maker Ecosystem built on Ethereum, allowing holders to govern the ecosystem. DAO Maker held a series of Dynamic Coin Offerings since late 2020, raising over 8 million USD. The DAO Maker Token aims to create a decentralized ecosystem, enabling a go-to platform for retail venture investing in equity and tokens." "Lock your DAO tokens or DAO-USDC Uniswap V2 liquidity pool tokens to earn rewards from Reward Pools, get ecosystem incentives, qualify for Sales allocations and participate in Governance."

 

"The SHO contract has always been a hotspot for potential risk, as it was used for every single SHO. This is the precise reason why DAO Maker put in place certain contingencies, such as capping the maximum individual deposit amount to $10,000 USDC." "The Vault contracts themselves are standard farm contracts and were successfully audited by 4 different firms."

 

"Regretfully, we must announce that in the early hours of August 12th (approx. 1 AM UTC) DAO Maker faced malicious use of one of our wallets with access to admin privileges." "The admin's private key was used to grant the attacker's contract permission to withdraw funds from the exploited contract." "The cybercriminal, after tentatively testing this exploit and managing to steal 10,000 USDC, then proceeded to quietly make 15 more transactions. In this manner, the hacker was able to siphon approximately $7M, until our security team was able to trace, contain and stop the drain of funds. A total of 5251 users were affected, losing $1250 USD on average per user."

 

The exploit transaction: "0x054e sends a transaction to grant the admin role to 0x0eba of the wallet (0x41b8). Then 0x0eba grants the “DAO contracts” role to 0x1c93. At last, the 0x1c93 (XXX) invokes the function withdrawFromUser to transfer the money to the XXX contract. Interestingly, the victim 0x41b8 is created by 0x054e. In summary, 0x054e creates the victim 0x41b8 wallet. Then 0x054e grants the admin role to 0x0eba, who further grants the “DAO Contracts” role to 0x1c93. At last 0x1c93 withdraws the money from the victim."
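A monitoring sketch for the grant chain quoted above, added here as an example (it is not code from DAO Maker or from the quoted analysis): it flags withdrawFromUser calls made by an address whose role was granted only a few blocks earlier and reconstructs who granted what. The event layout, block numbers, amounts, the 0xbeef operator and the 100-block window are assumptions; the truncated addresses and role names are the ones quoted above.

```python
# Constructed sample of decoded on-chain activity for the wallet 0x41b8.
# Truncated addresses and role names are those quoted above; block numbers,
# amounts, the event layout and the 0xbeef operator are invented.
EVENTS = [
    {"block": 10, "type": "grant", "role": "DAO contracts", "by": "0x054e", "to": "0xbeef"},
    {"block": 9000, "type": "grant", "role": "admin", "by": "0x054e", "to": "0x0eba"},
    {"block": 9001, "type": "grant", "role": "DAO contracts", "by": "0x0eba", "to": "0x1c93"},
    {"block": 9002, "type": "call", "fn": "withdrawFromUser", "by": "0x1c93", "amount": 10_000},
    {"block": 9003, "type": "call", "fn": "withdrawFromUser", "by": "0x1c93", "amount": 10_000},
    {"block": 9004, "type": "call", "fn": "withdrawFromUser", "by": "0xbeef", "amount": 500},
]


def grant_chain(grants, addr):
    """Follow granter links back from addr to the root granter."""
    chain, seen = [addr], {addr}
    while addr in grants and grants[addr]["by"] not in seen:
        addr = grants[addr]["by"]
        chain.append(addr)
        seen.add(addr)
    return chain[::-1]  # root granter first, caller last


def detect_fresh_role_withdrawals(events, window=100):
    """Flag withdrawFromUser callers whose role is at most `window` blocks old."""
    grants, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["type"] == "grant":
            grants[ev["to"]] = ev  # remember the latest grant per grantee
            continue
        if ev.get("fn") != "withdrawFromUser":
            continue
        grant = grants.get(ev["by"])
        if grant is None or ev["block"] - grant["block"] > window:
            continue  # long-standing role holder, or no grant on record
        alert = alerts.setdefault(ev["by"], {
            "role": grant["role"],
            "grant_age_blocks": ev["block"] - grant["block"],
            "chain": grant_chain(grants, ev["by"]),
            "calls": 0,
            "total": 0,
        })
        alert["calls"] += 1
        alert["total"] += ev["amount"]
    return alerts


if __name__ == "__main__":
    for caller, alert in detect_fresh_role_withdrawals(EVENTS).items():
        print(caller, alert)
```
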

 

The "attack resulted in 7M$ assets lost." "Fortunately, users with up to $900 have remained completely unaffected."

 

"We decisively moved the unaffected funds to a brand-new secure wallet, while users are still able to withdraw their funds unimpeded, should they choose to do so."

 

"Cipher Blade, a leading blockchain forensics expert company, has been contracted and is doing everything possible to track down the criminal and return the stolen funds. They have already identified an implicated Binance account and are closely collaborating with Etherscan to learn more about the hackers' whereabouts. Additionally, all exchanges have been already informed of the hackers' wallet."

 

"[W]e continue the investigation and have also informed EU law enforcement. Further, a forensics team has been on-boarded and we’ve received gracious support from several cyber security professionals in the space. We will continue to pursue the hacker."

 

"Support of V1 Vaults will be ending after Infinity Pad SHO." "Presently, the SHO contract has been secured in order to prevent situations like this from occurring in the future."

 

"We want to assure our investors and supporters — the Vaults are safe and the hack has had no detrimental impact on our business. Absolutely no one, not even us, has the ability to upgrade the code or remove any DAO from the Vaults."

 

"If you are one of the affected users of the recent exploit of the USDC pre-funding contract, we sincerely apologize for the inconvenience to you directly. We have made changes to the security protocol to drastically improve key protection, as well as committed to continued efforts in upgrading our smart contract architecture."

 

"500 USDC will be airdropped to all affected users’ wallets without delay." "The average user lost between 1,000 to 1,500 USDC. Therefore most affected users will instantly be refunded 50% to 30% of their loss on the 19th of August prior to the next SHO." "Thus, over 35% of the total loss amount will be refunded immediately."

 

"Given that the net exploited amount was $7M, the amount due (after the $2.5M deposit to users’ escrow) equals $4.5M. This $4.5M will be provided to users in exactly one year’s time in the form of DAO tokens at the future market price. The $4.5M in DAO tokens will be taken from the “customer incentives” tranche, which has 10% of the total DAO supply."

 

"On September 8, we will airdrop USDR tokens, which represent the future redemption given in 1 year. Each USDR token is equal to 1.1 worth of DAO, 1 year after it is airdropped. On redemption day, September 8, 2022, USDR tokens will be deployable to a smart contract in return for a pegged rate of 1.1 worth of DAO for every USDR. All received USDR will be burned at that point."

 

"The redemption plan is designed to let the operations proceed smoothly. All affected users are given USDC upfront to participate in all immediate SHOs. They also have the option to withdraw the USDC." "Regardless of the outcome of this pursuit, we believe the redemption plan outlined above will allow all affected users to proceed as if nothing happened."

 

"Over the next five days, DAO Maker will devise a set of solutions to alleviate the incurred damages and work in full force to bring the hacker to justice through the massive forensics investigation undertaken. All affected users will be informed via email and on their DAO log-in portal."

 

"We’ve been working all weekend to minimize the effect of the four hacked claim bridges (Ternoa, DeRace, Showcase, and CoinsPaid). During the night we have worked with projects’ Market Makers to manage liquidity on and off-chain to mitigate the total damage caused to the community of the projects. The price of most assets recovered due to this as well with various buy-backs and operations."

 

"Further, we secured 7M USD worth of tokens of other clients that have been returned to cold storage. We have managed to ensure that all our clients will be offered discounted service offerings from Copper, one of the most reputable custody providers in the industry."

 

"We shared our 5 step plan to eliminate all smart-contract custodial risks from DAO Maker. Since then we have closed all vesting contracts and their portals. Participants of vested SHOs will from now on receive their tokens directly via their respective clients." "We are going to introduce a Non-Custodial staking system that is currently being tested." "Pre-funding contracts are not going to be used anymore due to our commitment to indefinitely improve the security of users’ funds."

 

"Within 24 hours after the hack, our team collaborated with 95% of all projects that were running our claim bridges to shutdown all contracts in a secure and structured manner. As of now, all but 2 projects have sent tokens from the claim bridges to their own secure multisig wallets. We have provided all clients the Data required to distribute these tokens on the respective networks as well as a comprehensive tutorial on how to do so."

 

"Over the weekend, we have contacted the current companies that utilize DAO Farms (DinoX, Derace & Gamestarter) and informed them that we will be shutting down all smart contracts that are holding funds."

 

"Some of the older community members might still be familiar with our SAAS Staking solution Social Mining. A tool that helped coins to introduce non-custodial governance and staking system. Using our chain analysis system, we are able to provide users with DAO Power without having the need to lock them into any specific contracts."

 

"To ensure that we are setting the smart contract risk to 0%, we are closing the DAO Vaults. In the coming days, we will publish the article on Step 4 together with the exact date and time when we will close the DAO Vault and DAO Staking LP Vault. The lock and burn fee will be removed and the non-custodial staking system will take over as per the rules above."

 

"Using this 5 step plan, we will terminate all smart contract custodial risk from DAO Maker. We have been in contact with several custody providers and are negotiating discounted offerings for DAO Maker and all our clients. Additionally, to terminate all smart contract risk, we will also discuss with several security advisors and custodial companies the optimal manner to secure all vesting DAO Tokens as well as all of our clients’ vested tokens for both participants and the teams."

DAO Maker offers a comprehensive suite of DeFi products. One of its admin keys was used maliciously to steal user funds held on the platform.

Ultimately, the team came up with a recovery plan for all affected users and restructured the smart contract so that no funds were under its custody, eliminating the centralized incentive.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.