The attacker was able to manipulate the oracle price to show that USTRY was priced at $100 (rather than its actual trading price of around $1.05). Then, they borrowed against the overvalued asset, withdrawing XLM and USDC priced at $10.2 million. However, around 48 million of the stolen XLM (~$7.2 million) were frozen.
YieldBlox lending pool drained of $10.2 million
A lending pool operated by YieldBlox on the Stellar blockchain was emptied of around $10.2 million in an oracle manipulation attack on the Reflector oracle supplying prices for the USTRY/USDC market. Reflector has said that there was no flaw with their oracle, and that market illiquidity caused the problem. "Reflector quoted correct prices. ... but it's impossible to quote adequate prices for a market fully handled by a single market-maker with almost zero trading activity."
AssangeDAO accused of rug pull after transferring treasury to German foundation
AssangeDAO was a project created to fundraise for the legal defense of WikiLeaks founder Julian Assange, who has been fighting espionage and computer intrusion charges for over a decade, and who was imprisoned in the United Kingdom for several years. The DAO raised around $55 million, and when Assange reached a plea deal and was sentenced to time serve, around $10 million remained.
This $10 million was later sent to a German non-profit foundation called the Wau Holland Foundation, which has also been fundraising and managing funds relating to Assange's legal defense. However, this transfer raised serious concerns among some members of the DAO who say they've effectively been cut out of decisionmaking, that the funds were transferred without their approval, and allege the treasury was mismanaged and crashed in value as a result.
Hacktivist, bitcoin core developer, and AssangeDAO organizer Amir Taaki accused fellow AssangeDAO organizer: "Harry Halpin you should be honest and direct with the people here. You believe the money should be kept in a foundation controlled by your people with Julian. You do not respect the community or believe in the DAO."
Compound DAO passes $24 million proposal in alleged governance attack
A controversial proposal in front of the Compound Finance DAO has narrowly passed, granting 499,000 COMP (~$24 million, and amounting to 5% of the project's treasury) to an outside group. A Compound Finance whale, "Humpy", proposed the vote to allocate the tokens to a protocol created by a group called the "Golden Boys", which Humpy also leads. The vote was the third attempt to allocate tokens to the Golden Boys' group, after two unsuccessful votes in May and earlier in July.
Humpy has previously been accused of governance attacks on other protocols, including Balancer and SushiSwap.
Prior to the proposal's passage, some Compound Finance DAO members raised objections. "In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates," stated Compound Finance security adviser Michael Lewellen, who also described the proposal as "a malicious attempt to steal funds from the protocol".
Afterwards, Lewellen wrote that "OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing and so we are exploring options to mitigate or reverse this outcome."
- "Compound DAO asleep at the wheel as $25M governance 'attack' passes", Protos
- "$24 million Compound Finance proposal passed by whale over DAO objections", The Block
- "Trust Setup for DAO investment into GoldCOMP", Compound Finance discussion
- "Governance Security Notice: goldCOMP Proposal 247", Compound Finance discussion
SushiSwap team votes to give themselves control of much of the "decentralized" project's treasury
The leadership team behind SushiSwap, a popular defi platform, submitted proposals for a DAO governance vote that would transfer control of around $40 million from the DAO to a small centralized organization called "Sushi Labs". That organization would also receive all future airdrops awarded to SushiSwap. According to the proposal, this was motivated by a desire for efficiency and faster development.
The "yes" votes are currently in the lead with a 63% margin. The most yes votes came from sushigov.eth, the official SushiSwap team address, which also created the proposal. It is the first time that address has ever participated in a governance proposal.
The 5.5 million yes votes from the team wallet, plus another 3.1 million delegated from other community members, were enough to push the vote to majority support. A former SushiSwap contributor has also alleged that the SushiSwap team was manipulating the vote with additional wallets.
On Twitter, Sushi's "Head Chef" claimed that he had consulted with lawyers and then authorized the voting activity out of fear of an "extortative [sic] governance attack attempt".
Curio RWA project suffers $16 million exploit
Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.
A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.
Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.
Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk
A community member of the Tornado Cash cryptocurrency tumbler project has reported that malicious code was added to the Tornado Cash project on January 1, which has put at risk funds deposited into the service. According to the community member, a successful governance proposal two months ago resulted in a code change, but malicious JavaScript included in the change went unnoticed.
The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.
This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.
$2.7 million disappears from funds meant to compensate Hector Network investors
In July 2023, angry investors in the Hector Network project opted to "rage quit" — an option reserved by some defi projects that allows investors to vote to liquidate a project's remaining treasury and distribute it to token holders. The successful rage-quit vote in Hector's case came after the protocol lost $8 million in the Multichain disaster, although investors say that was only the final straw in a series of poor management choices and inflated salaries that saw the project treasury dwindle from over $100 million to around $16 million.
Now, another $2.7 million is gone after an apparent thief was able to exploit a smart contract that was intended to distribute payouts to Hector's token holders. They then swapped the tokens from the USDC stablecoin to ETH.
Investors in the project are furious, especially because various parties had warned Hector Network about apparently insecure practices. Hector Network's team, meanwhile, have not acknowledged the theft, although a law firm involved in the project liquidation promised a statement would be forthcoming.
Defunct BarnBridge reaches $1.7 million settlement with SEC
About six months after the SEC filed a complaint against the BarnBridge DAO, the group has agreed to disgorge almost $1.5 million in proceeds from their "SMART Yield bonds" — which the SEC also says attracted more than $509 million in investments. The two co-founders will also pay $125,000 each in civil penalties.
The SEC charged that the group had not registered their sale of the bonds as was required under US securities laws. BarnBridge shut down very shortly after the complaint was filed, without any input from its community, despite ostensibly being community governed.
- "BarnBridge DAO Agrees to Stop Unregistered Offer and Sale of Structured Finance Crypto Product", Securities and Exchange Commission press release [archive]
Aragon DAO votes to sue its founding team
Aragon is a prominent project that creates DAO infrastructure. Ironically, its own DAO-based governance has been fraught, with the group facing a governance crisis in May over conflicts between the DAO and the Aragon Association (a small group of "stewards" for the project).
Now, after the Aragon Association decided without consulting the DAO to dissolve itself and wind down the project's governance tokens (while keeping some of the funds), the DAO has voted to sue the group. The DAO has accused the group of improperly taking investors' money to put it "into their new secretive company". They've allocated $300,000 to legal efforts.
- "A DAO is funding a lawsuit against its own founding team", The Block [archive]
- "Aragon DAO votes to fund legal action against its founders", CoinTelegraph [archive]
- Proposal to sue the Aragon Association
Samudai treasury drained
The treasury of the Samudai DAO was apparently drained as an attacker compromised the project's multisignature wallets and the wallet belonging to the project's founder, Kushagra Agarwal. Altogether, around $1.25 million in ETH was stolen.
Agarwal sent a message to the thief shortly afterwards, offering a 10% "bounty" in exchange for the return of the rest of the funds. The attacker didn't seem to be interested, and in mid-January began tumbling the assets through the Tornado Cash cryptocurrency mixer.
Samudai didn't seem to publicly acknowledge the theft, even though they've posted on Twitter a few times since then. The organization had raised $2.5 million in pre-seed capital in June 2022.
- Tweet by CyversAlerts [archive]
- On-chain message from Kushagra Agarwal [archive]