DAO Maker Suffers $7 Million Exploit

An attacker stole $7 million from DAO Maker's smart contract and immediately converted the assets from USDC to ETH.


Key Takeaways

  • DAO Maker was exploited today. An attacker stole $7 million after discovering a smart contract vulnerability.
  • The attacker converted the loot to 2,261.45 ETH to prevent funds from getting blacklisted.
  • The DAO token has plummeted 15% following the incident.


Crypto launchpad DAO Maker was exploited for $7 million worth of USDC today. 

DAO Maker Suffers Vulnerability 

The fundraising platform DAO Maker was exploited today, with an attacker stealing more than $7 million from thousands of its user accounts.

Analyst firm PeckShield told Crypto Briefing that the attack was the result of a “dumb bug” in one of its smart contracts. The vulnerability may have given an unknown third party the privilege to transfer funds out. 

Announcing the incident in a post-mortem report, DAO Maker CEO Christoph Zaknun said:

“We must announce that in the early hours of August 12th (approx. 1 AM UTC) DAO Maker faced malicious use of one of our wallets with access to admin privileges.”

The attacker converted the loot to 2,261.45 ETH and sent it to an Ethereum wallet to prevent the funds from getting blacklisted.

Several users in DAO Maker’s Telegram group reported that their USDC balances had turned to zero earlier this morning.

Initial analysis of the event suggests that USDC stablecoins deposited by users within a particular smart contract were affected. Currently, all deposits in the contract have been deactivated.

In the post-mortem report, DAO Maker reported that a total of 5,251 users had been affected, with losses averaging $1,250 per user. 

DAO Maker conducts fundraisers for new crypto projects on Ethereum. Before a crowd sale, the platform requires users to pre-fund their wallets with USDC tokens to avoid gas wars. Once the allocation is made, the USDC is automatically deducted from the pre-funded account.

Analysts say the exploiter was able to call the withdraw functions because the contract lacked adequate security checks. They have also pointed out that the exploited contract was not verified on Etherscan. The lack of verification is usually considered a red flag and suggests the team was negligent in their work.

The attack came shortly after the project founders reported rising volumes for their launchpad, DAO Pad. The team had been planning to issue fully regulated tokenized stocks.

DAO Maker’s native token has also suffered as a result of the incident. The DAO token has declined by about 15% today, decreasing from $1.95 to $1.70 at press time, according to CoinGecko. The lack of price disruption may be because single staking vaults consisting of native tokens were safe from the attack.
