DAO on Solana loses $230K after ‘attack proposal’ goes unnoticed

An attacker proposed and voted in favor of a proposal to send treasury funds to their own wallet. DAO members didn’t realize until it was too late

article-image

VAKS-Stock Agency/Shutterstock modified by Blockworks

share

The legwork behind DeFi hacks can be quite sophisticated. But an attacker targeting Synthetify last week only had to vote on — and pass — their own proposal to steal some $230,000 worth of crypto.

Synthetify was exploited by an attacker who made and voted for public proposals in the protocol’s decentralized autonomous organization. By the time other DAO members noticed something was amiss, the funds had already been sent to Tornado Cash. 

The situation represents a fresh example of a governance failure resulting in lost funds.

Synthetify is a Solana-native DEX that fell into debt following FTX’s meltdown late last year. In April, the project announced that it has plans to restructure.

Taking advantage of the DAO’s inactivity, the exploiter created ten identical-looking proposals and used their own tokens to reach the voting quorum. Nine of the proposals were empty, but the tenth contained code that sent around $230,000 in USDC, mSOL and stSOL to the attacker’s address, according to an X thread from the security auditing firm Neodyme. 

$89,669 remains in the DAO’s treasury, according to available data. 

The attacker’s exploit — conducted through the token vote-centric governance process, highlights the potential pitfalls facing DAOs that seek to ward off bad actors. 

In the past, attackers have exploited DAO treasuries with so-called flash loans, borrowing large amounts of governance tokens to pass malicious proposals.

Serhii Kravchenko, chief operating officer of the DAO infrastructure provider DeXe DAO Studio, said DAOs should build better notification systems for the proposal process and should invest more heavily in financial incentives that reward DAO members for their participation. 

Read more: DeFi security firm Quantstamp pilots hack protection program

Solana co-founder Anatoly Yakovenko wrote on X that DAOs should have veto councils that can prevent attacks caused by token voting.

“Any DAO with pure token voting is just waiting to be attacked,” he wrote.

Asked whether a veto council would have prevented Synthetify from being exploited — given that the attacking proposal went unnoticed until it had already passed through the governance process — Yakovenko echoed Kravchenko.

“Pay the council to pay attention!” Yakovenko wrote.

Updated Oct. 24, 2023 at 4:08 pm: Clarified for additional context.


Don’t miss the next big story – join our free daily newsletter.

Tags

Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Top Icon.png

Research

Osmosis thrived in H2 2023 on the back of increased DeFi activity deriving from recently launched Cosmos-related projects and better market conditions. With new value accrual mechanisms for the native token, Osmosis is well-positioned to continue its strong performance in 2024.

/

article-image

Though the opposing flow trend is likely to slow over time, industry watchers note, bitcoin fund assets could one day eclipse the $90 billion gold ETF space

article-image

Celestia had the first mover advantage. EigenDA has staked ether. What sets Avail apart?

article-image

Bitcoin moved 1% higher Monday morning in New York, Matrixport analysts say $62,000 could happen next month

article-image

It’s hard to believe right now that crypto — even with all of its flexibility and massive capabilities — could ever be like cash on the internet

article-image

Michael Saylor announced Monday morning that MicroStrategy bought 3k more bitcoin after the X account was compromised over the weekend

article-image

Plus, Pudgy Penguins grows its brand and a group of Autoglyphs sell for $14.5 million