DAO on Solana loses $230K after ‘attack proposal’ goes unnoticed

An attacker proposed and voted in favor of a proposal to send treasury funds to their own wallet. DAO members didn’t realize until it was too late

article-image

VAKS-Stock Agency/Shutterstock modified by Blockworks

share

The legwork behind DeFi hacks can be quite sophisticated. But an attacker targeting Synthetify last week only had to vote on — and pass — their own proposal to steal some $230,000 worth of crypto.

Synthetify was exploited by an attacker who made and voted for public proposals in the protocol’s decentralized autonomous organization. By the time other DAO members noticed something was amiss, the funds had already been sent to Tornado Cash. 

The situation represents a fresh example of a governance failure resulting in lost funds.

Synthetify is a Solana-native DEX that fell into debt following FTX’s meltdown late last year. In April, the project announced that it has plans to restructure.

Taking advantage of the DAO’s inactivity, the exploiter created ten identical-looking proposals and used their own tokens to reach the voting quorum. Nine of the proposals were empty, but the tenth contained code that sent around $230,000 in USDC, mSOL and stSOL to the attacker’s address, according to an X thread from the security auditing firm Neodyme. 

$89,669 remains in the DAO’s treasury, according to available data. 

The attacker’s exploit — conducted through the token vote-centric governance process, highlights the potential pitfalls facing DAOs that seek to ward off bad actors. 

In the past, attackers have exploited DAO treasuries with so-called flash loans, borrowing large amounts of governance tokens to pass malicious proposals.

Serhii Kravchenko, chief operating officer of the DAO infrastructure provider DeXe DAO Studio, said DAOs should build better notification systems for the proposal process and should invest more heavily in financial incentives that reward DAO members for their participation. 

Read more: DeFi security firm Quantstamp pilots hack protection program

Solana co-founder Anatoly Yakovenko wrote on X that DAOs should have veto councils that can prevent attacks caused by token voting.

“Any DAO with pure token voting is just waiting to be attacked,” he wrote.

Asked whether a veto council would have prevented Synthetify from being exploited — given that the attacking proposal went unnoticed until it had already passed through the governance process — Yakovenko echoed Kravchenko.

“Pay the council to pay attention!” Yakovenko wrote.

Updated Oct. 24, 2023 at 4:08 pm: Clarified for additional context.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

recent research

Nillion_DeSci_Report_Template.png

Research

Nillion’s Monad Integration is poised to catalyze the next phase of DeSci’s evolution by eliminating key privacy bottlenecks. This synergy allows researchers, institutions, and DAOs to exchange sensitive data and insights securely while managing governance and payments onchain.

article-image

Bitcoin has broken its previous price record of $109,026 set on Jan. 19, 2025

article-image

The SEC filed the suit on Tuesday night, alleging that some Unicoin executives made “false and misleading statements” and violated securities laws

article-image

VanEck’s Pranav Kanade told Blockworks that it doesn’t plan to launch a similar fund for other ecosystems at this time

article-image

What the history of global reserve currencies says about crypto’s future

article-image

A memecoin community delivered on a brick-and-mortar pop-up store

article-image

Despite continued disagreements within the GOP about the extent of the spending cuts, Trump said the House is unified