Decentralized Autonomous Organizations, or DAOs, are blockchain-based groups that are supposed to be run democratically: members hold governance tokens and vote on proposals, with voting weight proportional to their stake. They are the part of web3 that gets people most excited: boosters say they can replace corporate structures and create a system where people have votes according to how much they have put into the DAO.
This sounds OK in theory, but a group called Build Finance DAO just suffered a coup in which one person amassed enough tokens to get a vote passed, then voted to give themselves full control of the DAO, then, using this power, took all of the money. In a sense, the DAO did replace a corporate activity with its own version: the hostile takeover.
Build Finance DAO announced through Twitter on Monday that a "malicious actor" had accomplished a "hostile governance takeover." The person had taken over the token contract, the governance contract, the minting keys, and the project's treasury. A wallet named Sudo.eth made the initial proposal to hand control to itself; that proposal failed after it was voted down in the project's Discord. The attacker then transferred their tokens to another wallet and submitted the same proposal again. This time it passed, because no alert was issued on Discord that a new proposal had been made, The Block reported.
The coup drained nearly $500,000 worth of tokens from the project.
“The attacker was able to access funds in this way due to the structure of the Build DAO governance model. It is believed that the attacker took extra steps to stop evidence of their activities by way of disabling the gitbooks and the proposal bot,” Build Finance DAO tweeted.
Because the bots that would have alerted the community to the new proposal had been disabled, it eventually passed. With sole control over the DAO, this person minted 1,107,600 BUILD (the DAO's token) and proceeded to drain the DAO's liquidity pools on the decentralized exchanges Balancer and Uniswap. They then seized 130,000 METRIC tokens from the DAO's treasury, sold those, minted another 1 billion BUILD, and went on to sell everything they could.
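To make the failure mode concrete, here is a small Python model of token-weighted governance, written for this page rather than taken from Build Finance (whose actual governance contract is not described beyond the tweets above). The balances, wallet names, block numbers and proposal text are constructed. It replays the sequence the article describes: a proposal that is voted down, the same tokens moved to a fresh wallet, and a second proposal that nobody else votes on. With no quorum and no timelock the second proposal executes on the strength of one wallet's vote; a minimum turnout (quorum) and an execution delay (timelock) are the two assumed mitigations shown, and neither is claimed to be what Build DAO used.

```python
from dataclasses import dataclass, field


@dataclass
class Proposal:
    proposer: str
    action: str
    created_at: int            # block number at which it was proposed
    votes_for: int = 0
    votes_against: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    """Toy token-weighted voting (constructed model, not a real contract).

    With quorum_bps=0 and timelock_blocks=0 a proposal executes as soon as
    'for' outweighs 'against' among whoever happened to vote."""

    def __init__(self, balances, quorum_bps=0, timelock_blocks=0):
        self.balances = dict(balances)
        self.total_supply = sum(self.balances.values())
        self.quorum_bps = quorum_bps            # minimum turnout, basis points of supply
        self.timelock_blocks = timelock_blocks  # blocks that must pass before execution
        self.proposals = []
        self.log = []                           # actions that actually executed

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self, proposer, action, block):
        self.proposals.append(Proposal(proposer, action, block))
        return len(self.proposals) - 1

    def vote(self, pid, voter, support):
        p = self.proposals[pid]
        if voter in p.voters:
            raise ValueError("already voted")
        weight = self.balances.get(voter, 0)    # live balance: weight follows the tokens
        p.voters.add(voter)
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight

    def execute(self, pid, block):
        p = self.proposals[pid]
        if p.executed:
            return "already executed"
        if block < p.created_at + self.timelock_blocks:
            return "rejected: timelock not elapsed"
        turnout = p.votes_for + p.votes_against
        if turnout * 10_000 < self.quorum_bps * self.total_supply:
            return "rejected: quorum not met"
        if p.votes_for <= p.votes_against:
            return "rejected: defeated"
        p.executed = True
        self.log.append(p.action)
        return "executed"


# Constructed holdings: the attacker has 30% of a 1,000,000-token supply.
BALANCES = {"attacker": 300_000, "alice": 250_000, "bob": 250_000, "carol": 200_000}


def takeover(quorum_bps=0, timelock_blocks=0, community_notices=False):
    """Replay the article's sequence under a given governance configuration."""
    gov = Governance(BALANCES, quorum_bps, timelock_blocks)

    # Attempt 1: the community sees it and votes it down.
    p1 = gov.propose("attacker", "grant attacker minter role", block=100)
    gov.vote(p1, "attacker", True)
    gov.vote(p1, "alice", False)
    gov.vote(p1, "bob", False)
    first = gov.execute(p1, block=100 + timelock_blocks)

    # Attempt 2: same tokens, fresh wallet, and (unless noticed) nobody else votes.
    gov.transfer("attacker", "fresh_wallet", 300_000)
    p2 = gov.propose("fresh_wallet", "grant fresh_wallet minter role", block=200)
    gov.vote(p2, "fresh_wallet", True)
    if community_notices:
        gov.vote(p2, "alice", False)
        gov.vote(p2, "bob", False)
    early = gov.execute(p2, block=200)                    # try to execute at once
    final = gov.execute(p2, block=200 + timelock_blocks)  # try again after the delay
    return {"first": first, "early": early, "final": final, "log": gov.log}


if __name__ == "__main__":
    print("no safeguards:      ", takeover())
    print("quorum + timelock:  ", takeover(quorum_bps=4_000, timelock_blocks=100))
    print("...and noticed:     ", takeover(4_000, 100, community_notices=True))
```

In the unprotected configuration the second proposal executes immediately with 300,000 votes for and none against; the alert bot was the only thing standing between a quiet proposal and a passed one. With a 40% quorum the same proposal is rejected even if nobody reacts, and the timelock gives token holders blocks in which to notice and vote it down. Neither check depends on Discord.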
Build Finance, a self-styled "venture builder," sought to help finance and manage crypto projects with its BUILD token: in exchange for being supplied BUILD tokens, the projects would adopt the token and help grow demand for it. They've funded projects such as a decentralized exchange aggregator (Metrix Exchange), a lending and borrowing platform (Vortex), and a token pegged to the price of gold (Basis Gold). As of August 2021, the treasury sat on $522,536 worth of assets in half a dozen tokens, including BUILD.
The wallet where the drained funds went appears to have gone silent two days ago after sending 163 ETH to Tornado Cash, a mixing service that obscures the origin of Ethereum transactions. As for what happens next with the DAO, it's not clear how the project can recover.
"It is with deep regret that we have to inform the community of this total and irrecoverable loss of BUILD DAO treasury assets through the deeds of one malicious actor," Build Finance added later in the thread. "Team members have made direct contact with the attacker but there seems to be no appetite for a dialogue, much less any reparations."