Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk

A community member of the Tornado Cash cryptocurrency tumbler project has reported that malicious code was added to the Tornado Cash project on January 1, which has put at risk funds deposited into the service. According to the community member, a successful governance proposal two months ago resulted in a code change, but malicious JavaScript included in the change went unnoticed.

The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.

This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.

$2.7 million disappears from funds meant to compensate Hector Network investors

In July 2023, angry investors in the Hector Network project opted to "rage quit" — an option reserved by some defi projects that allows investors to vote to liquidate a project's remaining treasury and distribute it to token holders. The successful rage-quit vote in Hector's case came after the protocol lost $8 million in the Multichain disaster, although investors say that was only the final straw in a series of poor management choices and inflated salaries that saw the project treasury dwindle from over $100 million to around $16 million.

Now, another $2.7 million is gone after an apparent thief was able to exploit a smart contract that was intended to distribute payouts to Hector's token holders. They then swapped the tokens from the USDC stablecoin to ETH.

Investors in the project are furious, especially because various parties had warned Hector Network about apparently insecure practices. Hector Network's team, meanwhile, have not acknowledged the theft, although a law firm involved in the project liquidation promised a statement would be forthcoming.

Defunct BarnBridge reaches $1.7 million settlement with SEC

About six months after the SEC filed a complaint against the BarnBridge DAO, the group has agreed to disgorge almost $1.5 million in proceeds from their "SMART Yield bonds" — which the SEC also says attracted more than $509 million in investments. The two co-founders will also pay $125,000 each in civil penalties.

The SEC charged that the group had not registered their sale of the bonds as was required under US securities laws. BarnBridge shut down very shortly after the complaint was filed, without any input from its community, despite ostensibly being community governed.

Aragon DAO votes to sue its founding team

Aragon is a prominent project that creates DAO infrastructure. Ironically, its own DAO-based governance has been fraught, with the group facing a governance crisis in May over conflicts between the DAO and the Aragon Association (a small group of "stewards" for the project).

Now, after the Aragon Association decided without consulting the DAO to dissolve itself and wind down the project's governance tokens (while keeping some of the funds), the DAO has voted to sue the group. The DAO has accused the group of improperly taking investors' money to put it "into their new secretive company". They've allocated $300,000 to legal efforts.

Samudai treasury drained

The treasury of the Samudai DAO was apparently drained as an attacker compromised the project's multisignature wallets and the wallet belonging to the project's founder, Kushagra Agarwal. Altogether, around $1.25 million in ETH was stolen.

Agarwal sent a message to the thief shortly afterwards, offering a 10% "bounty" in exchange for the return of the rest of the funds. The attacker didn't seem to be interested, and in mid-January began tumbling the assets through the Tornado Cash cryptocurrency mixer.

Samudai didn't seem to publicly acknowledge the theft, even though they've posted on Twitter a few times since then. The organization had raised $2.5 million in pre-seed capital in June 2022.

Superdao to shut down

Superdao, a project aiming to assist communities in forming DAOs, has announced it will be closing its doors. It was blunt in its announcement: "it became clear that the crypto industry itself becomes much smaller than its initial ambition ('the new internet') and specialized tools for crypto companies are unlikely to produce venture-scale outcomes."

The project had raised $10.5 million in a 2021 seed funding round, and has said they intend to return remaining funds to its investors.

Nouns DAO fractures in $27 million split

Nouns DAO, one of the most prominent Ethereum DAOs, has split into two projects after holders of around 56% of the Nouns NFTs in circulation voted to "ragequit". This means that they have forked into a new DAO, taking 16,757 ETH (~$27.3 million) of the original DAO's treasury with them.

Nouns NFTs have been popular since the project's launch in 2021, and in mid-2022 enjoyed a floor price of over 100 ETH (then over $150,000). Now they tend to sell for around 35 ETH (~$57,000). The DAO has used its substantial treasury to fund a wide range of projects, from creating Nouns short films, to distributing eyeglasses to kids, to partnering with Bud Light for a Super Bowl commercial in 2022.

Now, however, more than half of the project has opted to leave, with some leavers citing flawed decisionmaking and lack of leadership. As for the new fork, some Nouns owners may choose to "ragequit" — that is, forfeit their NFT and cash out their portion of the treasury (around 35.5 ETH, or $57,850, apiece). Some arbitrageurs have been buying Noun NFTs for months, hoping to use this ragequit functionality to profit.

Party Parrot team prepares to "vote" to allocate themselves 80% of initial offering funds, around $60 million

You almost have to hand it to the Party Parrot team, they really figured out how to take advantage of ostensibly "decentralized" governance to line their own pockets. After raising $80 million in an "IDO" — initial DEX offering — in September 2021, the project is now embarking on a governance "vote" that would cash out the project treasury and distribute it to PRT token holders. However, the project team also unilaterally decided to unlock tokens held by the team in November 2022, meaning that the project now has access to 80% of the token supply — the same tokens that will decide the outcome of the vote.

If the vote passes, and it likely will given the massive supply of tokens available to the team, the team will have just decided to distribute around $60 million in remaining funds to themselves, leaving $12 million to the token holders.

One commenter on the proposal described the move as "a pure financial crime". Another wrote, "The community has already explained in painstaking detail why we're not interested in this. The pro-rata value is an extreme lowball and fails to account for many of the team's misuses of the treasury without the community's consent. The team also prematurely unlocked the team and VCs' vesting tokens, so they are the majority token holders, making this vote meaningless and a total farce."

Hector Network begins shutdown after Multichain collapse

Hector DAO, the governing body behind the Hector Network, voted to liquidate the project's $16 million treasury and distribute it to tokenholders, effectively putting an end to the project.

On July 14, a community manager wrote on Discord that "Hector Network ha[d] suffered significant damage to its ability to operate" after the Multichain collapse, and that the project faced a choice between liquidating the treasury and winding down or migrating to a new blockchain and trying to rebuild. The community chose the former.

According to a post on Discord, the winding-down process will likely take 6 to 12 months as the project appoints a liquidator, legal counsel, and auditor.

Angry over the Azuki Elementals fiasco, Azuki holders form a DAO and immediately get exploited

After paying nearly $40 million for a new set of Azuki NFTs, the Azuki community is pissed that they were "dilutive" near-copies of the original Azuki collection. To fight back against the perceived "blatant scamming" by the Azuki creators, holders claiming to have collectively spent millions on Azuki projects formed an Azuki DAO. The DAO created a governance token, $BEAN, which it distributed to Azuki NFT owners. The DAO then embarked on a vote to hire a lawyer, sue Azuki's creator, and demand a refund of the 20,000 ETH (~$38 million) collectively spent on Elementals NFTs.

However, shortly after the DAO was created, the governance token was exploited. Attackers were able to take advantage of a flaw in the smart contract, with two exploiters stealing around 35 ETH (~$69,000). The DAO paused the contract to prevent further thefts.

File this one under "adding insult to injury".
