Web3 is Going Just Great

March 11, 2023

PeopleDAO loses $120,000 after payment spreadsheet is shared publicly

PeopleDAO is the successor to ConstitutionDAO, a group that made an ill-fated attempt to buy a copy of the US Constitution in November 2021. When the accounting lead for PeopleDAO accidentally shared an editable accounting spreadsheet link in a public Discord channel, an enterprising member of the Discord decided to take advantage. They inserted a row with their own wallet address for a 76 ETH (~$120,000) payment, then hid the row so it wouldn't display to the other viewers.

When team leads reviewed the spreadsheet to sign off on the payments, they didn't see the row, and there was no rollup showing total payments or anything else that would've helped them catch the malicious activity. The transactions were uploaded to a tool allowing asset transfers via CSV, and the required six out of nine multisig members approved the transaction.

PeopleDAO have reported that they're working with various security researchers to track the funds, and have reported the theft to the FBI and FTC.

Thread by PeopleDAO

October 27, 2022

French fry-themed DAO loses $2.3 million due to Profanity exploit

(attribution)

friesDAO describes itself as a "a decentralized social experiment where a crypto community builds and governs a fast food franchise empire via wisdom of the crowd". Welcome to the future.

Anyway, friesDAO seems to have fallen victim to the same Profanity vulnerability that has affected projects who used the tool to generate vanity wallet addresses. friesDAO wanted a wallet address beginning with 51D35 ("SIDES"), and as a result they opened themselves up to a major loss.

The project had previously announced that they had raised $5.4 million in funding, suggesting this attack drained almost half of the project's funds.

October 14, 2022

DAO Maker allegedly tries to dodge hack repayment promises

(attribution)

In August 2021, DAO Maker (not to be confused with MakerDAO) was hacked for $7.38 million. The stolen funds were taken from users, rather than a project treasury, and 5,521 people lost an average of $1,250 each. DAO Maker promised to compensate impacted users with a mix of the USDC stablecoin and USDR: an IOU token that they promised users would be able to redeem a year later for 110% of its dollar value.

Now that year mark is approaching, and a report from Rekt alleges that DAO Maker is trying to wiggle out of their promises through a governance vote, which they've framed as trying to "prevent major $DAO DUMP from USDR distributions". Meanwhile, they've deleted the post that explained the original distribution plan.

Most members of the DAO today were not affected by the attack, and so stand to benefit from not honoring the payout. One voting option suggests that these users "had their chance" to cash out their USDR, apparently ignoring that people were holding out for the promised 110% redemption.

Some whistleblowers have also claimed that team members have recently moved large quantities of DAO tokens to various wallets to vote. Some have also claimed that those team members recommended buying USDR tokens several months ago for below $1.10, as a safe arbitrage opportunity when they became redeemable for that amount.

"DAO Maker - Community investigates", Rekt

October 13, 2022

Blu3DAO faces claims that they've misused grant money to benefit founders

(attribution)

Blu3DAO is a DAO that describes itself as "focused on empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom". The group was the target of some negative attention two days prior, after an incident in which several members of Blu3 leadership accused a man of harassment at the Devcon Ethereum conference.

On October 11, a crypto developer advocate wrote a thread about the group, starting by saying "Most of the members of Blu3DAO are great people working towards a good cause. Despite this, there have been things around their finances that I personally have found questionable. I've refrained from calling them out & it's something that has bothered me for a long time". She went on to allege that the group had solicited over $1 million in grant money from the Harmony community, misusing a personal relationship with a member of Harmony to continue to obtain grant funding while the group had paused grant allocations, and using funds to personally benefit the founders.

"I run an organization dedicated to advancing womens & nb ppls careers. And this type of grifting only hurts everyone," wrote the developer advocate in her Twitter thread. She also wrote, "In the coming days they'll post some fraudulent report clearing them from wrongdoing. They're running an elaborate scam with many wallets. One of them is literally married to a decision maker at harmony. Lmaooo. Fuck the[m] scammers"

Blu3DAO's founders responded to the allegations by claiming that they had only ever received $75,000 of the $1 million they were committed by Harmony, and that the funds were still in the DAO treasury. They also claimed that the Blu3 DAO members were never paid for their work, and that the money from Harmony was "flow-through reimbursements for scholars/hackers' travel expenses".

October 11, 2022

Harassment accusation at Ethereum conference triggers wave of online misogyny and racism

A Black woman attending the major Devcon Ethereum community event in Bogotá posted to Twitter a photograph of a man at the conference, writing, "Day 1 of Devcon and a group of us women got harassed by a gross guy! What did the Ethereum Foundation team do? Smiled and chatted with him for 10 minutes and let him go on his way! I feel horribly unsafe at this event. 👎 Take women seriously when they report harassment." Blu3DAO, a DAO with which she is associated and which describes its mission as "empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom", later also tweeted that "we would like to formally address & acknowledge that an incident has occurred at Devcon", referencing the claim.

The man in the photo subsequently tweeted his version of events, in which he described encouraging the woman and her friends to jump up while taking a 3D photograph, and then gave them a thumbs-down gesture when they reacted in annoyance to him. He then claimed that they harassed him throughout the conference, by stalking him throughout the conference and posting his photo online with vague allegations of harassment.

The woman later elaborated on the event that had precipitated her report to Devcon staff, saying the man had been "verbally boo'ing and taunting us" at the photo booth.

It's a little unclear what actually happened at the event and who is at fault, something I don't intend to speculate on as a complete outsider. However, what's not unclear is the reaction from some people in the crypto community, who have used the incident (and their belief that the woman fabricated the harassment story) as evidence that all women, people of color, and "wokeness" are a blight on the crypto space. Various crypto enthusiasts have used the opportunity to denigrate what they view as a general issue of "feminazis", "purple hairs", or "SJWs" in crypto, and DAOs that aim to encourage gender minorities to engage with crypto. "Letting SJWs infiltrate into crypto was a huge mistake", wrote one person. "This is the woke crowd we didn't have to deal with last cycle. They came into crypto with their distorted vision of everything. [Crypto Twitter] got your back, mate."

August 22, 2022

Bank run leaves BendDAO with 5 ETH and a bunch of NFTs they can't sell

(attribution)

Honestly, who can blame BendDAO for failing to consider that the hype bubble around Bored Apes and other NFT projects might not last forever! "We underestimated how illiquid NFTs could be in a bear market when setting the initial parameters", the project wrote in a governance proposal.

BendDAO allows people to take out loans with their NFTs as collateral. However, if the floor price of those NFTs drops too far and the borrower doesn't pay back some of the loan to adjust its risk rating, other people can bid on the NFT.

The problem with this whole plan was revealed when lenders' confidence was shaken when it was reported that $5.3 million in Bored Apes were at risk of liquidation. Panicked users withdrew their assets from the platform, resulting in a bank run that drained the reserves to a low of 5 ETH (~$8,200). BendDAO had other assets, of course: the NFTs below the liquidation threshold. However, a lack of interested buyers willing to pay the minimum prices (95% of the collection floor price) left the project in a tough spot.

Since the extremely close brush with a liquidity crisis, the project has begun to consider a proposal that would reduce the threshold at which NFTs can be liquidated, reduce auction and liquidation protection periods, remove the 95% floor price bid requirement, and increase interest rates.

"Bank Run at NFT Lender BendDAO Prompts Attempt to Avert Another Liquidity Crisis", CoinDesk

August 18, 2022

Bribe Protocol team disappears after raising $5.5 million

(attribution)

The Bribe Protocol promised a DAO infrastructure tool where "token holders get paid to govern", and raised $5.5 million in funding in January to work on their extensive roadmap. However, the project leaders have effectively disappeared. There are no posts on the project's Twitter account since May, their Medium page has been untouched since March, and the Discord is a ghost town aside from the occasional message asking about the status of the project and the inevitable reply that the developers had rug pulled.

Bribe Protocol was incubated by Advanced Blockchain AG and Composable. Composable might ring a bell, because in February its pseudonymous head of product, 0xbrainjar, was revealed to be Omar Zaki, who had settled with the SEC over charges that he had misled investors while operating an unregistered investment advisement company and hedge fund. At the time, he wrote that "I do not want a mistake in my youth to cloud all of the team's efforts", though the SEC charge was filed less than three years prior, when Zaki was 21.

An employee of Figment Capital, one of the investors in Bribe Protocol, claimed that the project had formally shut down and returned 86% of the funds raised from institutional investors, though "retail took a huge L". However, this doesn't appear to have been publicly announced by the project.

Bribe Protocol is, of course, not to be confused with the other Bribe Protocol, a defi project that was abandoned in May 2021.

July 27, 2022

No more Dune or DAO for the Dune DAO

Dune script bible (attribution)

"DAO delusion was at its peak when the community went into this journey together", wrote SpiceDAO founder Soban "Soby" Saqib. SpiceDAO (named for the Dune drug) won an auction to buy a copy of the Dune script bible in January — at $3 million, far above its usual selling price, likely because it was public knowledge how much the DAO had raised. DAO members celebrated afterwards, excitedly anticipating an animated television series based on the book, apparently not realizing that buying a book (even for a very high price) does not confer rights to publish derivative works.

The DAO has stumbled along somewhat since its January victory, encountering issues with making the bible viewable to DAO members without breaking copyright laws, a diminishing treasury due to declining crypto prices, and controversy after Soby was linked to the Remilia Collective.

After all that, the project leader suddenly and apparently unilaterally announced a plan where members could redeem their SPICE for ETH, and stated that they would be removing project leaders, converting the DAO to a private company, and selling the Dune bible (likely at a major loss). It was nice knowing you, SpiceDAO.

July 23, 2022

Attacker makes off with $1.1 million after successful governance attack on the Audius web3 music platform

(attribution)

An attacker was able to create and pass a governance proposal to transfer out 18.5 million AUDIO tokens from the community treasury. They then successfully swapped these for 705 ETH (~$1.1 million).

Audius halted the token and smart contracts while they patched the bug, and brought the network back online shortly afterward. The attacker had found and exploited a vulnerability in the way the contracts were written which allowed them to rewrite the governance voting rules and delegate 10 trillion AUDIO tokens to themselves for voting purposes. They then used those tokens to pass the malicious proposal. The contracts had been audited by OpenZeppelin and Kudelski, but neither group caught the vulnerability. Audius stated that a plan for dealing with the loss of community funds was still under discussion.

"Audius Governance Takeover Post-Mortem 7/23/22", Audius blog
Tweet by CertikAlert

June 14, 2022

Merit Circle DAO votes to renege on deal with investor, provide 30% of what was owed

(attribution)

Members of the Merit DAO, a DAO operating in the play-to-earn space, voted on proposals renege on a deal signed with an early investor to the DAO, Yield Guild Games (YGG). The proposal argued that YGG had not "added value" to Merit (besides monetarily, of course).

YGG pointed out that the seed investor agreement did not require investors to "provide any specific value add services", and "there is no provision for Merit... to unilaterally cancel the contract". The core team replied to say that, "We would like to honor all agreements, however... the DAO holds the ultimate power". One minority voice in the community argued, "You can not just look back 6 months later and be angry with someone who took an early bet on you and say 'here is a refund'. We must uphold trust in compensating those who take early risks."

Surprisingly, YGG ultimately accepted a deal with the DAO rather than take it to court. The final decision did not entirely eliminate their promised returns, but still only granted them around 30% of what they would have been owed with the original deal (which would have been over $5 million).

In a Twitter thread, CEO of the 101.xyz web3 platform detailed the saga and wrote, "it's hard to see this as anything other than a horrendous stain on the reputation of web3... Merit Circle DAO may not need outside support anymore, but many other projects do. And now they've made it harder for earlier projects to get the capital they need. Investors might rightfully ask 'what if your DAO decides to fuck us'".

Twitter thread by Tim Connors

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.