DAO on Solana loses $230K after ‘attack proposal’ goes unnoticed

  blockworks.co 19 m

The legwork behind DeFi hacks can be quite sophisticated. But an attacker targeting Synthetify last week only had to vote on — and pass — their own proposal to steal some $230,000 worth of crypto.

Synthetify was exploited by an attacker who made and voted for public proposals in the protocol’s decentralized autonomous organization. By the time other DAO members noticed something was amiss, the funds had already been sent to Tornado Cash.

The situation represents a fresh example of a governance failure resulting in lost funds.

Synthetify is a Solana-native DEX that fell into debt following FTX’s meltdown late last year. In April, the project announced that it has plans to restructure.

Taking advantage of the DAO’s inactivity, the exploiter created ten identical-looking proposals and used their own tokens to reach the voting quorum. Nine of the proposals were empty, but the tenth contained code that sent around $230,000 in USDC, mSOL and stSOL to the attacker’s address, according to an X thread from the security auditing firm Neodyme.

$89,669 remains in the DAO’s treasury, according to available data.

The attacker’s exploit — conducted through the token vote-centric governance process, highlights the potential pitfalls facing DAOs that seek to ward off bad actors.

In the past, attackers have exploited DAO treasuries with so-called flash loans, borrowing large amounts of governance tokens to pass malicious proposals.

Serhii Kravchenko, chief operating officer of the DAO infrastructure provider DeXe, said DAOs should build better notification systems for the proposal process and should invest more heavily in financial incentives that reward DAO members for their participation.