Details of the $7 million DAO Maker hack in an exclusive interview with DAO Maker CEO Christoph Zaknun
This summer set a record for the number of DeFi project hacks. On August 12, DAO Maker was hacked and the attackers withdrew $7 million. We conducted an exclusive interview with DAO Maker CEO Christoph Zaknun and went through the details of what happened.
— What exactly happened?
It was a wallet exploit. We have two different types of contracts: vesting and vault contracts, where people put DAO, and Essential contracts. The Essential contract was always the one we thought was most likely to be compromised. That's why we made sure the deposit was relatively low, and that's why most people didn't lose all their money. The reason is that in order to do a Strong Holder Offering (SHO), we have to take all the winners who won in the SHO and send that to the blockchain. The only way not to do that is to make it so that everyone who wants to participate in DAO Maker has to personally sign the order. That means we have 5,000 people on Essential trying to enter the lottery. And if everyone signed a transaction, it would spam the network and cost users about a quarter of a million in Ether in gas fees.
So we decided: okay, we should add multi-signatures to it and try to make it as secure as possible. Minimize the maximum deposits in contracts so that people are not too eager to hack into them. We already knew that in March.
Every time there is a sale, we have to take that wallet and do a lot of transactions with it. After all, some computer was responsible for breaking that code. We have two teams trying to investigate exactly who was responsible. We're double-checking our own employees, checking their laptops. Not only that, but we're also checking the on-chain data. We also have a lead towards a Binance account, and a lead on Etherscan.
What happened was that two multi-signature wallets were compromised, which allowed the hacker to create this Essential contract, which said: these are the winners and they won a thousand-dollar allocation. And if you win a SHO, then $1,000 will be pulled out of your deposit into the wallet of our customers, of the projects on DAO Maker. For example, we had DinoX recently, and if you won it, then the smart contract would take the $500 and send it to DinoX. Once they had both wallet addresses compromised for this process, they were able to create multiple SHOs:
In the first SHO, they pulled out everybody who had deposited the most money. We had a max cap of $10k that you can put into the contract, because we knew there is no point in putting yourself more at risk. There were about 30 people who had $10k in there. So he made the first SHO with 30 people and $10k and pulled that out.
And then he made a second one with 100 people / $5k. And then he went to the masses, which had $1,000 to $1,500.
The good news is that the majority of people who invest and pre-deposit in DAO Maker have less than $1,000 in the deposit. And they were not affected at all. So if anybody deposited less than $900 into the deposit contract, then your money is still there. It's safe. You can withdraw it whenever you want. We changed all the signatures, we also added Copper and discussed Coinbase Custody, to provide additional features and multi-signature with more professional companies. So that's the summary of what happened.
— Why were people with less than $1,000 deposited not affected?
I assume it's because when you want to write data within the smart contract, you cannot give more than 250 lines of code. So that will be 2 or 50 wallets. So the hacker would first try to get to the bigger wallets, in case he gets caught in the meantime. We just cut him off before we could take more damage.
Since we have a lot of users, it takes an amount of time to write the smart contract. By the time he got to the smaller users, we cut him off.
— Whom does this affect in a big way?
I would say we’re quite lucky, because the individual person lost a thousand dollars, which in crypto can be used as a gas fee. So many people lost a little bit, so nobody lost a lot.
We will compensate everybody. We haven’t yet decided the compensation plan. It will be decided in the next two days and will be sent via e-mail.
First of all, it's very important to say that every other contract on DAO Maker does not have a private key, nor is it upgradable. And I made very sure of this.
So when you deposit DAO to the vaults, we don't have the ability, even if we wanted to, to pull out your money. I was always very clear on this. My developers wanted to make sure it doesn't work, and that it makes it easy for us to upgrade the contract for a better user experience.
For example, one month ago we switched between V1 and V2 vaults, and it took one month and was kind of a pain, because everyone had to manually pull out their money. But this means that we don't have any risk of a centralised wallet or a multi-signature being compromised and all the DAO being stolen. Because if all the DAO were stolen, it would be much, much worse than what happened today.
What happened today was basically the USDC getting stolen, so there was no price impact on DAO at all. If a vault were stolen, first of all, the individual user has a lot more money in the vault, usually more than $5k of DAO, and the collective damage of DAO would have been dumped on the market and would probably kill the company. This can never happen.
Additionally, the contracts of the vaults are forks of the most notable DeFi protocols, such as Synthetix, which have billions of dollars in them. So if you trust Synthetix, then you can trust the vaults. Meaning, as long as the entire industry doesn't break apart, our vaults cannot break apart, since there is no centralized point of failure, like the SHO contracts.
The SHO contracts had this because the only other option was for everybody to pay a transaction fee for every single SHO they registered for, which was not an option.
— Did this affect the ecosystem of DAO Maker?
That's a good question. This will not affect the other users. The vaults cannot be affected, the vesting contracts cannot be affected. This is the only point of failure, and it was in the process of being improved. But before the improvement, it was compromised.
A launchpad by design is just a website. Some launchpads are more complicated, some are less. But the only value of the launchpad is the network and the value-adding services.
I would say this hack increased our exposure a lot. Everybody is talking about us. So the total network of DAO, and those associated with DAO, is going to increase. So we think of it as a marketing event.
Going on DAO Maker is two things. You trusted that we are very diligent with our clients, which had no impact from the hack whatsoever. And the second is you can know that now more people know about DAO Maker and the platform, not fewer. Once we have dealt with the individual investors, who have also lost a relatively low amount of money, and compensated them, I believe that this is actually very net-positive for the company.
None of these things are affected by the hack. This is the main reason why these clients and quality-made companies come to DAO Maker. I believe that they will continue to come to DAO Maker, and this was unaffected. Therefore, this whole situation, a month from now, will be positive for the company.
— If a hack affects the USDC wallets, can Circle freeze the money and make those transactions invalid?
That is the reason why the hacker instantly swapped it into Ethereum. We're going to reduce the individual maximum deposit level to $2,500, which is going to make people less attractive to hackers. Additionally, if there are any transactions over $3,000, we will automatically notify USDC, which can be frozen, as it's real money. So in case of a hack, the money will be automatically frozen.
These are all the things that we had actually planned. So if this had happened in a week, it probably wouldn't have happened.
— Why are hackers so active these days?
I think the main reason is the cross-chain bridges. Since they started to appear a few months ago, most of the hacks have happened. Most of the hacks that are happening at the moment are on BSC, which is full of bad coders. We also had a bull market recently, which means a lot of greedy people depositing money into a lot of badly written code, or bad key management. It's a mix of all these things that have led to all these hacks.
Our case is essentially that multiple people were compromised before we had the ability to add a stricter protocol to multi-signature storage.
— What can you say about the Chainport hack?
So the Chainport situation affected several people. About 150k DAO was affected by it, which is not a lot, but we're still in discussions with Chainport that they will provide the money for this, and they are liable for this. Regarding the several other companies which were also affected, we're very much working with these companies to improve the price action. So this is, for example, a much worse case scenario than when the stablecoins get stolen, because you will also have the price dump. Chainport built the system in a rush, and they did not introduce any multi-sig protocols before they went live, so once one key got exploited, or compromised, they were able to pull and withdraw most of the funds from Chainport.
We will not be supporting any more centralized bridges for multiple coins, because the risk is just too high. Once the IPAD bridge is done, and the final conversations with Chainport are also done, we will airdrop the corresponding DAO amounts to all the people who have BSC DAO tokens, and that will be the conclusion to all of this Chainport wrapping.
— Why did the CEO of 2key say that there was no hack?
I believe that he says there was no hack because a hack usually means that the code was exploited. But someone just got into his computer and stole the key. We have nothing to do with this. This is another company building their own stuff, just like any other client of DAO Maker.
— What is next in the recovery, and are there any other products?
We've been growing extremely fast. Now we have a lot more active wallets and Synthetics. The main objective of the last two months was to improve the fundamentals of the company: the security of every aspect, in terms of legal, in terms of company set-up and in terms of quality hiring.
We've hired a new CFO, who has been helping us a lot. We introduced new multi-signature security protocols, and also a custody provider. Furthermore, we're in the process of moving all the locked DAO into multiple insured custody providers, so that we won't have the overhead of all the DAO getting stolen. We're doing the same for the vesting contracts for the clients.
The main priority now is to keep business running, because it's running very well, while ensuring that everything is dealt with on a more fundamental basis, so that things don't go wrong as they did today. Moving forward, once it's done, we will have several products coming out, increasing the raises that we do and increasing the product capabilities that we offer, which will hopefully improve the company as a whole.
But I don't want to get into the details of what we're going to build before the people who were affected today are compensated, so that we can first close this chapter before moving forward.
— How can I check if my account has been hacked?
Well, if you have less than $900, you were not hacked. If you have more than $900, you were hacked. Then you will see the deposit of $900 on daomaker.com in the portfolio section.