【Intelligence of SlowMist Zone】 DAO Maker’s vesting system was hacked.

DeRace Token (DERC), Coinspaid (CPD), Capsule Coin (CAPS), Showcase Token (SHO) all use Dao Maker’s vesting system, and the DAO Maker vesting contract is attacked when the holder is issued (DERC) in DAO Maker , i.e. there is a vulnerability in the vesting system of DERC vesting contract participants: Init Initialization was unauthenticated, the attacker initialized the key parameters of init, and changed the owner at the same time, and then stole the token through emergencyExit and swap it into DAI. The attacker finally made a profit of nearly $4 million .

Hackers took advantage of the vulnerability in the vesting contract to emergencyExit the tokens in the vesting contract. The following is a brief analysis:

Implementation of vesting contract contract 0xf17ca0e0f24a5fa27944275fa0cedec24fbf8ee2 decompiled get the following information:

1. The init function in the vesting contract (function signature: 0x84304ad7) does not authenticate the caller, and the hacker becomes the owner of the vesting contract by calling the init function.

2. The Owner can call the emergencyExit function in the vesting contract to make emergency withdrawals.

Related contract address:
Take DERC as an example:
Vesting agency contract:
0x2fd602ed1f8cb6deaba9bedd560ffe772eb85940
0xdd571023d95ff6ce5716bf112ccb752e86212167

Vesting implementation contract:
0xf17ca0e0f24a5fa27944275fa0cedec24fbf8ee2

Hacker address:
0x2708cace7b42302af26f1ab896111d87faeff92f

— — — — — — — — — — — — — — — — — — — — —

In the same way it attacked other vesting contracts, transferring the following tokens:
DeRace Token (DERC): 0x9fa69536d1cda4a04cfb50688294de75b505a9ae
Coinspaid (CPD): 0x9b31bb425d8263fa1b8b9d090b83cf0c31665355
Capsule Coin (CAPS): 0x03be5c903c727ee2c8c4e9bc0acc860cca4715e2
Showcase Token (SHO): 0xcc0014ccb39f6e86b1be0f17859a783b6722722f

--

--

--

Focuses on Blockchain Ecosystem Security, have served over 1k+ customers.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

New Defi Listing: Klever (KLV)

How to explain BRO programming to My mom?

Digital Destruction of Human Rights

TryHackMe: [Day 23] Blue Teaming PowershELlF Magic

What is Penetration Testing or Ethical Hacking?

White Hat vs Black Hat vs. Gray Hat

Bonded ATS tokens with Socean Streams

What Impact do IoT-Based Mobile Apps Have in Enhancing User Experience

{UPDATE} Stickman:Street Football Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist

Focuses on Blockchain Ecosystem Security, have served over 1k+ customers.

More from Medium

DeFi Security Lecture 5-Overflow and Underflow Vulnerability

Securing Protocols During Development- From a High Level Invariant to a Pool-Draining Vulnerability

Dopple Finance’s $KUSD and Synthetic Assets Manual Minting Analysis

Tornado.Cash Deployment Proposal On Arbitrum