HACK ANALYSIS

PeopleDAO Community Hack — Invisible hacker


Overview:

The Google Sheet used to award monthly rewards to users based on their contributions to the community was compromised, causing a loss of $120,000. On March 6, 2023, the PeopleDAO community stated that it had been exploited and that funds held in its treasury on the Safe platform had been taken.

Smart Contract Hack Overview:

Attacker’s Transaction

Decoding the Smart Contract Vulnerability

  • The attack was possible because the accounting lead published, in a Discord channel, a link to a Google Form that had accidentally been left accessible to the public. The form was used to gather the addresses of users who were to receive rewards based on their contributions to the community.
  • The attacker added their own address, with an amount of 76 ETH, to the sheet in a hidden format. The signers exported the data as a CSV and used it on Safe to create the reward-distribution transaction; 6 of the 9 signers failed to notice the malicious address, and 76 ETH were transferred out of PeopleDAO’s treasury, a loss of $120,000.
  • The stolen funds were then deposited at HitBTC and Binance. The team reported the theft to the FBI and FTC for further investigation and fund recovery.

Mitigation and Best Practices:

  • Tightly regulate who has access to the accounting sheet.
  • Before signing, multi-sig signers should double-check all the information.
  • Employ an improved user interface on @safe to display the transaction’s gross value, such as the total amount of $ETH and $PEOPLE transmitted.
  • Always adhere to the least privilege access control approach and the zero-trust policy.
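One way to apply the second and third recommendations before a batch is signed, as an added example that is not part of the original post or of Safe’s own tooling: a small Python check that totals the exported payout CSV, flags any recipient not on the independently collected contributor list, and rejects any row above a per-recipient cap. The CSV, the addresses and the caps below are constructed placeholders, not data from the incident.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: a payout sheet exported to CSV. The last row stands in
# for an attacker-inserted entry that was hidden in the spreadsheet UI.
# Addresses are made-up placeholders, not the real ones from the incident.
PAYOUT_CSV = """recipient,amount_eth,note
0x1111111111111111111111111111111111111111,1.5,Contributor A
0x2222222222222222222222222222222222222222,2.0,Contributor B
0x3333333333333333333333333333333333333333,0.75,Contributor C
0x4444444444444444444444444444444444444444,76,
"""

# Constructed allowlist: addresses collected through the contributor form
# (in practice, sourced independently from the sheet being checked).
APPROVED_RECIPIENTS = {
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
    "0x3333333333333333333333333333333333333333",
}

# Per-recipient cap and the gross total a signer expects for this month.
MAX_PER_RECIPIENT_ETH = Decimal("10")
EXPECTED_TOTAL_ETH = Decimal("4.25")


def review_payouts(csv_text, approved, max_per_recipient, expected_total):
    """Return (gross_total_eth, findings); each finding is (csv_line, address, reason)."""
    findings = []
    total = Decimal("0")
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        addr = row["recipient"].strip().lower()
        amount = Decimal(row["amount_eth"].strip())
        total += amount
        if addr not in approved:
            findings.append((line_no, addr, "recipient not in approved contributor list"))
        if amount > max_per_recipient:
            findings.append((line_no, addr, f"amount {amount} ETH exceeds per-recipient cap"))
    if total != expected_total:
        findings.append((None, None, f"gross total {total} ETH differs from expected {expected_total} ETH"))
    return total, findings


if __name__ == "__main__":
    total, findings = review_payouts(PAYOUT_CSV, APPROVED_RECIPIENTS,
                                     MAX_PER_RECIPIENT_ETH, EXPECTED_TOTAL_ETH)
    print(f"Gross value of batch: {total} ETH")  # the figure every signer should see
    for finding in findings:
        print("DO NOT SIGN:", finding)
```

Every signer runs the check against the same CSV they are about to load into Safe and refuses to sign while any finding is reported.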

Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detectors at SolidityScan, including access control vulnerabilities.

SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord