In what seemed to be a hostile takeover of the governance of the Build Finance DAO, the attacker was able to drain the funds of the DAO. But calling this incident an attack is a matter of definition; the attacker, while obviously not playing along the intents and purposes of the DAO, did not break any rules. The DAO was, after all, abiding by the principle of “code is law”.
The Build Finance DAO is a decentralized autonomous venture builder, owned and controlled by the community. Build Finance produces, funds, and manages community-owned DeFi products. The DAO engages in identifying business ideas, organizing teams, sourcing capital, helping govern the product entities, and providing shared services. In other words, the Build Finance DAO is a DAO providing services to other DAOs.
Total takeover of the DAO treasury
According to a tweet thread posted by the BuildFinance Twitter account, the governance of the DAO was taken over by a malicious actor who put forward and succeeded to push through a governance proposal to take control of the BUILD token contract.
“The attacker succeeded in the takeover by having a large enough vote in favor of the proposal and there were not enough countervotes to prevent the takeover from happening,” the tweet reads.
Apparently, this incident wasn’t even the first try; a previous attempt at a malicious takeover failed, as it seems because the attacker lacked proper funding. The attacker, displaying the ENS domain Suho.eth, according to the tweet, proceeded to top up and tried again, this time with success.
“As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure. Do not buy BUILD tokens on any platform,” the tweet reads.
Drained the Balancer and Uniswap liquidity pools
As per the announcement, the attacker was able to successfully access the DAO treasury due to the structure of the Build DAO governance model; as it seems the attacker simply managed to corral enough governance tokens to grab power, and the DAO doesn’t seem to have put mechanisms in place to defend the treasury against such a power grab.
Once the attacker had the power, he minted 1,107,600 BUILD ($1.7 million) in three transactions and drained the majority of the funds in the liquidity pools on the Balancer and Uniswap DEXs. The attacker then took control of the Balancer pools via the governance contract and drained the remaining funds, including 130,000 METRIC tokens, and tried to sell these tokens wherever there was any liquidity, causing intense sell pressure on the assets.
Graph showing price drop of BUILD token.
As a result of the incident, the market value of the BUILD token dropped from around $1.5 just before the attack, to essentially zero at the moment of writing. The METRIC token, however, seems to have made it through the incident pretty unscaved, in fact the price of METRIC is up almost 80% the past 24 hours.
“It is difficult to see a future for BUILD”
According to the BuildFinanace tweet, the attacker does not have control of any parts of the METRIC token or the Metric Exchange infrastructure, with a caveat: the supply shock might have caused a large change in the distribution of METRIC token and it’s still possible that a percentage of these tokens may be under control of heretofore unidentified bad actors.
“It is with deep regret that we have to inform the community of this total and irrecoverable loss of BUILD DAO treasury assets through the deeds of one malicious actor.”
According to the tweet, Build Finance team members have made direct contact with the attacker “but there seems to be no appetite for a dialogue, much less any reparations.”
“It is difficult to see a future for BUILD with only its brand recognition and IP assets, and no liquid treasury.”
Build Finance DAO hostile takeover, treasury drained CryptoSlate.
