PeopleDAO Community Vault Hacked for $120k

On March 12, PeopleDAO announced on Twitter that its community vault, a multi-signature wallet on the digital asset management platform Safe (formerly Gnosis Safe), had lost 76 ETH (about $120,000) to a social engineering attack while paying out the monthly contributor rewards on March 6. The incident does not involve the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through a Google Form. The accounting lead mistakenly shared a link with editing rights in a public Discord channel. After obtaining edit access through that link, the attacker inserted a 76 ETH payment to their own address into the form data and hid the row, so the team lead did not find it during review. The CSV file, exported with the inserted row, was then submitted to Safe's CSV Airdrop tool for reward distribution. Because the resulting transaction contained 80 transfers, the six of the nine multi-signature signers who approved it did not notice the malicious transfer. Once the transaction was signed and executed, 76 ETH went to the attacker's address.

PeopleDAO's multi-signature wallet was attacked and 76 ETH were lost

Analysis based on this information:

PeopleDAO, a decentralized autonomous organization (DAO), suffered a significant setback when its community vault, a multi-signature wallet on the digital asset management platform Safe, was drained on March 6. The attack cost the DAO 76 ETH, worth roughly $120,000, and was carried out through social engineering rather than any exploit of the chain or the wallet contracts.

The attacker gained write access to the monthly contributor reward data, which PeopleDAO collects through a Google Form, because the accounting lead mistakenly posted a link carrying editing rights in a public Discord channel. With those rights, the attacker added a 76 ETH payment to their own address and hid the row. Because the row was hidden, the team lead did not detect it during review: the review was performed on a view of the data that differed from what would later be exported.

The CSV file was then exported, inserted row included, and submitted to Safe's CSV Airdrop tool, which combined the payouts into a single multisig transaction. With 80 transfers in the batch, the six of the nine multi-signature signers who approved it did not spot the one malicious entry. Once signed and executed, the transaction sent 76 ETH to the attacker's address.
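There were two points in the pipeline above at which a mechanical check would have stopped the payment: before the CSV was uploaded, and before each signer approved the batch. The script below is an added example written for this page, not PeopleDAO's or Safe's code. It assumes the CSV uses the column layout of the Safe CSV Airdrop app (token_type, token_address, receiver, amount, id), that the batch is a Safe MultiSend payload (each inner call packed as operation, 1 byte; to, 20 bytes; value, 32 bytes; data length, 32 bytes; data), and that the DAO keeps a contributor allowlist independent of the form. All addresses, amounts and rows are constructed for the example; the last CSV row plays the part of the hidden insertion.

```python
"""Pre-upload and pre-signing checks for a batched treasury payout.

Added example, not PeopleDAO's or Safe's code. Assumptions: CSV columns as in
the Safe CSV Airdrop app; batch calldata in Safe MultiSend's packed layout;
constructed sample data throughout.
"""
import csv
import io
from decimal import Decimal

WEI = 10**18

# Constructed allowlist: the recipients the reviewer actually approved.
ALLOWLIST = {
    "0x1111111111111111111111111111111111111111": "alice",
    "0x2222222222222222222222222222222222222222": "bob",
    "0x3333333333333333333333333333333333333333": "carol",
}
APPROVED_TOTAL_ETH = Decimal("3.5")  # sum the reviewer signed off on

# Constructed payout CSV. The last row is the attacker's insertion: hidden in
# the sheet the reviewer looked at, present in the exported file.
PAYOUT_CSV = """token_type,token_address,receiver,amount,id
native,,0x1111111111111111111111111111111111111111,1.0,
native,,0x2222222222222222222222222222222222222222,1.5,
native,,0x3333333333333333333333333333333333333333,1.0,
native,,0xbad0bad0bad0bad0bad0bad0bad0bad0bad0bad0,76,
"""


def check_payout_csv(text, allowlist, approved_total):
    """Findings for a payout CSV before upload; an empty list means it passed."""
    allowed = {a.lower() for a in allowlist}
    findings, seen, total = [], set(), Decimal(0)
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        addr = row["receiver"].strip().lower()
        amount = Decimal(row["amount"])
        total += amount
        if addr not in allowed:
            findings.append(f"line {line_no}: {amount} ETH to unlisted receiver {addr}")
        if addr in seen:
            findings.append(f"line {line_no}: duplicate receiver {addr}")
        seen.add(addr)
    if total != approved_total:
        findings.append(f"total {total} ETH does not match approved {approved_total} ETH")
    return findings


def encode_native_multisend(transfers):
    """Pack (receiver, wei) native transfers in MultiSend's layout; used here
    only to build the sample batch a signer would be asked to approve."""
    out = b""
    for to, wei in transfers:
        out += b"\x00" + bytes.fromhex(to[2:]) + wei.to_bytes(32, "big") + (0).to_bytes(32, "big")
    return out


def decode_multisend(data):
    """Unpack a MultiSend payload into (operation, to, wei, calldata) tuples."""
    txs, i = [], 0
    while i < len(data):
        if len(data) - i < 85:
            raise ValueError("truncated MultiSend payload")
        op = data[i]
        to = "0x" + data[i + 1:i + 21].hex()
        wei = int.from_bytes(data[i + 21:i + 53], "big")
        dlen = int.from_bytes(data[i + 53:i + 85], "big")
        calldata = data[i + 85:i + 85 + dlen]
        if len(calldata) != dlen:
            raise ValueError("truncated MultiSend payload")
        txs.append((op, to, wei, calldata))
        i += 85 + dlen
    return txs


def check_batch(data, allowlist):
    """What a signer should see before approving: unlisted recipients,
    delegatecalls, and inner calls carrying calldata (not plain transfers)."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for n, (op, to, wei, calldata) in enumerate(decode_multisend(data)):
        if op != 0:
            findings.append(f"tx {n}: delegatecall to {to}")
        if calldata:
            findings.append(f"tx {n}: {len(calldata)}-byte calldata to {to}")
        if to not in allowed:
            findings.append(f"tx {n}: {Decimal(wei) / WEI} ETH to unlisted {to}")
    return findings


if __name__ == "__main__":
    for f in check_payout_csv(PAYOUT_CSV, ALLOWLIST, APPROVED_TOTAL_ETH):
        print("CSV:", f)
    rows = list(csv.DictReader(io.StringIO(PAYOUT_CSV)))
    batch = encode_native_multisend(
        [(r["receiver"], int(Decimal(r["amount"]) * WEI)) for r in rows])
    for f in check_batch(batch, ALLOWLIST):
        print("batch:", f)
```

Run as written, the CSV check reports the unlisted 76 ETH receiver and a total of 79.5 ETH against an approved 3.5 ETH, and the batch check reports the same recipient in the decoded calldata. The point of the second check is that a signer compares the bytes they are signing against the allowlist, not the wallet UI's row count; one unexpected address in 80 is invisible to a human scan and trivial for a diff.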

It is worth noting that this event had nothing to do with the PEOPLE token contract. The root cause was a process failure, an editable form link posted publicly and a review conducted on a view that hid the inserted row, rather than a flaw in the smart contracts or in Safe itself. PeopleDAO is a community-driven organization that is determined to explore the potential of DAOs and promote DAO-to-DAO communication.

The incident highlights the human and process side of running a DAO. Whatever the guarantees of the blockchain layer, a treasury is only as secure as the off-chain pipeline that produces the transactions its signers approve. Here the weak links were an editor link shared in a public channel, a review that could not see the hidden row, and signers who approved an 80-item batch without checking each recipient. Social engineering of this kind is a common threat to blockchain organizations; strict handling of edit links, a review performed on the exact data submitted for signing, and signers who verify what they sign are needed to prevent it.

In conclusion, the PeopleDAO community vault hack is a reminder that the security of a blockchain treasury depends on the people and processes around it. The incident underlines the need for care in sharing sensitive links, for review steps that examine the actual data being paid out, and for ongoing training of the people who collect, review and sign. Sustained attention to these controls is essential to safeguard the integrity of DAOs and blockchain systems.


This article and pictures are from the Internet and do not represent Fpips's position. If you infringe, please contact us to delete: https://www.fpips.com/7941/