
PeopleDAO loses $120,000 in Ethereum via Google Sheets exploit
On March 6, the PeopleDAO community, formed to acquire a rare copy of the U.S. Constitution, was subjected to a hacking attack. The loss amounted to 76.5 ETH ($120,000).
1/10
Bad news:
PeopleDAO Community Treasury on @safe has recently been exploited for 76 ETH (~$120,000) via social engineering during monthly reward payout on March 6th.
This exploit is not related to $PEOPLE token contract.
Details below: — PeopleDAO (@The_PeopleDAO), March 11, 2023
According to the investigation, the PeopleDAO accounting team accidentally posted a link to a Google Sheet containing the monthly payout form in a public Discord channel. The document had edit rights enabled. An unknown person entered their own wallet address with a payment amount of 76.5 ETH, then hid that row.
“The team leaders did not detect the hidden line during the recheck. Then the file with the data from the table was sent to Safe’s CSV Airdrop tool for distributing the reward. Validators also did not notice the malicious transfer,” explained the PeopleDAO team.
5/10
Because there are 80 transfers in the tx, 6 out of 9 multisig signers did not notice the malicious transfer, signed and executed the tx, sending 76 ETH to the hacker’s address.
Txhash: https://t.co/NUGnRDS5xd
Hacker address: 0x80f751a95f678255cae9a280d4f25e5b926eae366 — PeopleDAO (@The_PeopleDAO), March 11, 2023
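The failure chain above has a clear control point: the exported payout data should be checked mechanically before it reaches the airdrop tool and the signers, because a row hidden in a Google Sheet is still present in the CSV export and in the resulting batch transaction. The following script is an added example, not code from PeopleDAO, Safe or ForkLog. It assumes a simple two-column "receiver,amount" layout (an assumption, not the Safe CSV Airdrop tool's real format), a constructed roster of approved recipients, and a constructed sample export whose third row plays the role of the injected entry. It reports any recipient not on the roster, any amount above a per-row cap, malformed addresses, and a total that differs from the amount the treasury expected to pay out.

```python
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# A plain 20-byte hex address; checksum casing is not enforced here.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample export (not real data). The third row stands in for a row an
# outsider added to the sheet and then hid: hiding a row does not remove it from the export.
SAMPLE_PAYOUT_CSV = """receiver,amount
0x1111111111111111111111111111111111111111,0.5
0x2222222222222222222222222222222222222222,0.75
0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,76.5
0x3333333333333333333333333333333333333333,0.25
"""

# Constructed roster of contributors approved for this payout cycle (hypothetical addresses).
APPROVED_RECIPIENTS = {
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
    "0x3333333333333333333333333333333333333333",
}


def review_payout(csv_text, approved, per_row_cap, expected_total=None):
    """Check an exported payout CSV before it is handed to a batch-transfer tool.

    Returns a dict with the row count, the summed amount, a list of
    (row_number, receiver, reason) findings, and ok=True only if nothing was flagged.
    Row numbers count from 1 at the header line, matching what a reviewer sees in the sheet.
    """
    approved_lower = {a.lower() for a in approved}
    findings = []
    total = Decimal(0)
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    for row_no, row in enumerate(rows, start=2):
        receiver = (row.get("receiver") or "").strip()
        raw_amount = (row.get("amount") or "").strip()

        if not ADDRESS_RE.match(receiver):
            findings.append((row_no, receiver, "malformed receiver address"))
            continue
        try:
            amount = Decimal(raw_amount)
        except InvalidOperation:
            findings.append((row_no, receiver, f"unparseable amount {raw_amount!r}"))
            continue
        if amount <= 0:
            findings.append((row_no, receiver, f"non-positive amount {amount}"))
            continue

        total += amount
        # The two checks that would have caught the injected row: unknown recipient
        # and an amount far outside the normal monthly reward size.
        if receiver.lower() not in approved_lower:
            findings.append((row_no, receiver, "recipient not on approved roster"))
        if amount > per_row_cap:
            findings.append((row_no, receiver, f"amount {amount} exceeds per-row cap {per_row_cap}"))

    # A whole-batch sanity check: the summed payout must match what the treasury budgeted.
    if expected_total is not None and total != expected_total:
        findings.append((0, "", f"batch total {total} differs from expected {expected_total}"))

    return {"rows": len(rows), "total": total, "findings": findings, "ok": not findings}


def print_report(result):
    """Human-readable summary for the signers' review step."""
    print(f"{result['rows']} rows, total {result['total']} ETH")
    for row_no, receiver, reason in result["findings"]:
        where = f"row {row_no}" if row_no else "batch"
        print(f"  FLAG {where} {receiver}: {reason}")
    print("OK to sign" if result["ok"] else "DO NOT SIGN: findings above must be resolved")


if __name__ == "__main__":
    # Constructed inputs: the DAO budgeted 1.5 ETH for this cycle and no single reward exceeds 5 ETH.
    print_report(review_payout(SAMPLE_PAYOUT_CSV, APPROVED_RECIPIENTS, Decimal("5"), Decimal("1.5")))
```

The script is meant to run on the exported file, not on the sheet itself, because that is what the airdrop tool consumes; a per-row cap and an expected batch total are cheap to maintain and turn an 80-row review from a visual scan into a pass/fail check that each multisig signer can repeat independently before signing.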
Subsequently, the hacker moved 69.2 ETH to the HitBTC exchange and 7.3 ETH to Binance. Both trading platforms, along with law enforcement agencies, were notified of the incident.
PeopleDAO is also conducting an internal investigation with blockchain security experts ZachXBT and SlowMist. The community offered the hacker a bounty of 10% of the stolen amount for the return of the funds. At the time of writing, the hacker had not responded to the offer.
Separately, the team will work on improving bookkeeping and training validators in multi-signature operations.
Earlier, ForkLog reported that the DeFi protocol Euler Finance was hacked for more than $196 million.