PeopleDAO hacked for 76.5ETH in the most comically bad way
Some hacking requires very complex algorithms, brute force attacks, and the ability to overcome audited blockchain security. This one required none of that. Instead, the hacker social engineered PeopleDAO thanks to their incredibly lax security and total lack of foresight.
Unbelievably, PeopleDAO used a Google Sheet to handle automatic payrolls. Even more shockingly, an admin posted a link to the payroll sheet into a public Discord with edit access.
All the hacker had to do was insert their own address with a payment due of 76.5ETH — and then make that info invisible. So the humans looking at the payroll sheet wouldn’t notice anything was wrong but the automatic payment distribution went ahead and paid the hacker for “services rendered.”
Hacks substituting hacker addresses for others to get paid are nothing new. But to do so in a Google sheet is making it almost too easy for the hacker.
Why does PeopleDAO sound so familiar?
You may remember them better as ConstitutionDAO, formed in November 2021 to purchase a rare original copy of the U.S. Constitution. They came very close, raising $41 million from over 17,000 members… only to be outbid by a billionaire. Why did it fail? Basically, ConstitutionDAO committed one of the seven deadly sins: hubris. The DAO disclosed its maximum bid, allowing the billionaire to bid slightly higher and snatch the victory out of the hands of “the people” right as even Coindesk (erroneously) published that they won.
ConstitutionDAO failed in another way: they had no clear mechanism to unwind the individual contributions, causing massive gas losses in the process. A single-purpose DAO should be mindful of all the costs associated with both succeeding and failing in its singular mission. Now with perhaps the dumbest exploit in crypto history, PeopleDAO really needs to rethink its human factor.
Is there a better way?
tl;dr — yes! For starters, there are much more secure tools for DAO payroll processing than Google Sheets and certainly better ways to manage payroll than by posting a link on Discord. In DeXe’s DAO builder, payroll is done via proposals and voting — like all DAO governance is meant to be done.
There is also no need to create a DAO chaotically when there are turn-key DAO creation platforms available. When designing ours, we focused on non-technical people being able to create a DAO with a few clicks, no coding required. Same with integrations: there are various crypto tools to collect and spend money together, including at auctions. In our case, integration with any other DeFi protocol is done automatically via smart contracts once the community proposes and votes for it.
PeopleDAO’s problems are not new to crypto: using free basic tools and getting caught with pants down happens just as much in Web2. But the DAO framework has all the tools to avoid such unnecessary losses, often with just a few clicks.
So the next time The People are forming a DAO, they’d be wise to use a proper DAO creator to avoid disappointing the constituency.
Website | Telegram channel | Telegram chat | Facebook | Medium| LinkedIn | Twitter | Reddit| Discord