An unknown attacker has stolen $2.3 million in tokens from a decentralized autonomous organization called FriesDAO. This comes amid a flurry of hacks and exploits this month, as October looks set to be a particularly bad month for crypto projects.
The exploit resulted from the hacker gaining control of FriesDAO’s “deployer wallet” and transferring out a large amount of FRIES, the project’s governance tokens, into their control. The perpetrator also drained other tokens from a staking pool, leveraging their access to the deployer wallet. The stolen tokens were sold off for $2.3 million of stablecoins held in the hacker’s address, security firm CertiK estimated.
“It has come to our attention that the refund deployer contract was exploited and managed to obtain FRIES tokens which were subsequently refunded for USDC and sold into the Uniswap pool,” said FriesDAO, while notifying users of the hack.
FriesDAO’s deployer wallet was generated using Profanity, a wallet-generator tool that’s known to contain a critical vulnerability. Last month, security analysts at 1inch found that private keys of vanity addresses generated via Profanity could be calculated by malicious hackers to steal funds. After 1inch’s disclosure, the vulnerability was exploited by hackers to steal $160 million in crypto assets from market making firm Wintermute.
FriesDAO had also relied on Profanity to generate their deployer wallet address. Due to the vulnerability, the hacker extracted the wallet’s private key to move funds out, according to CertiK. The security firm told The Block in a statement that the FriesDAO exploit could have been avoided had the team been more diligent and replaced the deployer’s address in time.
“This attack was preventable, as the Profanity vulnerability has been public knowledge for over a month,” the spokesperson said. “CertiK calls on all Web3 projects which have used the Profanity tool to immediately transfer control of any assets held in affected wallets to securely-generated addresses.”