HectorDAO Investors Demand Control Over Remaining Assets Amid Silence Following $2.7M Hack
Summary:
HectorDAO investors are demanding control over the protocol's remaining funds following a $2.7 million hack in January and subsequent halt in communications from the core team. The hack exploited a "centralization" risk tied to the "addEligibleWallet" function, which had previously been warned about by blockchain security firm CertiK. The incident happened when the HectorDAO team planned to dissolve the organization and return assets to investors. Since the hack, investors have considered legal action amid failed attempts to reach the team while the investigation into the hack continues.
The patrons of HectorDAO, a decentralized autonomous organization on the Fantom network, are calling for oversight of the remaining funds of the organization. This follows silence from the core team after a recent hack on January 16, where $2.7 million in assets were lost. A key stakeholder of HectorDAO, requesting anonymity, informed Cointelegraph that the communication between the HectorDAO team and its users was discontinued on January 19. They specified that as of September 2023 all social media channels of the project were silenced, although communication was possible until earlier in January via the Google Group email of the team, which is now reportedly removed.
The hack rendered the situation more severe as it happened when the organization was planning to terminate its operation and return assets to the investors. Supposedly, HectorDAO ignored prior security warnings. According to information from blockchain security firm CertiK, HectorDAO turned a blind eye towards the advice proposed to fend off the risk due to the operational function "addEligibleWallet”. This function was the main loophole exploited by the hackers. CertiK's investigation reveals that this function could be initiated by any account having moderator authority.
Contrarily, HectorDAO disputes the claims, stating that they had a collaboration with CertiK for a comprehensive evaluation of the contract's security, and their assets were securely confined to a Redemption Vault before the start of the claim process. An analysis of the blockchain points that the attacker had access to the team's account, suggesting the hack was either an inside play or the result of compromised private keys. The last known correspondence from the development team to investors was made on January 18, after which no further communication was made.
HectorDAO traces back to 2021, where the early investors were provided the opportunity of acquiring HectorDAO's token, HEC, at a discounted rate via DAO bonds. The funds collected from this method were retained in the treasury of DAO, where virtually, each token was a representation of partial ownership of the treasury, promising yield for the token holders. At its peak, the treasury of HectorDAO maintained more than $100 million in virtual assets.
However, the circumstances started to go south with summer's crypto winter. By May 1, 2023, the price of HEC had plunged to nearly 1% of its initial value as per data from CoinMarketCap. Alongside the price fall, the value of the treasury in HectorDAO also declined. Matters got worse when the hack on the Multichain bridge caused losses of around $8 million for HectorDAO in July 2023, which affected some of its treasury assets, resulting in the depeging from their Ethereum collateral. Following this incident, the investors of HectorDAO decided to dissolve the organization and return the funds to its users. However, at the moment of the decision, a majority of the $16 million in the treasury was yet to be delivered to the investors by January 2024.
On January 15, the HectorDAO team planned to finalize the delivery of the treasury funds, but an ill-intentioned account transferred $2.7 million to itself by depositing a mere 0.0001 HEC. After this event, the redemption platform was shut down by the team, and all remaining assets were transferred back to the treasury contract, suspending further redemptions.
On January 18, HectorDAO announced the hacking of the redemption platform and claimed to actively investigate it while promising future updates. But after the announcement of the hack, irate token holders blamed the development team for the hack, arguing that it was either the handiwork of a disgruntled developer or the result of a compromised private key.
Lilbagscientist, a blockchain analyst, published a meticulous report on the attack. The analyst used data from Etherscan to highlight that the preparations for the attack started a month ago, on December 16, 2023. The attacker deployed 0.0001 HEC, which remained in the account until January 15. It was observed that between 3:14 am and 4:19 am on January 15, sixteen transactions occurred where funds were moved to the Hector Redemption Treasury contract. At 5:59 am on January 15, the attacker enacted a transaction that allowed the Redemption Contract to send $2.7 million in USDC to the attacker.
As of January 18, the last known update from HectorDAO was that the redemption process was temporarily suspended. Meanwhile, some of the HectorDAO investors warned of legal action after several unsuccessful attempts to contact the HectorDAO team. There were promises to reimburse the investors by March as the procedure to dissolve the DAO continues. At the time of publishing, it was not possible to get a response from the HectorDAO team.
Published At
2/13/2024 6:00:00 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.