PeopleDAO Vault Hacked: Social Engineering Attack Steals $120,000 in ETH
On March 12, PeopleDAO tweets showed that when PeopleDAO’s community vault on the digital asset management platform Safe (formerly Gnosis Safe) issued its monthly contributor award on March 6, 76 ETH (about $120,000) was stolen by hackers through a social engineering attack. This event has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through a Google Form. The accounting principal mistakenly shared a link with editing rights in a public channel of the Discord. After the hacker obtained editing rights through the link, he inserted a payment of 76 ETH to his address in the form and set the row as hidden. Because of this concealment, the team leader did not find it during the review. After downloading the CSV file with the inserted data, it was submitted to Safe’s CSV Airdrop tool for reward distribution. Since there were 80 transfers in the transaction, 6 of the 9 multi-signature signers did not notice the malicious transfer. After the transaction was signed and executed, 76 ETH was transferred to the hacker’s address.
PeopleDAO multi-signature wallet was attacked and 76 ETHs were lost
Analysis based on this information:
On March 6, PeopleDAO’s community vault on the Safe platform issued its monthly contributor award, only for it to be stolen by hackers a few days later. The stolen amount was 76 ETH, roughly equivalent to $120,000. The theft was carried out through a social engineering attack that exploited weaknesses in PeopleDAO’s accounting process.
It is important to note that this event had nothing to do with the PEOPLE token contract. Instead, PeopleDAO collects monthly contributor reward information through a Google Form. However, the accounting principal mistakenly shared a link with editing rights in a public channel of the Discord. This allowed the hacker to obtain editing rights through the link and insert a payment of 76 ETH to their own address in the form, setting the row as hidden. Because of this concealment, the team leader did not notice it during the review.
After the CSV file with the inserted data was downloaded, it was submitted to Safe’s CSV Airdrop tool for reward distribution. However, since there were 80 transfers in the transaction, 6 of the 9 multi-signature signers did not notice the malicious transfer. After the transaction was signed and executed, 76 ETH was transferred to the hacker’s address.
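The step that failed here was the reconciliation between what the form was supposed to contain and what the CSV actually told the multisig to pay. As an added example (not code from PeopleDAO, Safe or the original article), the following Python script reconciles a payout CSV against an independently held list of approved contributors before any signer approves the batch. The column layout, the addresses and the amounts are constructed assumptions for illustration; the real Safe CSV Airdrop format may differ.

```python
import csv
import io
from decimal import Decimal
from typing import Dict, List, Set

# Constructed approved payout list: address -> expected ETH amount, kept by the
# reviewer separately from the editable form. Hypothetical addresses and values.
APPROVED_PAYOUTS: Dict[str, Decimal] = {
    "0x1111111111111111111111111111111111111111": Decimal("1.5"),
    "0x2222222222222222222222222222222222222222": Decimal("0.75"),
    "0x3333333333333333333333333333333333333333": Decimal("2.0"),
}

# Constructed CSV resembling a batch export. The column names are an assumption
# for this example, not a statement of the Safe CSV Airdrop tool's format.
# The final row plays the role of the injected transfer described above.
SAMPLE_CSV = """token_type,token_address,receiver,amount
native,,0x1111111111111111111111111111111111111111,1.5
native,,0x2222222222222222222222222222222222222222,0.75
native,,0x3333333333333333333333333333333333333333,2.0
native,,0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,76
"""


def review_batch(csv_text: str, approved: Dict[str, Decimal]) -> Dict[str, object]:
    """Compare a payout CSV with the approved list and return findings.

    Flags receivers not on the approved list, amounts that differ from the
    approved amount, duplicate receivers, approved receivers that are missing,
    and the batch total versus the approved total.
    """
    findings: Dict[str, object] = {
        "unknown_receivers": [],
        "amount_mismatches": [],
        "duplicate_receivers": [],
        "missing_receivers": [],
        "row_count": 0,
        "total": Decimal("0"),
        "approved_total": sum(approved.values(), Decimal("0")),
    }
    seen: Set[str] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        receiver = row["receiver"].strip().lower()
        amount = Decimal(row["amount"].strip())
        findings["row_count"] += 1
        findings["total"] += amount
        if receiver in seen:
            findings["duplicate_receivers"].append(receiver)
        seen.add(receiver)
        expected = approved.get(receiver)
        if expected is None:
            # A receiver the reviewer never approved: exactly the hidden-row case.
            findings["unknown_receivers"].append((receiver, amount))
        elif expected != amount:
            findings["amount_mismatches"].append((receiver, expected, amount))
    findings["missing_receivers"] = sorted(set(approved) - seen)
    findings["safe_to_sign"] = (
        not findings["unknown_receivers"]
        and not findings["amount_mismatches"]
        and not findings["duplicate_receivers"]
        and not findings["missing_receivers"]
        and findings["total"] == findings["approved_total"]
    )
    return findings


if __name__ == "__main__":
    result = review_batch(SAMPLE_CSV, APPROVED_PAYOUTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Each signer runs the same check against the same approved list, so an extra row is caught even if the reviewer who exported the CSV missed it; comparing the row count and the batch total with the approved figures is a one-line check a signer can do by hand when the batch is too long to read line by line.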
This incident underscores the importance of having robust security measures in place when dealing with digital assets. Even seemingly minor lapses, such as mistakenly sharing a link with editing rights, can lead to significant losses.
In conclusion, the PeopleDAO community vault theft is a cautionary tale for other digital asset management platforms and their users, as it highlights the vulnerabilities of the accounting systems used in many decentralized organizations. It is crucial to be proactive in assessing security risks, as well as to remain vigilant against social engineering attacks. By taking these measures, users of decentralized organizations can better protect themselves and their digital assets.
This article and pictures are from the Internet and do not represent SipPop's position. If you infringe, please contact us to delete: https://www.sippop.com/6623.htm