Hackers exploit smart contract to raid AzukiDAO airdrop
AzukiDAO airdrop contract exploited for 35 ETH.
  • AzukiDAO’s token contract was exploited with the attackers syphoning $68,000 worth of Ether.
  • The attack came amidst a governance token airdrop by the DAO.
  • The community is not officially endorsed by Azuki, but wants to force its founder to return $38 million to NFT holders.

In the latest instance of a compromised airdrop, hackers hit AzukiDAO’s distribution of tokens to holders of the anime-themed Azuki NFTs, according to a report by blockchain security firm BlockSec’s analytics tool MetaSleuth on Monday.

The hack came barely hours after the unofficial AzukiDAO was set up on Friday. While the attackers made off with just $68,000, the episode demonstrates how vulnerable airdrops are to heists.

In this case the attackers exploited a vulnerability in the smart contract of the DAO’s governance token BEAN, which was being claimed as an airdrop by interested Azuki NFT holders.

BEAN token ownership gives owners voting rights within the DAO. Each Azuki NFT owner can claim BEAN tokens worth about $390 to gain governance access.

The vulnerability took advantage of the smart contract’s inability to guard against replay attacks. The smart contract failed to check whether eligible claimants had already interacted with the code to claim their allocated airdrop.

“This allowed attackers to claim rewards multiple times using the same input variables, even if the reward had already been claimed before,” a MetaSleuth researcher told DL News.

“So far, we have identified two attackers who exploited the vulnerability,” the researcher said. One of the attackers profited $67,000 from the exploit.
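The missing check described above can be modelled off-chain. The sketch below is an added example, not AzukiDAO's contract code: the class names, the claimant address, the allocation and the HMAC voucher (a stand-in for whatever authorisation the real contract verified) are all assumptions made for illustration.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; stand-in for the airdrop signer
ALLOCATION = 100                      # constructed per-NFT token allocation


def issue_voucher(claimant, nft_id, amount):
    """Authorise one claim; HMAC replaces an on-chain signature check here."""
    msg = f"{claimant}|{nft_id}|{amount}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


class VulnerableAirdrop:
    """Verifies the voucher but keeps no record that it was redeemed."""

    def __init__(self, pool):
        self.pool = pool
        self.balances = {}

    def claim(self, claimant, nft_id, amount, voucher):
        expected = issue_voucher(claimant, nft_id, amount)
        if not hmac.compare_digest(voucher, expected) or amount > self.pool:
            return False
        self.pool -= amount
        self.balances[claimant] = self.balances.get(claimant, 0) + amount
        return True


class HardenedAirdrop(VulnerableAirdrop):
    """Same validation, plus a redeemed set consulted on every claim."""

    def __init__(self, pool):
        super().__init__(pool)
        self.redeemed = set()

    def claim(self, claimant, nft_id, amount, voucher):
        if voucher in self.redeemed:
            return False  # identical inputs were already paid out
        paid = super().claim(claimant, nft_id, amount, voucher)
        if paid:
            # On-chain, set this flag before the external token transfer.
            self.redeemed.add(voucher)
        return paid


def replay_claim(drop, times):
    """Submit one constructed claim `times` times; return how many paid out."""
    args = ("0xA11CE", 7, ALLOCATION)
    voucher = issue_voucher(*args)
    return sum(drop.claim(*args, voucher) for _ in range(times))
```

A regression test that submits the same claim twice and expects the second call to fail would catch this class of bug before deployment.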


The AzukiDAO developers have paused the token claim contract and the DAO is currently voting on what to do with the remaining unclaimed tokens. The team did not immediately respond to DL News’ requests for comments.

The AzukiDAO founders say they are “a dedicated group of Azuki enthusiasts” who believe the project should be “community-driven.” They expressed dissatisfaction with the actions of the project team, especially the pseudonymous Azuki NFT founder Zagabond.

Last weekend, DAO members voted to force Zagabond to relinquish the $38 million realised from last week’s Elementals NFT mint. They also plan to hire a lawyer to help with a possible legal tussle with Zagabond for control of the Azuki brand.

The Elementals NFT mint stirred up considerable controversy with criticism aimed at the project team for diluting the value of the Azuki collection. Some sections of its community also panned the lack of originality in the art.

Azuki’s floor price — the lowest listed price of an Azuki NFT — has suffered in the wake of these events, plunging 59% in the last seven days, DefiLlama data shows. This drop is part of a larger decline in the NFT market with other “bluechip” collections also posting double-digit declines in the last week.

To share tips or information about DAO governance please contact the author at osato@dlnews.com.
