defirisk.co
rubric v1.7.0

DAO Maker: Reinitializable init() function + emergencyExit() drain on token vesting contracts

DAO Maker was exploited for $4M when its token vesting contracts allowed anyone to call `init()` a second time — resetting ownership to the attacker and enabling `emergencyExit()` to drain all funds.

Occurred: 2021-09-04 | Loss: $4M | Status: closed

Summary #

DAO Maker, an IDO launchpad and token vesting platform, was exploited on 2021-09-04, resulting in a loss of approximately $4M.

What happened #

The token vesting contracts DAO Maker deployed for its launchpad projects exposed an `init()` function that set the contract's owner to the caller and carried no one-time guard: no `initialized` flag, no revert on a repeat call, no access control. The function had already run once at deployment, but because it remained externally callable, the attacker simply called it a second time and became the owner. Ownership in turn unlocked `emergencyExit()`, an owner-only escape hatch that moves the contract's entire token balance out, which the attacker used on 2021-09-04 to drain roughly $4M from the vesting contracts. Two defects compounded: an initializer that could be re-run by anyone, and a privileged drain function whose only protection was that same ownership check, so a single overwrite of the owner slot was immediately monetisable.
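The following Solidity is an added illustration of the bug class described above, written for this page; it is not DAO Maker's code, and every contract, parameter and event name other than `init()` and `emergencyExit()` is an assumption. It puts the vulnerable shape (re-callable initializer plus owner-only drain) beside a hardened one, and includes the two-call sequence the page describes so the difference is concrete.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration written for this page; NOT DAO Maker's code.
// Names other than init()/emergencyExit() are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable shape: an initializer anyone can call any number of times,
// paired with an owner-only function that moves the whole balance.
contract VestingVulnerable {
    address public owner;
    IERC20 public token;
    uint64 public unlockTime;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Intended to run once right after deployment, but nothing enforces that:
    // a second call from any address overwrites `owner` with that address.
    function init(address token_, uint64 unlockTime_) external {
        owner = msg.sender;
        token = IERC20(token_);
        unlockTime = unlockTime_;
    }

    // Escape hatch: sends every token the contract holds to a caller-chosen
    // address. After init() has been re-run by an attacker, this is the drain.
    function emergencyExit(address to) external onlyOwner {
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// The sequence described on this page, against the vulnerable shape above:
// re-initialise to take ownership, then call the privileged drain. Two calls,
// one transaction.
contract ReinitDrain {
    function run(VestingVulnerable target, address to) external {
        target.init(address(target.token()), 0); // caller is now `owner`
        target.emergencyExit(to);                // entire balance leaves
    }
}

// Hardened shape: a one-shot initializer, an explicit owner parameter so the
// deployer (often a factory) need not become the owner, and an escape hatch
// that can only send funds to a recovery address fixed at initialisation.
contract VestingHardened {
    address public owner;
    address public recovery;
    IERC20 public token;
    uint64 public unlockTime;
    bool private initialized;

    event Initialized(address indexed owner, address indexed recovery);
    event EmergencyExit(address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function init(address token_, uint64 unlockTime_, address owner_, address recovery_) external {
        require(!initialized, "already initialized"); // the guard that was missing
        require(token_ != address(0) && owner_ != address(0) && recovery_ != address(0), "zero address");
        initialized = true;
        owner = owner_;
        recovery = recovery_;
        token = IERC20(token_);
        unlockTime = unlockTime_;
        emit Initialized(owner_, recovery_);
    }

    // Still owner-only, but the destination is no longer caller-chosen, so even
    // a compromised owner key cannot route funds to an attacker-controlled address.
    function emergencyExit() external onlyOwner {
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(recovery, amount), "transfer failed");
        emit EmergencyExit(recovery, amount);
    }
}
```

The practitioner's check on a deployed contract is the same as the attack's first step, minus the second: from an unprivileged account, simulate a repeat `init()` call (an `eth_call`, not a sent transaction) and confirm it reverts. For proxy deployments, run the same check against the implementation contract as well as the proxy, since an implementation left uninitialised is a separate instance of the same bug. If the code base already uses OpenZeppelin, its `Initializable` contract provides the `initializer` modifier and `_disableInitializers()` for the implementation, which cover both cases without hand-rolling the flag above.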

Linked factors #

  • RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Disputed; likely unaudited or audit scope did not cover the specific vesting contracts]
  • RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None identified]
  • RD-F-077 — causal: Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal: Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal: Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]