FriesDAO hacked for $2.3 million in latest Profanity exploit

Quick Take

  • A FriesDAO wallet was hacked for $2.3 million, according to security firm CertiK.
  • The DAO’s deployer wallet was generated with an insecure tool called Profanity.
 

An unknown attacker has stolen $2.3 million in tokens from a decentralized autonomous organization called FriesDAO. This comes amid a flurry of hacks and exploits this month, as October looks set to be a particularly bad month for crypto projects.

The exploit resulted from the hacker gaining control of FriesDAO’s "deployer wallet" and transferring a large amount of FRIES, the project’s governance token, to an address under their control. Using their access to the deployer wallet, the perpetrator also drained other tokens from a staking pool. The stolen tokens were sold off for $2.3 million of stablecoins held in the hacker's address, security firm CertiK estimated.

“It has come to our attention that the refund deployer contract was exploited and managed to obtain FRIES tokens which were subsequently refunded for USDC and sold into the Uniswap pool," said FriesDAO, while notifying users of the hack.

FriesDAO's deployer wallet was generated using Profanity, a wallet-generator tool that’s known to contain a critical vulnerability. Last month, security analysts at 1inch found that private keys of vanity addresses generated via Profanity could be calculated by malicious hackers to steal funds. After 1inch’s disclosure, the vulnerability was exploited by hackers to steal $160 million in crypto assets from market making firm Wintermute.


FriesDAO had also relied on Profanity to generate its deployer wallet address. Because of the vulnerability, the hacker was able to extract the wallet's private key and move funds out, according to CertiK. The security firm told The Block in a statement that the FriesDAO exploit could have been avoided had the team been more diligent and replaced the deployer's address in time.

“This attack was preventable, as the Profanity vulnerability has been public knowledge for over a month,” the spokesperson said. “CertiK calls on all Web3 projects which have used the Profanity tool to immediately transfer control of any assets held in affected wallets to securely-generated addresses.”

 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editor of this story:
Tim Copeland at
[email protected]