Build Finance DAO suffered a “hostile governance takeover” over the last few days and has lost around $470,000 in funds, according to an announcement today.
Over the last few days, an unknown person managed to use a large supply of tokens to vote through a proposal that gave them full control over the DAO’s treasury and its ability to mint tokens.
“As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure,” said Urbane Grandier, a member of Build Finance’s core team, in its Discord server.
“It is with deep regret that we have to inform the community of this total and irrecoverable loss of BUILD DAO treasury assets through the deeds of one malicious actor,” they added.
What was Build Finance?
Build Finance was a self-described “decentralized venture builder” with the goal of incentivizing new projects by rewarding them with tokens. The idea was to fund projects with its native BUILD tokens and the projects would, in return, adopt BUILD tokens to grow demand for them.
The project started with 100,000 tokens and the community was able to mint more tokens to fund new projects.
The project was maintained by a DAO, a decentralized system where token holders vote on minting and allocating tokens. According to a tweet thread, they were also able to vote on the control of the token contract itself.
Over the last few months, the project had provided few updates. It appeared to be working on a website redesign and a change to a new domain name. But its Discord members appeared unsatisfied.
“Hi team, an update would be appreciated. The lack of communication is concerning from a community perspective. I’m sure you are working hard behind the scenes but I think regular updates would be well received and appreciated by the community,” wrote one such member.
Yet despite this, the project was in control of a reasonably large amount of funds. As of August 2021, its treasury comprised six tokens including DAI, BUILD and METRIC. Its value at the time was $522,000.
The hostile takeover
On February 9, Build Finance moderator 0xSHA2 penned a message in the Discord server that said someone had made a proposal that, if passed, would let them mint tokens unilaterally. The moderator encouraged token holders to vote against the proposal.
According to the tweet thread, this proposal was made by a wallet named Suho.eth. This proposal failed.
Yet it seems the perpetrator sent their governance tokens to a separate wallet and tried again. This second proposal, however, was not picked up by the Discord server’s bot (which would detect proposals and put them in a dedicated channel). It appeared to go unnoticed and passed on February 10.
Per the thread, the perpetrator used their newfound control over the DAO and its token minting abilities to create 1.1 million BUILD tokens for themselves. They used them to drain the liquidity pools on two decentralized exchanges, Balancer and Uniswap. After this, they took a further 130,000 METRIC tokens from the project’s treasury, sold them, and minted a further 1 billion BUILD tokens.
In short, they ransacked everything they could.
Since then, the perpetrator has sent a significant amount of funds to Tornado Cash, a mixing service on the Ethereum blockchain. The funds transferred add up to around 160 ETH, suggesting they made off with around $470,000.
The aftermath
Following the takeover and fire sale, Build Finance’s core team is now looking to find a way to survive.
“We would welcome a discussion in the discord with community members about the way to move forward from this but it is difficult to see a future for BUILD with only its brand recognition and IP assets, and no liquid treasury,” said Grandier.
As for trying to get the funds back, Grandier said the team had been in contact with the perpetrator but that there was little desire for dialogue and even less for the idea of making reparations.
Read full story on The Block