In a startling revelation for the decentralized autonomous organization (DAO) community, Samudai, a blockchain project, has experienced a significant security breach. The DAO’s multisig wallets, including the personal wallet of its founder, Kushagra Agrawal, were compromised, leading to the loss of $1.25 million in funds.
The exploit was initially flagged by onlookers observing a suspicious deposit into Tornado Cash, a popular cryptocurrency mixer that obfuscates the origins of transactions to preserve privacy. This deposit of a substantial sum raised concerns, which were later confirmed by the Samudai team.
Investigation into the Incident
Upon investigation, it was found that both of the project’s multisig addresses, as well as Kushagra Agrawal’s address, had been targeted by the attacker. Multisig wallets typically require multiple signatories to confirm transactions, adding an extra layer of security. However, in this case, the attacker managed to bypass these measures and gain control of the wallets.
The stolen assets were quickly converted into Ethereum (ETH) and subsequently deposited into Tornado Cash, making it challenging to trace the funds due to the anonymizing nature of the service. Additionally, 21 ETH, roughly valued at $54,000 at the time of the event, was transferred to an exchange, likely in an attempt to cash out on the ill-gotten gains.
Samudai XYZ’s Response
In response to the breach, Kushagra Agrawal, the founder of Samudai, took to the blockchain to issue an on-chain message. The message addressed the perpetrator(s) of the exploit, offering a 10% bounty if the stolen funds were returned. The DAO proposed that by accepting the offer and returning 90% of the stolen assets, the hackers would face no further pursuit or law enforcement actions.
The founder’s message set a deadline for the voluntary return of the funds, indicating that if the offer was not taken up by November 13 at 0800 UTC, the bounty would be opened to the public. In this scenario, the full 10% would be offered to any individual who could identify the hacker in a manner leading to a legal conviction.
The on-chain message also specified a contact email address for the hackers to use to initiate the negotiation process. It was made clear that any parties contacting the team would need to verify ownership of their address on-chain before any discussions could take place.
Implications for the DAO and DeFi Community
This incident has once again highlighted the vulnerabilities present in the decentralized finance (DeFi) ecosystem. Despite the advanced security measures in place, such as multisig wallets, the DAO community continues to face challenges in safeguarding its assets from sophisticated attacks.
Samudai’s approach to resolving the situation by offering a bounty is a novel one, potentially setting a precedent for how projects might handle similar situations in the future. Whether this strategy will lead to the recovery of the stolen funds remains to be seen.
The broader DeFi community will undoubtedly be watching closely, not only for the outcome of this particular situation but also for the lessons to be learned in improving security measures and response strategies for DAOs and other blockchain-based projects.