A governance breakdown at Synthetify, a Solana-based decentralized exchange (DEX), led to the loss of almost $230,000 worth of cryptocurrency. The attacker abused the protocol's decentralized autonomous organization (DAO) by submitting their own proposals and casting the votes that passed them. The money had already been transferred to Tornado Cash before other DAO participants realized there was a problem.
Following the collapse of FTX in late 2021, Synthetify incurred debt and declared plans to restructure in April. Taking advantage of the DAO’s lack of activity, the attacker created ten proposals that were visually identical and used their own tokens to reach the required number of votes. According to security auditing company Neodyme, ten of the proposals were empty, while the code in the other nine delivered about $230,000 in USDC, mSOL, and stSOL to the attacker’s address. The DAO still holds $89,669 in its treasury.
This incident highlights the risks DAOs face when trying to keep malicious actors out of their governance. In the past, attackers have used flash loans to drain DAO treasuries, borrowing large amounts of governance tokens to pass damaging proposals. Serhii Kravchenko, COO of DeXe, a company that offers DAO infrastructure, proposed that DAOs improve their communication around the proposal-making process and spend more on financial incentives to boost member engagement.
Anatoly Yakovenko, a co-founder of Solana, also weighed in, arguing that DAOs ought to have veto councils that can stop token-voting attacks. He emphasised the value of paying council members so that they stay alert to potential threats. The Synthetify exploit is a reminder that decentralised governance systems can have real weaknesses.
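To make the governance failure and the proposed safeguards concrete, the following is an added toy model written for this article; it is not Synthetify's on-chain program, nor DeXe's or Solana's code, and every name, balance and parameter in it is constructed. It models a DAO whose quorum is a share of total token supply, an execution timelock, and a veto council of the kind Yakovenko describes. The `run_scenario` function plays out a single active token holder pushing a proposal through an otherwise inactive DAO, and returns whether the proposal executes, is rejected for lack of quorum, or is vetoed during the timelock.

```python
"""Toy DAO governance model: quorum as a share of supply, timelock, veto council.
Added illustration for this article; all names and numbers are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    VOTING = "voting"
    QUEUED = "queued"      # passed the vote, waiting out the timelock
    EXECUTED = "executed"
    REJECTED = "rejected"  # failed quorum or majority
    VETOED = "vetoed"      # blocked by the veto council during the timelock


@dataclass
class Proposal:
    pid: int
    proposer: str
    votes_for: int = 0
    votes_against: int = 0
    status: Status = Status.VOTING
    voters: set = field(default_factory=set)
    vetoes: set = field(default_factory=set)
    executable_at: int = 0


@dataclass
class Governance:
    balances: dict          # token holder -> balance (constructed sample data)
    quorum_bps: int         # yes-votes required, in basis points of total supply
    timelock_slots: int     # delay between passing the vote and execution
    council: frozenset      # veto council members (hypothetical)
    veto_threshold: int     # council votes needed to block a queued proposal
    slot: int = 0           # current time, in slots
    proposals: dict = field(default_factory=dict)

    @property
    def total_supply(self) -> int:
        return sum(self.balances.values())

    def propose(self, proposer: str) -> Proposal:
        p = Proposal(pid=len(self.proposals) + 1, proposer=proposer)
        self.proposals[p.pid] = p
        return p

    def vote(self, pid: int, voter: str, support: bool) -> None:
        p = self.proposals[pid]
        if p.status is not Status.VOTING or voter in p.voters:
            raise ValueError("not in voting phase or voter already voted")
        weight = self.balances.get(voter, 0)   # token-weighted voting
        p.voters.add(voter)
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight

    def finalize(self, pid: int) -> Status:
        """Close voting; quorum is measured against total supply, not turnout."""
        p = self.proposals[pid]
        needed = self.total_supply * self.quorum_bps // 10_000
        if p.votes_for >= needed and p.votes_for > p.votes_against:
            p.status = Status.QUEUED
            p.executable_at = self.slot + self.timelock_slots
        else:
            p.status = Status.REJECTED
        return p.status

    def veto(self, pid: int, member: str) -> Status:
        p = self.proposals[pid]
        if member not in self.council or p.status is not Status.QUEUED:
            raise ValueError("only council members can veto queued proposals")
        p.vetoes.add(member)
        if len(p.vetoes) >= self.veto_threshold:
            p.status = Status.VETOED
        return p.status

    def execute(self, pid: int) -> Status:
        p = self.proposals[pid]
        if p.status is Status.QUEUED and self.slot >= p.executable_at:
            p.status = Status.EXECUTED
        return p.status


def run_scenario(quorum_bps: int, timelock_slots: int, vetoing_members: int) -> Status:
    """One holder with 5% of supply votes; all other holders stay inactive."""
    balances = {"attacker": 50_000, "alice": 400_000, "bob": 350_000, "carol": 200_000}
    council = frozenset({"c1", "c2", "c3"})
    gov = Governance(balances, quorum_bps, timelock_slots, council, veto_threshold=2)
    p = gov.propose("attacker")
    gov.vote(p.pid, "attacker", True)          # the only vote cast
    if gov.finalize(p.pid) is Status.REJECTED:
        return Status.REJECTED
    for member in sorted(council)[:vetoing_members]:
        if gov.veto(p.pid, member) is Status.VETOED:
            break                              # threshold reached, stop here
    gov.slot += timelock_slots                 # let the timelock expire
    return gov.execute(p.pid)
```

With a 4% quorum, no timelock and no council the lone voter's proposal executes immediately, which is the situation an inactive DAO finds itself in. Raising the quorum to 10% of supply rejects it outright, and a timelock long enough for two council members to veto blocks it even when the quorum was met; a single veto against a threshold of two does not, which is why the council's size and its members' attentiveness matter.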