FriesDAO was attacked today and lost approximately $2.3 million after attackers gained control of the protocol operator's wallet. The root cause appears to be a bug in the Profanity vanity-address generator that makes the private keys of addresses generated through the tool recoverable.
- After gaining access to the operator’s wallet, the attacker withdraws $FRIES from the DAO’s funding wallet and sells it on Uniswap for wETH.
- The attacker withdraws funds from the staking pool using governmentRecoverUnsupported(), a function that can only be called by the operator address.
- The attacker eventually converts all funds into DAI. As of this writing, the wallet holding the stolen funds is worth about $2.325 million. FriesDAO confirmed the attack in its official Discord channel, stating that the wallet address had indeed been generated with Profanity.
The developers are currently negotiating with the attackers over a white hat bounty in exchange for the return of the stolen funds. The attack could have been prevented: the Profanity vulnerability, which was behind the theft of more than $160 million from market maker Wintermute, has been public for more than a month. CertiK calls on all Web 3.0 projects that have used Profanity tools to immediately transfer control of all assets in affected wallets to securely generated addresses.
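As an added illustration, not taken from the original report or from CertiK or FriesDAO, here is a Python heuristic a project could run over its privileged addresses to spot vanity patterns of the kind Profanity produces (user-chosen prefixes or suffixes such as long runs of one hex digit), as a first triage step before rotating control as recommended above. The addresses, the role names and the run-length threshold are constructed assumptions for the example.

```python
"""
Heuristic audit of privileged addresses for Profanity-style vanity patterns.
Addresses below are constructed for this example; they are not FriesDAO's.
"""
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def _run_length(s: str, from_end: bool = False) -> int:
    """Length of the run of a single repeated hex digit at the start (or end) of s."""
    if from_end:
        s = s[::-1]
    n = 0
    for ch in s:
        if ch != s[0]:
            break
        n += 1
    return n


def vanity_score(address: str) -> dict:
    """Return leading/trailing repeat-run lengths for a checksummed or plain address."""
    if not ADDR_RE.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    digits = address[2:].lower()
    return {
        "address": address,
        "leading_run": _run_length(digits),
        "trailing_run": _run_length(digits, from_end=True),
    }


def audit_privileged(roles: dict, threshold: int = 6) -> list:
    """Flag role -> address entries whose prefix or suffix repeats one digit
    `threshold` or more times. A random address starts with a run of 6+ equal
    digits with probability 16**-5 (about 1e-6), so hits deserve a manual look."""
    flagged = []
    for role, addr in roles.items():
        score = vanity_score(addr)
        if max(score["leading_run"], score["trailing_run"]) >= threshold:
            flagged.append({"role": role, **score})
    return flagged


# Constructed sample: one vanity-looking address, one ordinary one (assumed roles).
PRIVILEGED = {
    "operator": "0x0000000012345678abcdef0123456789abcdef01",
    "treasury": "0x3f9c1b7e2a5d8c4b6e1f0a9d7c3b5e8f2a4d6c1b",
}

if __name__ == "__main__":
    for hit in audit_privileged(PRIVILEGED):
        print(f"{hit['role']}: {hit['address']} leading={hit['leading_run']}")
```

A flagged address is only a hint that a vanity tool was used; the check cannot tell which tool, so treat it as a prompt to verify key provenance and rotate rather than as proof.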