Investors of the Hector decentralized autonomous organization, HectorDAO, on the Fantom network are demanding control of the protocol’s remaining funds after the team allegedly halted all communications following a Jan. 16 hack that led to $2.7 million in losses.
In a conversation with Cointelegraph, a HectorDAO investor who wishes to remain anonymous stated that the HectorDAO team stopped communicating with its community on Jan. 19. According to the source, all project social channels were muted in September 2023.
At that time, the HectorDAO team still allowed contact through a Google Group email address. However, the DAO allegedly deleted this group sometime before Jan. 19.
To make matters worse, the hack occurred just as the protocol planned to dissolve itself and return assets to investors. Prior security warnings were allegedly ignored.
According to blockchain security firm CertiK, its researchers informed the HectorDAO team of the “centralization” risk posed by the “addEligibleWallet” function, the root cause of the exploit, and recommended steps to mitigate this risk.
The HectorDAO team allegedly chose not to implement the recommended changes for unknown reasons. CertiK referred Cointelegraph to its official audit report, which stated that the function could be called by any account with moderator privileges.
HectorDAO tells a different version of the story, claiming that the protocol engaged with CertiK to conduct a thorough smart contract security analysis and that, contrary to CertiK’s statement, “all assets were secured in a Redemption Vault prior to the launch of the production claim process.”
Blockchain analysis has since shown that the attacker allegedly had access to the team’s deployer account, implying that the exploit was either an inside job or the result of a private key compromise. The development team’s last known communication to investors was on Jan. 18, before going quiet.
The @Hector_Network suffered its 3rd hack this Monday. It's almost certainly an inside job from a disgruntled dev team.
I’ve created a post-mortem of this exploit, explaining how several deployer wallets orchestrated this event. https://t.co/HdK6JCO04R
— lilbagscientist (@lilbagscientist) January 19, 2024
The origins of the HectorDAO hack
The story of HectorDAO begins in 2021, when its early investors were allowed to buy the DAO’s token, HEC, at a discount through DAO bonds. The funds raised through this process went into the DAO’s treasury, where, theoretically, each HEC token represented ownership of a portion of the treasury, which could be reinvested to produce yield for tokenholders.
At its height, the HectorDAO treasury held over $100 million in digital assets.
But troubles began with the onset of the crypto winter. By May 1, 2023, HEC’s price had collapsed by nearly 99%, according to data from CoinMarketCap. At the same time, the HectorDAO treasury also declined in value.
These difficulties accelerated when the $1.5 billion Multichain bridge hack on July 6, 2023, caused contagion in the Fantom ecosystem. This led to another $8 million in losses for HectorDAO, as some of its treasury assets depegged from their Ethereum collateral.
After this incident, HectorDAO investors decided to call it quits, voting in July 2023 to liquidate the DAO and return its funds to users. Despite the vote, however, most of the $16 million held by the treasury at the time of the vote had yet to be distributed to investors by Jan. 15, 2024, on the eve of the HectorDAO hack.
On Jan. 15, the HectorDAO team attempted to finally distribute treasury funds by moving them into a new contract from which they could be redeemed. However, a malicious account immediately transferred $2.7 million worth of assets to itself after depositing only 0.0001 HEC.
Shortly afterward, the team shut down the redemption platform, and all remaining assets were moved back to the treasury contract. The redemptions have not been reopened since.
On Jan. 18, the HectorDAO team announced that the redemption platform had been hacked. “Hector Network regrets to inform you that there has been a security breach when the protocol was redeeming token holders as part of liquidation, and approximately USDC 2.7 million have been stolen on 15 January 2024,” it stated.
The team claimed it was “actively investigating” the breach and would provide updates in the future. In the meantime, it stated, “the redemption process is postponed for now.”
In the wake of the hack announcement, some tokenholders squarely blamed the development team, claiming that the hack was either the work of a rogue developer or a compromised private key. They argued that the team could no longer be trusted to secure the DAO’s funds.
1/ Members of the @hector_network community have recently expressed concern that they believe the redemption contract was exploited earlier for $2.7m.
A cursory investigation of the facts pic.twitter.com/EBDrZSverJ
— 0xBoboShanti (@0xBoboShanti) January 15, 2024
On Jan. 19, blockchain analyst Lilbagscientist released a detailed post-mortem report on the attack, citing data from Etherscan. According to them, preparations for the attack began on Dec. 16, 2023, when the HectorDAO deployer account sent 0.0001 HEC to the attacker. This 0.0001 HEC sat in the account until Jan. 15.
From 12:32 am UTC through 12:43 am on Jan. 15, a series of 14 transactions were submitted to Ethereum by the HectorDAO team’s Treasury Multisig Wallet. When confirmed, these transactions resulted in some of the treasury funds being moved to the HectorDAO Temporary Treasury Multisig, while others were sent to the Hector Liquidation Manager.
The Hector Liquidation Manager then swapped some of the tokens for others on a decentralized exchange before sending them to the Temporary Treasury Multisig. At the end of this process, the entirety of the HectorDAO treasury had been sent to the Temporary Treasury Multisig.
Between 3:14 am and 4:19 am on Jan. 15, an additional 16 transactions were performed by the Temporary Treasury Multisig, moving the funds to the Hector Redemption Treasury contract.
At 5:12 am, the attacker made a token approval, allowing up to 1 HEC to be spent by the Hector Redemption Contract. Immediately afterward, they deposited 0.0001 HEC into the contract.
One minute later, the team’s deployer account whitelisted the attacker’s wallet by calling the addEligibleWallet function on the platform’s Token Vault contract. This transaction also set the rate of redemption at $2.7 million worth of USD Coin (USDC).
At 5:59 am, the attacker called mintWithdraw on the Token Vault contract. This caused the Hector Redemption Contract to send $2.7 million in USDC to the attacker and burn the 0.0001 HEC that had been deposited. This transaction completed the attack.
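The call sequence above (a tiny deposit, a moderator-controlled addEligibleWallet that also fixes the payout, then mintWithdraw) is an instance of a familiar smart-contract anti-pattern: a privileged key, rather than the contract's own arithmetic, decides what a deposit is worth. The Solidity sketch below is an added illustration written for this page; it is not HectorDAO's code, and every contract and function name in it (CentralizedRedemptionVault, ProRataRedemptionVault, eligibleUsdc, quote, redeem) is hypothetical. It places the centralization pattern CertiK warned about beside a pro-rata design in which no key, compromised or not, can assign a payout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (hypothetical; not Hector's interfaces).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// ANTI-PATTERN (sketch of the centralization risk described above):
// a moderator-controlled whitelist decides, per wallet, how much USDC a
// deposit is worth. Whoever holds a moderator key effectively holds the vault.
contract CentralizedRedemptionVault {
    IERC20 public immutable hec;
    IERC20 public immutable usdc;
    mapping(address => bool) public isModerator;
    mapping(address => uint256) public deposited;    // HEC deposited per wallet
    mapping(address => uint256) public eligibleUsdc; // payout assigned by a moderator

    constructor(IERC20 _hec, IERC20 _usdc) {
        hec = _hec;
        usdc = _usdc;
        isModerator[msg.sender] = true; // deployer starts as a moderator
    }

    function deposit(uint256 hecAmount) external {
        require(hec.transferFrom(msg.sender, address(this), hecAmount), "transfer failed");
        deposited[msg.sender] += hecAmount;
    }

    // A single moderator key, alone and immediately, can make any wallet
    // worth any amount; the deposit size plays no part in the payout.
    function addEligibleWallet(address wallet, uint256 usdcAmount) external {
        require(isModerator[msg.sender], "not moderator");
        eligibleUsdc[wallet] = usdcAmount;
    }

    function mintWithdraw() external {
        uint256 payout = eligibleUsdc[msg.sender];
        require(payout > 0 && deposited[msg.sender] > 0, "not eligible");
        eligibleUsdc[msg.sender] = 0;
        deposited[msg.sender] = 0; // deposited HEC stays in the vault (burn omitted)
        require(usdc.transfer(msg.sender, payout), "transfer failed");
    }
}

// HARDENED PATTERN: the payout is derived from the deposit and a vault-wide
// rate fixed at deployment, so there is no per-wallet override to abuse.
contract ProRataRedemptionVault {
    IERC20 public immutable hec;
    IERC20 public immutable usdc;
    // USDC base units paid per HEC base unit, scaled by 1e18. Computed once,
    // off-chain, as treasury USDC / redeemable HEC at the snapshot block, and
    // published in the deployment transaction where anyone can verify it.
    uint256 public immutable usdcPerHecScaled;
    uint256 public constant SCALE = 1e18;

    constructor(IERC20 _hec, IERC20 _usdc, uint256 _usdcPerHecScaled) {
        hec = _hec;
        usdc = _usdc;
        usdcPerHecScaled = _usdcPerHecScaled;
    }

    // Payout is computed, not assigned: 0.0001 HEC can only ever be worth
    // 0.0001 HEC's share, regardless of who signs the transaction.
    function quote(uint256 hecAmount) public view returns (uint256) {
        return (hecAmount * usdcPerHecScaled) / SCALE;
    }

    // Pull the HEC in first, then pay out (checks-effects-interactions).
    function redeem(uint256 hecAmount) external {
        uint256 payout = quote(hecAmount);
        require(payout > 0, "amount too small");
        require(hec.transferFrom(msg.sender, address(this), hecAmount), "transfer failed");
        require(usdc.transfer(msg.sender, payout), "transfer failed");
    }
}
```

The point of the second contract is that the only privileged decision, the rate, is made once in a transaction the whole community can inspect before funds move, and after that the deployer key is irrelevant to how much any wallet receives. Where a redemption contract genuinely needs live administrative actions (pausing, correcting the rate before launch), the practitioner's check is that those functions sit behind a multisig plus a timelock rather than a single moderator or deployer EOA, so that a lone key compromise or a rogue insider cannot whitelist a wallet and drain the vault within the same minute, as the timeline above describes.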
No clear steps forward
The HectorDAO website’s most recent update was posted on Jan. 18. The last paragraph states that the redemption process is “postponed for now.”
“Hector Network is working tirelessly to address this, is committed to maintaining transparency throughout this process and will keep you updated on any developments,” the team wrote.
Meanwhile, HectorDAO investors say that they are considering legal action amid repeated failed efforts to contact the protocol’s developers. Originally, payments were scheduled for March to compensate investors as the DAO liquidates. An investigation into the hack continues.
Cointelegraph attempted to contact the HectorDAO team for comment but did not receive a response by the time of publication.