This is What a Hostile Takeover Looks Like in Crypto
An unknown attacker took control of the Build Finance DAO. The attacker emptied the DAO's treasury and liquidated BUILD token.
Why Build Finance was a Good Target
Build Finance DAO was a "decentralized venture builder." The idea was that investors would buy BUILD tokens, then Build Finance would buy other assets to store in its treasury. In turn, the decentralized autonomous organization (DAO) would fund other projects using its BUILD tokens. MetricExchange (METRIC) is one of Build Finance's main investments.
Build Finance was not a large or active project. Before the takeover, DAO members had complained of slow progress on new development and limited communication from the core team. Despite slow product growth, Build had about $500k worth of crypto in its treasury–mostly in DAI, BUILD, and METRIC tokens.
Build Finance's DAO had an unusual governance model that allowed the owner of a single smart contract to mint BUILD tokens and control the treasury. In addition to its somewhat inactive community, this software design quirk made Build Finance a good target for a hostile takeover, because a single vector could give an attacker total control over the DAO.
“As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure.”
- Build Finance, in the project's Discord
How Build was Taken Over
According to Build Finance, on February 9, a wallet named Suho.eth submitted a DAO proposal that would let him or her mint BUILD tokens without the DAO's approval–in effect, taking over the project. This proposal was voted down.
On February 10, Suho.eth sent tokens to another wallet and re-submitted the takeover proposal. This proposal was not picked up by Build Finance's Discord bot to alert voters, and it passed unnoticed.
After the takeover, the attacker–as Build Finance's old boss calls its new boss–disabled the project's docs and Discord bot. Build Finance's old boss believes the attacker was trying to hide his or her next steps.
Build Finance: Under New Management
According to Build Finance's old boss, the attacker used Build Finance DAO's permissive governance contract to empty the treasury and liquidate the BUILD token.
First, the attacker minted 1.1M BUILD tokens and used them to drain BUILD's liquidity on decentralized exchanges (DEXs) Balancer and Uniswap. Then, the attacker took 130k METRIC tokens from the Build Finance DAO's treasury and used them to drain liquidity on a couple DEXs.
Once the major liquidity was drained from BUILD, the attacker minted another 1B BUILD tokens and used them to drain all remaining liquidity in the project. The attacker then sent the funds to crypto tumbler Tornado Cash to hide their origin. Based on analysis of the attacker's transactions, it appears he or she took about 160 ETH, worth roughly $500k.
The Damage Seems to be Permanent
Before the takeover, BUILD's market cap was around $200k, and its treasury assets were worth around $500k. Today, BUILD's market cap is just $500–a 99.7% drop–and its treasury is empty. The entire process took about three days.
The Future of Build Finance
The attacker still controls the DAO, and it's unclear what will happen to the project. MetricExchange continues to operate, and the attacker has no control over the supply of METRIC tokens.
For now, Build Finance's old boss has just one suggestion: Do not buy BUILD tokens on any platform.