HectorDAO silence after $2.7M hack shocks investors

A group of investors in the Hector decentralized autonomous organization, HectorDAO, on the Fantom network are demanding control over the remaining funds of the protocol after the team allegedly stopped all communication following a hack on Jan. 16 that resulted in $2.7 million in losses.

An anonymous HectorDAO investor revealed to Cointelegraph that the team stopped communicating with the community on Jan. 19, and all social channels were muted in September 2023. The investor also stated that the DAO deleted a Google Group email address, which was previously used for contact, before Jan. 19.

The hack occurred just as the protocol was planning to dissolve itself and return assets to investors. The team reportedly ignored prior security warnings.

CertiK, a blockchain security firm, informed the HectorDAO team about the risk of centralization posed by the “addEligibleWallet” function, which was the root cause of the exploit. They also provided recommendations to mitigate this risk. However, the team chose not to implement the changes for unknown reasons. CertiK referred to its official audit report, which stated that the function could be accessed by any account with moderator privileges.

However, HectorDAO has a different version of events and claims that they engaged with CertiK to conduct a thorough analysis of smart contract security. They also stated that all assets were secured in a Redemption Vault before the launch of the production claim process, contrary to CertiK’s statement.

Blockchain analysis revealed that the attacker had access to the team’s deployer account, suggesting that the hack was either an inside job or the result of a compromised private key. The team’s last known communication with investors was on Jan. 18, after which they went silent.

The story of HectorDAO begins in 2021, when its early investors were given the opportunity to purchase the DAO’s token, HEC, at a discounted price through DAO bonds. The funds raised from this process were then placed into the DAO’s treasury, where each HEC token represented a share of the treasury that could generate yield for tokenholders.

At its peak, the HectorDAO treasury held over $100 million in digital assets.

However, things took a turn for the worse during the crypto winter. By May 1, 2023, the price of HEC had plummeted by almost 99%, according to data from CoinMarketCap. At the same time, the value of the HectorDAO treasury also decreased.

The situation worsened when the $1.5 billion Multichain bridge hack on July 6, 2023, caused a ripple effect in the Fantom ecosystem. This resulted in an additional $8 million in losses for HectorDAO, as some of its treasury assets became unpegged from their Ethereum collateral.

In response, HectorDAO investors voted in July 2023 to liquidate the DAO and return its funds to users. However, by Jan. 15, 2024, when the HectorDAO hack occurred, most of the $16 million held in the treasury at the time of the vote had yet to be distributed to investors.

On Jan. 15, the HectorDAO team attempted to finally distribute the treasury funds by transferring them to a new contract for redemption. However, a malicious account took advantage of the situation and transferred $2.7 million worth of assets to itself after depositing only 0.0001 HEC.

The team quickly shut down the redemption platform and moved all remaining assets back to the treasury contract. The redemption process has not been reopened since.

On Jan. 18, the HectorDAO team announced that the redemption platform had been hacked. “Hector Network regrets to inform you that there has been a security breach during the protocol’s redemption process, resulting in the theft of approximately USDC 2.7 million on January 15, 2024,” they stated.

The team claimed to be actively investigating the breach and promised to provide updates in the future. In the meantime, they stated that the redemption process would be postponed.

Following the hack announcement, some tokenholders blamed the development team, suggesting that the hack was either the work of a rogue developer or a compromised private key. They argued that the team could no longer be trusted to safeguard the DAO’s funds.

On Jan. 19, blockchain analyst Lilbagscientist released a detailed post-mortem report on the attack, using data from Etherscan. According to the report, the preparations for the attack began on Dec. 16, 2023, when the HectorDAO deployer account sent 0.0001 HEC to the attacker. This small amount remained in the account until Jan. 15.

Between 12:32 am UTC and 12:43 am on Jan. 15, the HectorDAO team’s Treasury Multisig Wallet submitted 14 transactions to Ethereum. These transactions resulted in the movement of some treasury funds to the HectorDAO Temporary Treasury Multisig and the Hector Liquidation Manager.

The Hector Liquidation Manager then exchanged some of the tokens on a decentralized exchange before sending them to the Temporary Treasury Multisig. By the end of this process, all of the HectorDAO treasury funds had been transferred to the Temporary Treasury Multisig.

Between 3:14 am and 4:19 am on Jan. 15, the Temporary Treasury Multisig performed an additional 16 transactions, moving the funds to the Hector Redemption Treasury contract.

At 5:12 am, the attacker approved a token transfer of up to 1 HEC for the Hector Redemption Contract. Immediately after, they deposited 0.0001 HEC into the contract.

One minute later, the team’s deployer account whitelisted the attacker’s wallet by calling the addEligibleWallet function on the platform’s Token Vault contract. This transaction also set the redemption rate at $2.7 million worth of USD Coin (USDC).

At 5:59 am, the attacker called mintWithdraw on the Token Vault contract, causing the Hector Redemption Contract to send $2.7 million in USDC to the attacker and burn the 0.0001 HEC that was deposited. This completed the attack.
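The design flaw CertiK flagged and the transaction sequence above both come down to one thing: a single privileged key could both whitelist a wallet and dictate the USDC it received, with no link to the amount of HEC that wallet deposited. The following Solidity is an added illustration, not HectorDAO's or CertiK's code. Only the function names addEligibleWallet and mintWithdraw are taken from the article; the contract names, state variables, the governance address and the merged single-contract layout (the real protocol split this across a Token Vault and a Redemption Contract) are assumptions. The first contract shows the weak pattern; the second shows a redemption vault where the payout is computed on-chain as a pro-rata share, so no key can assign a treasury-sized payout to a dust deposit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not HectorDAO's or CertiK's code. Only addEligibleWallet and
// mintWithdraw are names from the article; every other identifier is an assumption.
// Both token contracts are assumed to be standard, non-reentrant ERC-20s.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Weak design (the centralization risk CertiK described): one privileged key both
/// whitelists a wallet and sets the USDC it receives, independent of the HEC deposited.
contract WeakRedemptionVault {
    IERC20 public immutable hec;
    IERC20 public immutable usdc;
    address public moderator;                      // single point of failure
    mapping(address => uint256) public deposited;
    mapping(address => uint256) public payoutUsdc; // chosen by the moderator, any value

    constructor(IERC20 _hec, IERC20 _usdc) {
        hec = _hec;
        usdc = _usdc;
        moderator = msg.sender;
    }

    function deposit(uint256 amount) external {
        require(hec.transferFrom(msg.sender, address(this), amount), "hec transfer failed");
        deposited[msg.sender] += amount;
    }

    // A compromised or rogue moderator key can pair any deposit with the whole vault balance.
    function addEligibleWallet(address wallet, uint256 usdcAmount) external {
        require(msg.sender == moderator, "not moderator");
        payoutUsdc[wallet] = usdcAmount;
    }

    function mintWithdraw() external {
        require(deposited[msg.sender] > 0, "nothing deposited");
        uint256 out = payoutUsdc[msg.sender];
        deposited[msg.sender] = 0;
        payoutUsdc[msg.sender] = 0;
        require(usdc.transfer(msg.sender, out), "usdc transfer failed");
    }
}

/// Hardened design: the payout is a pro-rata share computed on-chain, there is no per-wallet
/// rate or whitelist to abuse, claims open only after a public delay, and the only privileged
/// action (pause) is held by a governance multisig rather than a deployer key.
contract ProRataRedemptionVault {
    IERC20 public immutable hec;
    IERC20 public immutable usdc;
    address public immutable governance;   // assumed: a timelocked multisig, not an EOA
    uint256 public immutable claimsOpenAt; // block timestamp after which redeem() works
    uint256 public hecOutstanding;         // HEC still entitled to a share of the vault
    bool public paused;

    event Redeemed(address indexed holder, uint256 hecIn, uint256 usdcOut);

    constructor(IERC20 _hec, IERC20 _usdc, address _governance, uint256 _hecSupply, uint256 _delay) {
        hec = _hec;
        usdc = _usdc;
        governance = _governance;
        hecOutstanding = _hecSupply;             // circulating HEC at the snapshot, fixed once
        claimsOpenAt = block.timestamp + _delay; // gives holders time to inspect the funding txs
    }

    // Every outstanding HEC token is worth the same slice of whatever USDC the vault holds.
    function previewPayout(uint256 hecAmount) public view returns (uint256) {
        return usdc.balanceOf(address(this)) * hecAmount / hecOutstanding;
    }

    function redeem(uint256 hecAmount) external {
        require(!paused, "paused");
        require(block.timestamp >= claimsOpenAt, "claims not open yet");
        require(hecAmount > 0 && hecAmount <= hecOutstanding, "bad amount");
        uint256 out = previewPayout(hecAmount);   // a dust deposit can only ever buy a dust share
        hecOutstanding -= hecAmount;              // state updated before any external transfer
        require(hec.transferFrom(msg.sender, address(this), hecAmount), "hec transfer failed");
        require(usdc.transfer(msg.sender, out), "usdc transfer failed");
        emit Redeemed(msg.sender, hecAmount, out);
    }

    // Emergency stop only; governance cannot redirect funds or change anyone's share.
    function setPaused(bool p) external {
        require(msg.sender == governance, "not governance");
        paused = p;
    }
}
```

Under the hardened vault, a deposit of 0.0001 HEC is worth exactly that fraction of the outstanding supply, so the $2.7 million outcome described above is not expressible in any call a single key can make. The delay before claimsOpenAt also gives tokenholders and auditors a window to verify that the vault was funded as announced before any redemption can execute.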

Unclear Progress Ahead

The latest update on the HectorDAO website was published on Jan. 18. Its final paragraph reveals that the redemption process has been delayed indefinitely:

“The Hector Network team is tirelessly working towards finding a solution and is committed to keeping the community informed of any developments.”

In the meantime, investors of HectorDAO are considering taking legal action as they have been unable to reach the protocol’s developers. The original plan was to distribute payments in March as the DAO undergoes liquidation. An investigation into the hack is still ongoing.

Cointelegraph attempted to reach out to the HectorDAO team for comment, but no response was received at the time of publication.