Beosin’s Full Analysis of Build Finance’s Governance Takeover Incident: the Hacker Has Profited About $1.12 Million

Beosin Eagle-Eye has detected that Build Finance DAO suffered a governance attack. Our team has conducted a detailed analysis of this incident. Here are our findings:

#1 Incident overview

The Build Finance DAO suffered a “hostile governance takeover” on Feb. 14th, 2022. The attacker obtained enough votes to take over the BUILD token contract, minted over 1 billion BUILD tokens in three transactions, and drained most of the funds in the Balancer and Uniswap liquidity pools. After the incident, the project team advised users on Twitter not to buy BUILD tokens on any platform. Our detailed analysis of the incident follows:

#2 Detailed analysis

Round 1

Through analysis of the transactions, we found that on February 12, 2022, the Build Finance token contract minted more than 1 billion BUILD tokens to the address 0xdcc8A38A in three separate transactions.

The 0xdcc8A38A address then swapped the 1 billion tokens through the Uniswap V2 BUILD pool, draining the project's liquidity.

Looking at the transaction details, we find that the address that called the mint function of the BUILD token contract is also 0xdcc8A38A.

As the code in the figure below shows, the mint function can only be called by the governance address. Since the caller here is 0xdcc8A38A, the governance authority of the contract had already been obtained by the address 0xdcc8A38A.

The code also shows that the original governance authority belongs to the creator of the contract, which is the address 0x2Cb037BD6B7Fbd78f04756C99B7996F430c58172 in the figure below.

So how was the governance authority transferred to 0xdcc8A38A?

Round 2

The clue is a transaction on September 4, 2020. Governance can only be transferred through the setGovernance function of the contract, so the contract creator 0x2Cb037BD must have called setGovernance at some point to hand over the authority.

Looking up the transaction records of the 0x2Cb037BD address, we find that the creator called setGovernance on that day. The transaction hash is 0xe3525247cea81ae98098817bc6bf6f6a16842b68544f1430926a363e790d33f2.

Inspecting the storage changes written by that transaction, we see that the authority was transferred to the address 0x38bce4b45f3d0d138927ab221560dac926999ba6, not to the attack address 0xdcc8A38A mentioned above.

Following the 0x38bce4b address, we find that it is a Timelock contract, and the only function in it that can go on to call setGovernance is executeTransaction.

Following the executeTransaction function and the storage it reads, we find that the authority over the 0x38bce4b45f3d0d138927ab221560dac926999ba6 address (the right to have it execute transactions) was transferred to 0x5a6ebeb6b61a80b2a2a5e0b4d893d731358d888583.

Following the 0x5a6ebeb6 address, we find that it is the governance contract. The proposal was created by suho.eth on February 9, 2022; the malicious address 0xdcc8A38A voted on it and it passed on February 11, 2022, after which the governance authority was changed to 0xdcc8A38A.

The proposal's payload changed the governance address of the token, and because the voting threshold configured in the governance contract was low, the attacker's own votes were enough to pass it. On execution, the proposal's call set the governance of the BUILD token contract to the 0xdcc8A38A address.

Part of the code of the contract at 0x5a6ebeb6b61a80b2a2a5e0b4d893d731358d888583 is shown below.

Once it held the governance authority, the 0xdcc8A38A address minted about 1 billion BUILD tokens to itself through the mint function of the BUILD token contract and drained the liquidity of the pool.

The flow chart is as follows:

The attacker used a similar technique to transfer the tokens held by another governance contract. The total profit is about $1.12 million, including 162 ETH, 20,014 USDC, 481,405 DAI, and 75,719 NCR.

Finally, Beosin reminds DAO projects: governance contracts should set appropriate voting thresholds and quorums so that a small number of votes cannot get a proposal passed and executed; only then is governance truly decentralized. We recommend referring to the governance contract implementation officially provided by OpenZeppelin.
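As an added example (not Beosin's code and not Build Finance's contracts), the following Python model replays the authority chain reconstructed in Round 2 (Governor vote, then Timelock.executeTransaction, then setGovernance on the token, then the governance-only mint) and shows how the quorum setting alone decides the outcome, which is the point of the recommendation above. The addresses, the holder balances, the attacker's 3,000 token stake and the two quorum values are constructed for illustration and are not the real BUILD distribution; the class and function names are assumptions of this example, not the names in the deployed contracts.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class BuildToken:
    """Token contract: setGovernance() and mint() are callable only by `governance`."""

    def __init__(self, creator: str) -> None:
        self.governance = creator          # deployer starts as governance
        self.balances: Dict[str, int] = {}
        self.total_supply = 0

    def set_governance(self, caller: str, new_governance: str) -> None:
        if caller != self.governance:
            raise PermissionError("!governance")
        self.governance = new_governance

    def mint(self, caller: str, to: str, amount: int) -> None:
        if caller != self.governance:
            raise PermissionError("!governance")
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount


class Timelock:
    """Holds the token's governance role; only its admin (the Governor) may route calls through it."""

    def __init__(self, address: str, admin: str) -> None:
        self.address = address
        self.admin = admin

    def execute_transaction(self, caller: str, call: Callable[[str], None]) -> None:
        if caller != self.admin:
            raise PermissionError("Timelock: caller is not admin")
        call(self.address)                 # the target sees the timelock as msg.sender


@dataclass
class Proposal:
    proposer: str
    call: Callable[[str], None]
    snapshot: Dict[str, int]             # voting power frozen at proposal time
    for_votes: int = 0
    against_votes: int = 0
    voters: Set[str] = field(default_factory=set)
    executed: bool = False


class Governor:
    """Token-weighted voting with a fixed quorum; the quorum is the security parameter."""

    def __init__(self, address: str, token: BuildToken, timelock: Timelock, quorum_votes: int) -> None:
        self.address, self.token, self.timelock = address, token, timelock
        self.quorum_votes = quorum_votes
        self.proposals: List[Proposal] = []

    def propose(self, proposer: str, call: Callable[[str], None]) -> int:
        self.proposals.append(Proposal(proposer, call, dict(self.token.balances)))
        return len(self.proposals) - 1

    def cast_vote(self, voter: str, proposal_id: int, support: bool) -> None:
        p = self.proposals[proposal_id]
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        weight = p.snapshot.get(voter, 0)
        if support:
            p.for_votes += weight
        else:
            p.against_votes += weight

    def execute(self, proposal_id: int) -> bool:
        """Execute only if the proposal succeeded: simple majority AND quorum reached."""
        p = self.proposals[proposal_id]
        if p.executed or p.for_votes <= p.against_votes or p.for_votes < self.quorum_votes:
            return False
        p.executed = True
        self.timelock.execute_transaction(self.address, p.call)
        return True


def run_takeover(quorum_votes: int, attacker_stake: int = 3_000) -> Tuple[str, int]:
    """Replay the takeover under a given quorum. Returns (final governance, attacker balance).

    Holder balances are constructed (about 130k tokens in circulation), not the real BUILD supply.
    """
    creator, attacker, timelock_addr, governor_addr = "creator", "attacker", "timelock", "governor"
    token = BuildToken(creator)
    for holder, amount in {"alice": 60_000, "bob": 40_000, "carol": 27_000, attacker: attacker_stake}.items():
        token.mint(creator, holder, amount)
    timelock = Timelock(timelock_addr, admin=governor_addr)
    governor = Governor(governor_addr, token, timelock, quorum_votes)
    token.set_governance(creator, timelock_addr)     # the 2020-style setGovernance() handover

    # Malicious proposal: make the timelock hand token governance to the attacker.
    pid = governor.propose(attacker, lambda sender: token.set_governance(sender, attacker))
    governor.cast_vote(attacker, pid, support=True)  # no other holder turns up to vote
    if governor.execute(pid):
        token.mint(attacker, attacker, 1_000_000_000)  # now governance: mint, then drain the pool
    return token.governance, token.balances.get(attacker, 0)
```

With a quorum of 1,000 votes the attacker's 3,000 token stake passes the proposal alone and the mint succeeds; with a quorum of 5,200 votes (4% of the constructed supply) the same proposal is rejected at execute() and governance stays with the timelock. In OpenZeppelin's Governor this parameter is the quorum (for example via GovernorVotesQuorumFraction), and it should be set relative to total supply, not as a small absolute number.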
