A Technical Post Mortem of SuperUMAn DAO (SuDAO) Hack — Flaws In Existing Governance Tools
Most DAOs today safeguard their treasuries using the Gnosis Safe Multisig wallets, one of the most popular smart contract wallets in the Ethereum ecosystem. Gnosis Safe offers flexibility through modules that are akin to what extensions are to modern browsers.
The SuDAO (SuperUMAn DAO) uses a Gnosis Safe Multisig wallet. In addition, it uses Snapshot in conjunction with the Zodiac Reality Module for the on-chain implementation of the governance votes.
Summary
On 1st Oct 22 (03:34:16 PM +UTC), a malicious proposal was executed, resulting in the loss of funds from SuDAO’s treasury wallet on Polygon.
Following the exploit, the team investigated the incident and prepared the following report.
As publicly reported, the incident resulted from executing a malicious proposal submitted to the Reality module that bypassed Snapshot. The attacker(s) exploited a known feature vulnerability of the Gnosis Safe (whereby a Gnosis Safe Module, here Zodiac Reality, can execute a transaction without any confirmation from the owners), coupled with a design flaw of Reality.ETH.
The funds lost were over 56K USD at the time of the hack.
Sequence of Events
On 30th Sep 22, 02:51:17 PM +UTC, the attacker(s) submitted a malicious proposal to Reality.ETH, bypassing Snapshot for on-chain implementation.
This proposal was identical to an earlier legitimate proposal that the SuDAO had passed a month ago.
The image below displays the input data from the original proposal.
The malicious proposal, however, added functions to enable it to drain the SuDAO’s Polygon wallet.
Any proposal submitted to Reality.ETH has a dispute window. In the case of SuDAO, there was a timeout of 12 hours to dispute the proposal.
In the absence of a current ongoing vote, the proposal went unnoticed. The Reality.ETH tracker in Discord is not customized for a specific wallet and tracks all the resolution requests of Reality.ETH.
The malicious proposal was executed on 1st Oct 22 at 03:34:16 PM +UTC (more than 24 hours after the proposal). It remains unclear why the proposal did not auto-execute after the 12-hour timeout plus the 1-hour cool-down period.
Brief Report
Gnosis Safe Modules enable additional access-control logic for Gnosis Safe accounts. As a result, Gnosis Safe accounts can be controlled by two means. One, by the account owners, using their signer keys, and the other by optional modules with custom access logic. For example, 5 out of 7 owners can control a Gnosis Safe account, and an additional module allows an admin key that controls the Gnosis Safe account with just one single signature.
Zodiac Reality Module (formerly SafeSnap) is a Gnosis Safe Module that allows on-chain execution based on the outcome of events reported by Reality.ETH oracle. It executes Gnosis Safe transactions according to the Snapshot proposals without needing any signatures from the account owners.
The attacker(s) exploited this known feature vulnerability of the Gnosis Safe, whereby
“Any attached module can execute transactions from the wallet without any confirmation from the owners. In other words, modules can be more powerful than the owners themselves. Once a module is attached to a wallet, it can freely call the execTransactionFromModule function, which allows the execution of actions without confirmations.” (OpenZeppelin, March 2020)
The attacker(s) were able to locally simulate legitimate transactions using Reality.ETH’s patterns, injecting malicious transaction data into the EIP-712 hash associated with the proposal. Then, using this hash, they created a fake proposal with the same text format as used by the SuDAO and other DAOs through the Zodiac Reality Module.
The attacker(s) used the proposal_id of a recently passed SuperUMAn proposal (Additional Ambassador Compensation), which kept the malicious proposal from being caught by a casual onlooker at a surface level. The proposal passed since nobody raised any alarm during the proposal period.
Gnosis Safe Modules have full access to submit any transactions and function calls; hence, once the proposal passed, the transaction was deemed valid, the approve() and transfer() functions were called, and the funds were drained, all without the actual caller (i.e., the attacker) being an owner or signer of the Safe.
Event Timeline
On 28th Sept 22, a member of the Opium Protocol team posted the following on Twitter:
There were several notifications in the Reality.ETH Discord channel on the 28th, 29th and 30th of Sept 22. These arise for any proposal, not just ones concerning the SuDAO.
On Sat, 1st Oct 22, the following notifications appeared in the SuDAO-wallet Discord channel:
A low-level investigation revealed that the hack was carried through a malicious proposal submitted via Reality.ETH.
Post Incident Plan
The attack targeted SuDAO’s Polygon Safe wallet. As the Gnosis Safe Module (Zodiac Reality) was still attached to the ETH Treasury Safe, those funds were transferred to a new multisig.
We conclude that we do not have any way of recovering the stolen funds. However, it brings to light a crucial design flaw in Reality.ETH that puts every user at risk.
End Report
In order to drive governance, DAOs have resorted to off-chain voting solutions. These are supposed to make participation accessible by saving gas costs, yet governance is still a challenge. The existing off-chain governance systems rely on oracle systems for on-chain execution, which can be exploited.
Blockchains and smart contracts are self-contained closed systems that cannot access data outside the network. Blockchains only understand internal data like wallet addresses, balances, NFT metadata, block data, etc. However, several contractual agreements necessitate access to off-chain data for execution, and oracles make this possible by feeding off-chain data for on-chain execution.
In the absence of oracles, smart contracts would have minimal use. DeFi relies heavily on oracles, which are fundamental to almost all smart contracts whose execution is connected to real-world events. Blockchain oracles do not constitute the data source themselves. Instead, the oracles query, verify and authenticate external data and then relay the information to the enclosed network.
While oracles are viable solutions for bringing external data to on-chain environments, they are third-party entities (affecting decentralization) whose reliability needs to be trusted (affecting trustlessness).
In light of the recent exploit that has drained SuDAO’s treasury of over 56k USD and the treasuries of other DAOs, it is imperative to highlight the issues and flaws of Gnosis Safe Modules, especially the Zodiac Reality Module that uses Reality.ETH. Some of these existing composable governance and treasury management tools have been adopted without thorough vetting and configuration, putting treasuries worth millions of dollars at risk.
Flaws of Existing Governance Tools
The Zodiac Reality Module belongs to the Zodiac collection of tools available on Gnosis Safe. It uses Reality.ETH as an oracle for triggering the execution of transactions approved through a Reality.ETH question.
Reality.ETH works through a question-answer interaction. Users interact with a smart contract through questions. The questions are answered by Reality.ETH users. The question asked on Reality.ETH consists of a proposal ID (e.g., an IPFS hash), which can be used to provide more information for the transaction to be executed, as well as an array of EIP-712-based transaction hashes that represent the transactions that should be executed.
Once a question has been asked on Reality.ETH, anyone can answer it by putting up a bond they are willing to lose if proven wrong. The system is designed so that any user can challenge and override the previous answer by submitting a higher bond. It is supposed to incentivize the correct answer to trigger the right outcome on-chain.
Users of Reality.ETH have the option to elect an arbitrator to settle disputes. The answer with the highest bond is automatically chosen if no arbitrator is selected. If the DAOs have made the mistake of electing themselves as arbitrator, they are responsible for settling the dispute. If they lose access to the keys (permanently or temporarily), the system behaves like a no-arbitrator configuration.
After an answer has been selected as the truth, there is a grace period in which the Gnosis Safe signers can veto the decision. Catching a malicious question in that window is challenging and requires round-the-clock monitoring of all incoming Reality.ETH question requests.
Let us understand the design flaws of this model. First and foremost, in the absence of an arbitrator, the design incentivizes the highest bidder (similar to the Dollar Auction game). If a highly capitalized malicious actor decides to answer a question incorrectly, they will likely succeed by being able to outspend their adversary.
The second concerns the reliance on human actors. Any malicious actor can create a request. If the DAO fails to monitor such requests, malicious resolutions will pass without the DAO’s knowledge. The system requires 24x7 staffing. Multisig members cannot always be on call with access to their signing keys.
For more understanding, read @isaacpatka’s article.
Conclusion
Web3 is early & still in the building stages. The whole industry is at its lowest in the aftermath of the FTX tsunami. Therefore, it becomes critical for projects to highlight any potential vulnerabilities that can affect the end user. In addition, developers and projects must remember that Web3’s whole ethos is transparency and responsibility. Without that, we are no different from any other legacy system.
DAOs should address voter apathy and burnout by incentivizing governance as far as possible. Composability is important for Web3 to drive adoption; however, adding modules without proper vetting can have disastrous & far-reaching consequences.
The lack of warning & documentation on the power of modules allows for dangerous attack vectors. Attacker(s) can easily exploit multi-sig wallets via unsafe modules until Gnosis raises far more end-user awareness on the perils of malicious modules.
SuDAO now awaits the release of the Optimistic Governance module that will be used instead of Reality.ETH. The module will give the protocols more power to challenge invalid transactions.
A shoutout to @neondaemon3, @pennepanda, @G_0neT2 & other @SuperUmans for helping with this report.
Everythingblockchain 🧐 — Freethinkers, Writers ✍, Blockchain explorers 🔭
In pursuit of simplifying the different blocks of the chain metaverse