PeopleDAO, an organization established to acquire a copy of the U.S. Constitution, lost 76.5 ETH ($120,000) on the 6th of March 2023 as a result of a social engineering attack that targeted the project’s Google Sheets form for monthly contribution payouts.
The team admitted that several flaws contributed to the theft. First, the project’s accounting lead unintentionally posted a link to the payout form, with edit access, in a public Discord channel. Using that edit access, the attacker added a row containing a 76.5 ETH payment to their own address and then hid the row so it was not visible in the sheet.
Second, the team missed the hidden row during their cross-check. The multi-signature signers, who executed the transfers after the form data was passed to the Safe airdrop tool, missed it as well, and the 76.5 ETH payment was sent to the attacker’s wallet. The attacker then moved the ether to two centralized exchanges, HitBTC and Binance, with 69.2 ETH ($110,000) going to the former and 7.3 ETH to the latter.
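The failure chain above is a reconciliation gap: the payout batch that reached the signers was never compared against an independent list of expected recipients and amounts. The following is an added example, not PeopleDAO's or Safe's code, of the kind of pre-signing check that would have surfaced the hidden row. It assumes a CSV export of the payout sheet (a CSV export contains every row, hidden or not) and a constructed allowlist of contributor addresses, per-payout cap and monthly budget; all addresses and amounts are made up for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data for this example; these are not PeopleDAO's
# real contributor addresses, caps or amounts.
ALLOWLIST = {
    "0x1111111111111111111111111111111111111111": "alice",
    "0x2222222222222222222222222222222222222222": "bob",
    "0x3333333333333333333333333333333333333333": "carol",
}
MAX_SINGLE_PAYOUT_ETH = Decimal("5")   # hypothetical per-recipient cap
MONTHLY_BUDGET_ETH = Decimal("40")     # hypothetical total for the month

# Constructed CSV export of the payout sheet. The last row stands in for an
# attacker-inserted (and, in the sheet UI, hidden) row: unknown address,
# outsized amount, no justification note.
SAMPLE_EXPORT = """recipient,amount_eth,note
0x1111111111111111111111111111111111111111,2.5,March content
0x2222222222222222222222222222222222222222,1.0,March dev
0x3333333333333333333333333333333333333333,3.0,March ops
0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,76.5,
"""


def parse_export(text):
    """Parse the sheet export into normalized rows, keeping the sheet line
    number so a finding can be traced back to the row in the spreadsheet."""
    rows = []
    # Header is sheet line 1, so data starts at line 2.
    for line_no, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        rows.append({
            "line": line_no,
            "recipient": rec["recipient"].strip().lower(),
            "amount": Decimal(rec["amount_eth"].strip()),
            "note": (rec.get("note") or "").strip(),
        })
    return rows


def validate_batch(rows, allowlist=ALLOWLIST,
                   max_single=MAX_SINGLE_PAYOUT_ETH, budget=MONTHLY_BUDGET_ETH):
    """Return a list of human-readable findings; an empty list means the
    batch matches expectations and can go to the signers."""
    findings = []
    total = Decimal(0)
    seen = set()
    for r in rows:
        total += r["amount"]
        if r["recipient"] not in allowlist:
            findings.append(f"line {r['line']}: recipient {r['recipient']} not on allowlist")
        if r["amount"] > max_single:
            findings.append(f"line {r['line']}: {r['amount']} ETH exceeds per-payout cap {max_single}")
        if not r["note"]:
            findings.append(f"line {r['line']}: payout has no justification note")
        if r["recipient"] in seen:
            findings.append(f"line {r['line']}: duplicate recipient {r['recipient']}")
        seen.add(r["recipient"])
    if total > budget:
        findings.append(f"batch total {total} ETH exceeds monthly budget {budget}")
    return findings


def batch_total(rows):
    return sum((r["amount"] for r in rows), Decimal(0))


def safe_to_sign(rows, **limits):
    """True only when every check passes; signers should refuse otherwise."""
    return not validate_batch(rows, **limits)


if __name__ == "__main__":
    batch = parse_export(SAMPLE_EXPORT)
    for finding in validate_batch(batch):
        print(finding)
    print("safe to sign:", safe_to_sign(batch))
```

The allowlist must live somewhere the sheet editors cannot modify (for instance, committed to a repository that only the multisig signers can change); if it sits in the same sheet, an attacker with edit access simply adds their address there too. Each signer running this check independently against the batch actually loaded into the airdrop tool closes the gap that the visual cross-check left open.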
To trace the attacker, PeopleDAO said it was working with blockchain security investigators including ZachXBT and SlowMist. It had also reported the incident and the attacker’s communication channels to U.S. law enforcement, and offered a 10% white hat bounty if the funds were returned. At the time of reporting, the attacker had not responded to the offer.
Speaking with The Block, the team said it was taking precautions to prevent similar incidents in the future, and reiterated that it would strengthen its multi-sig procedures and accounting training.
The team also disclosed the adoption of technologies built on Safe that enhance the signer experience. To make this seamless, PeopleDAO plans to host demo sessions with team members, teaching them how to use these tools to prevent the occurrence of similar attacks.