Jesus once said, “Ask and it will be given to you,” but the decentralized crypto project, PeopleDAO, learned this lesson the hard way. A smart individual was able to add themselves to the payout table and hide the row, allowing them to receive payouts without detection. PeopleDAO regularly makes small payouts to participants using a table created with Google Sheets and communicates via a Discord instance. Unfortunately, a team member accidentally posted a link to the editable table without a password, allowing the stranger to add a fake payment line and transfer more than 76.5 Ethereum to their wallet. The hacker quickly hid the line so that it would not be detected during a visual check. The total amount taken was worth around $120,000.
PeopleDAO has learned three important lessons from this experience. Firstly, they aim to secure access to the table used for account management to prevent unauthorized amendments. Secondly, signatories must check all details thoroughly before approving payments. Lastly, the team aims to improve the user interface to show the total amount to be released, making it more user-friendly.
PeopleDAO evolved from a project called ConstitutionDAO, which raised more than $40 million in 2021 to bid on a surviving original print of the US Constitution. Unfortunately, they didn’t explore the mechanisms behind auctions and another buyer purchased the document. ConstitutionDAO became PeopleDAO, an incubator that aims to help build more successful DAOs. If the hacker voluntarily returns the transfer, PeopleDAO will reward them with ten percent.
In conclusion, this unfortunate incident serves as a reminder to all DAOs to ensure that their systems are secure and reliable. PeopleDAO has taken steps to prevent future hacks and is working to improve its organization. Hopefully, their experiences will encourage other blockchain-based organizations to improve their security measures as well.
