exploit
Aragon DAO governance takeover drains $1.58M from Token of Power
An attacker bought >50% of a 16,384-supply MiniMeToken, used a no-timelock Aragon Voting app to mint 10B TOP in a single tx, and swapped them for 944.2 WETH from a Balancer V1 pool.
An unknown attacker hijacked the Token of Power (TOP) DAO on Tuesday, June 9 and drained 944.2 WETH (~$1.58M) from a Balancer V1 TOP/WETH pool. The mechanism was not a Balancer bug: the attacker exploited the TOP project's Aragon DAO configuration, acquired a majority of the MiniMeToken supply, and used the Aragon Voting app — deployed with no execution timelock — to create, vote on and execute a proposal minting 10 billion fresh TOP to a contract under their control, in a single transaction. The wallet that funded the operation pulled its starter ETH out of Tornado Cash and routed the proceeds back into Tornado Cash after the drain.
What happened
TOP shipped as an Aragon DAO governance token built on the legacy MiniMeToken standard (source contract on GitHub). MiniMeToken is the same minting-and-snapshot template that historically underpinned ANT and several Aragon-organized DAOs.
The fatal combination on TOP, called out by Blockaid and confirmed independently by Cyvers and PeckShield:
- Microscopic supply. The total supply was 16,384 TOP. Acquiring a majority cost the attacker roughly 663 WETH on the same Balancer V1 pool they later drained.
- No timelock. The Aragon Voting app permitted create → vote → execute inside a single transaction. There was no enforced delay between a winning vote and the call hitting the TokenManager that controls minting.
- No mint cap. The TokenManager kept the unrestricted mint permission MiniMeToken exposes, so a passing proposal could allocate any quantity to any address.
In one transaction the attacker proposed, voted with their 8,192.000001 TOP (>50% of supply), executed the proposal, minted 10,000,000,000 TOP to an exploit contract, then swapped that fresh supply through the Balancer V1 pool, extracting 944.2 WETH in the process. The attacker subsequently deposited roughly 945 ETH into Tornado Cash.
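As an added example (not code from the TOP project or from any of the outlets cited), here is a Python detector for the single-transaction pattern described above: a proposal created, carried by one majority stake, executed, and followed by a mint far above prior supply, all in one tx. The Aragon Voting event names (StartVote, CastVote, ExecuteVote), mints decoded as ERC-20 Transfers from the zero address, and 18 decimals for TOP are assumptions; the sample log is constructed with placeholder hashes and addresses.

```python
from dataclasses import dataclass, field

ZERO = "0x0000000000000000000000000000000000000000"
WAD = 10**18  # assumption: TOP uses 18 decimals

@dataclass
class Event:
    # Decoded log entry; event names are assumptions about the decoder (Aragon Voting + ERC-20).
    tx: str
    name: str
    args: dict = field(default_factory=dict)

def flag_atomic_takeovers(events, supply_before, mint_ratio=10):
    """Flag txs that create, vote on and execute a proposal atomically (no
    timelock), where the supporting vote alone exceeds 50% of supply and the
    tx mints more than mint_ratio x supply: the TOP pattern, all in one tx."""
    by_tx = {}
    for e in events:
        by_tx.setdefault(e.tx, []).append(e)
    findings = []
    for tx, evs in by_tx.items():
        names = {e.name for e in evs}
        atomic = {"StartVote", "CastVote", "ExecuteVote"} <= names
        majority = any(e.name == "CastVote" and e.args["supports"]
                       and 2 * e.args["stake"] > supply_before for e in evs)
        minted = sum(e.args["value"] for e in evs
                     if e.name == "Transfer" and e.args["from"] == ZERO)
        if atomic and majority and minted > mint_ratio * supply_before:
            findings.append({"tx": tx, "minted": minted,
                             "ratio": minted / supply_before})
    return findings

# Constructed sample: a routine mint whose vote and execution sit in different
# txs, then a TOP-style single-tx takeover (placeholder tx hashes/addresses).
SUPPLY_BEFORE = 16_384 * WAD
SAMPLE_EVENTS = [
    Event("0xvote-tx", "StartVote", {"voteId": 7}),
    Event("0xvote-tx", "CastVote", {"voteId": 7, "supports": True, "stake": 3_000 * WAD}),
    Event("0xexec-tx", "ExecuteVote", {"voteId": 7}),
    Event("0xexec-tx", "Transfer", {"from": ZERO, "to": "0xtreasury", "value": 100 * WAD}),
    Event("0xattack-tx", "StartVote", {"voteId": 8}),
    Event("0xattack-tx", "CastVote",  # 8,192.000001 TOP, >50% of 16,384
          {"voteId": 8, "supports": True, "stake": 8_192 * WAD + 10**12}),
    Event("0xattack-tx", "ExecuteVote", {"voteId": 8}),
    Event("0xattack-tx", "Transfer", {"from": ZERO, "to": "0xexploit", "value": 10**10 * WAD}),
]

if __name__ == "__main__":
    for f in flag_atomic_takeovers(SAMPLE_EVENTS, SUPPLY_BEFORE):
        print(f"{f['tx']}: minted {f['minted'] // WAD:,} TOP, {f['ratio']:,.0f}x supply")
```

Each signal alone (same-tx execution, a majority voter, a large mint) can be legitimate; the detector only fires when all three coincide, which is why the routine vote-then-mint in the sample stays quiet.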
On-chain trail
- Exploit transaction: 0x967aa34c69b7775c718545c7f94d92e965eb5fc553c0f27f6f1a9c65c93ac156
- Exploit contract: 0x25c68C44A96518294f5B47D758f98309c6729A21
- Attacker EOA (funded from Tornado Cash): 0xff8eF7bC455a57e5893232203052Ce0232b39Fa2
- TOP token contract: 0x0EBD5eC91680d3B0CEDbb1d5BB61851154D3eDb6
The TOP team has not published an incident report at time of writing; these identifiers come from Blockaid, Cyvers and PeckShield posts on X, mirrored across the secondary outlets cited below. They can be checked directly on Etherscan or any explorer that indexes the TOP token contract.
Numbers
- Drained from Balancer V1 TOP/WETH pool: 944.2 WETH (~$1.58M)
- Attacker acquisition cost: ~663 WETH on the same pool
- ETH routed back into Tornado Cash: ~945 ETH
- TOP total supply before exploit: 16,384 TOP
- Attacker pre-exploit holding: 8,192.000001 TOP (>50%)
- Newly minted TOP: 10,000,000,000 (≈ 610,352× original supply)
- Attack execution: 1 transaction (no timelock)
USD figure derived from the WETH amount at prevailing ETH price in the source reports. The Balancer protocol itself was not affected; the pool was the venue, not the target.
Skeptical attribution
No public attribution to a known actor (Lazarus, an OFAC-listed entity, an indicted ring) has been made. The attacker EOA was bankrolled out of Tornado Cash and the proceeds were laundered back through Tornado Cash, which is consistent with an operator deliberately denying clustering data — not consistent with a specific named group. Until a regulator, indictment, or sourced labeling firm puts a name on the wallets, this is correctly read as an anonymous governance-takeover operator.
What to watch
- Disclosure from the TOP project. No incident statement, no patch plan, no signal that the TokenManager mint permission has been revoked or burned. Until the project ships a post-mortem with a path to revoking unbounded minting, the pool that was drained will not be the only attack surface.
- Balancer V1 pools tied to other Aragon DAOs. Any project still running the MiniMeToken + Aragon Voting + Balancer V1 combination with a tiny supply, no timelock and an unrestricted mint permission has the same primitive available. The cost of attack is bounded by liquidity, not by sophistication.
- Tornado Cash flows. The 945 ETH deposit will sit in the standard pools; OFAC-aware venues should already be tagging downstream withdrawals. Watch which CEXs publish freezes referencing the TOP exploit attacker EOA.
- Aragon defaults. Aragon's modern stack (Aragon OSx) ships timelocks and minting caps. This exploit lands on a legacy deployment configuration that newer Aragon apps no longer encourage. Whether Aragon comments on the misconfiguration pattern publicly will matter for the dozens of small-cap DAOs still running the old setup.
Context — governance takeovers, not contract bugs
This is now the second governance-attack class incident in Blockchain Posts' recent rotation, after the multisig-keys pattern we covered with Humanity Protocol's $36M Hyperlane drain on June 9 and the Gnosis Pay Zodiac Delay Module exploit on June 1. The mechanism here is distinct — no key compromise, no module bug — but the failure mode rhymes: the contracts behaved exactly as written; the configuration behaved exactly as configured. A 16,384-supply MiniMeToken with a TokenManager that mints without ceiling, voted on by an Aragon app that executes without delay, is a faucet with the lever in the open.
Until small-cap projects either (a) ship with timelocks and mint caps by default, or (b) get their governance frontends — Tally, Snapshot proxies, Aragon dashboards — to refuse to display DAOs whose minting permission is uncapped, this class of attack is repeatable at the cost of a majority stake. On a token with a 16,384-unit supply, that cost is laughably low.
Sources:
- crypto.news — Token of Power exploit drains $1.58M from Balancer pool
- AMBCrypto — Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit
- The Crypto Times — One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack
- Crypto Economy — Attacker Steals $1.6 Million Worth of TOP Tokens in Aragon DAO Breach
- Aragon — MiniMeToken reference contract.
- On-chain entry points (open in any explorer): exploit tx 0x967a…c156, exploit contract 0x25c6…29A21, attacker EOA 0xff8e…39Fa2.