After the $2.7 million hack, HectorDAO's silence shocked investors


Investors in the decentralized autonomous organization Hector are demanding control of the protocol's remaining funds after a January 16 hack cost the team on the Fantom network $2.7 million.

In a conversation with Cointelegraph, a HectorDAO investor who wished to remain anonymous revealed that the HectorDAO team stopped communicating with the community on January 19. According to the source, all of the project's social channels had been muted by September 2023.

At that time, the HectorDAO team still allowed contact via Google Team email addresses. However, the DAO reportedly deleted this group sometime before January 19.

To make matters worse, the hack happened just as the protocol was planning to dissolve itself and return the assets to investors. Earlier security warnings were allegedly ignored.

According to blockchain security firm CertiK, its researchers informed the HectorDAO team of the “centralization” threat posed by the “addEligibleWallet” function, which is the root cause of the exploit, and recommended measures to prevent this threat.

The HectorDAO team reportedly chose not to implement the recommended changes for unknown reasons. Pointing Cointelegraph to its official audit report, CertiK stated that the function can be called by any account with moderator rights.

HectorDAO tells a different version of the story. It said that the protocol contacted CertiK to conduct an in-depth contract security analysis and that, contrary to CertiK's statement, “all assets are held in the ransom vault before starting the product claim process.”

Blockchain analysis has since suggested that the attacker had access to the group's deployment account, indicating that the exploit was the result of an inside job or private key compromise. The development team's last known contact with investors was on Jan. 18, before going quiet.

Origin of the HectorDAO hack

The history of HectorDAO begins in 2021, when its first investors were allowed to buy the DAO's token HEC at a discount with DAO bonds. Funds collected through this process were deposited into the DAO's treasury. In theory, each HEC token represents ownership of a portion of the treasury that can be reinvested to produce products for the tycoons.

At its peak, HectorDAO's treasury held more than $100 million in digital assets.

But problems started early in the crypto summer. By May 1, 2023, HEC's price had fallen by nearly 99%, according to CoinMarketCap data. At the same time, HectorDAO's treasury also fell in value.

These problems accelerated on July 6, 2023, when the $1.5 billion Multichain bridge hack caused contagion in the Fantom ecosystem. This resulted in another $8 million loss for HectorDAO, as some of its treasury assets had been bridged from Ethereum.

After this incident, HectorDAO investors decided to end the DAO, voting in July 2023 to dissolve it and return the money to the users. Despite the vote, the majority of the $16 million held by the treasury at the time of the vote had yet to be distributed to investors on January 15, 2024, the eve of the HectorDAO hack.

On January 15, the HectorDAO team finally moved to a new contract through which it attempted to distribute treasury funds. However, a malicious account transferred $2.7 million worth of assets to itself after depositing only 0.0001 HEC.

Soon after, the team closed the redemption platform and all remaining assets were transferred to treasury contracts. Redemptions have not been reopened since then.

On January 18, the HectorDAO team announced that the redemption platform had been hacked. “Hector Network is saddened to inform you that there was a security breach when the protocol issued token holders as a liquid entity and approximately $2.7 million dollars was stolen on January 15, 2024,” it said.

The team said it was “actively investigating” the breach and would provide updates in the future. In the meantime, it said, “the redemption process has been postponed for now.”

Following the announcement of the hack, some token holders rightly blamed the development team, claiming that the hack was the result of a rogue developer or a compromised private key. They argued that the team could no longer be trusted to secure the DAO's funds.

On January 19, blockchain analyst Lilbagscientist released a detailed post-mortem report on the attack, citing Etherscan data. According to the report, the preparation for the attack began on December 16, 2023, when the HectorDAO distribution account sent 0.0001 HEC to the attacker. This 0.0001 HEC was kept in the account until January 15.

On January 15, from 12:32 am to 12:43 am UTC, a series of 14 transactions was submitted by the HectorDAO Group Treasury Multisig wallet for Ethereum. When verified, these transactions resulted in some treasury funds being transferred to HectorDAO's temporary treasury multisig, while others were sent to Hector's Liquidity Manager.

Hector's Liquidity Manager swapped some of the tokens for others on a decentralized exchange before sending them to the temporary treasury multisig. At the end of this process, the entire HectorDAO treasury had been sent to the temporary treasury multisig.

Between 3:14 am and 4:19 am on January 15, an additional 16 transactions were made in the Interim Treasury Multisig, transferring the funds to Hector Redemption Treasury contracts.

At 5:12 AM, the attacker issued a token approval, allowing up to 1 HEC to be spent by the redemption contract. The attacker then immediately deposited 0.0001 HEC into the contract.

A minute later, the team's deployer account authorized the attacker's wallet by calling the addEligibleWallet function on the platform's TokenWallet contract. This transaction set the redemption amount at $2.7 million in USD Coin (USDC).

At 5:59 AM, the attacker called mintWithdraw on the Token Vault contract. This resulted in the Hector redemption contract sending $2.7 million to the attacker and burning the deposited 0.0001 HEC. This transaction ended the attack.
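The sequence above comes down to a privileged call setting a payout that bears no relation to the deposit behind it. The following Python sketch is an added example, not HectorDAO's or CertiK's code: it replays a constructed model of those calls and flags any entitlement above the depositor's pro-rata share of the treasury. The `deposit` label, the meaning given to each amount, and the HEC supply figure are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Call:
    sender: str      # role label, not a real address
    function: str    # call name as reported in the article ("deposit" is assumed)
    wallet: str      # wallet the call acts on
    amount: Decimal  # HEC for deposit, USD for addEligibleWallet, unused otherwise

# Constructed replay of the 15 January sequence described in the article.
ATTACK = [
    Call("attacker", "deposit", "attacker", Decimal("0.0001")),
    Call("deployer", "addEligibleWallet", "attacker", Decimal("2700000")),
    Call("attacker", "mintWithdraw", "attacker", Decimal("0")),
]
# Constructed honest redemption, for comparison.
HONEST = [
    Call("holder", "deposit", "holder", Decimal("1000")),
    Call("deployer", "addEligibleWallet", "holder", Decimal("8000")),
    Call("holder", "mintWithdraw", "holder", Decimal("0")),
]

TREASURY_USD = Decimal("16000000")  # treasury value cited in the article
HEC_SUPPLY = Decimal("2000000")     # hypothetical supply, chosen for illustration

def pro_rata_usd(deposited_hec):
    """USD owed to a depositor if every HEC has an equal claim on the treasury."""
    return deposited_hec * TREASURY_USD / HEC_SUPPLY

def review(calls):
    """Return alerts for entitlements above the depositor's pro-rata share."""
    deposited, approved, alerts = {}, set(), []
    for c in calls:
        if c.function == "deposit":
            deposited[c.wallet] = deposited.get(c.wallet, Decimal(0)) + c.amount
        elif c.function == "addEligibleWallet":
            cap = pro_rata_usd(deposited.get(c.wallet, Decimal(0)))
            if c.amount > cap:
                alerts.append(f"{c.sender} set ${c.amount} for {c.wallet}, cap is ${cap}")
            else:
                approved.add(c.wallet)
        elif c.function == "mintWithdraw" and c.wallet not in approved:
            alerts.append(f"mintWithdraw by {c.wallet} without a valid entitlement")
    return alerts
```

Enforcing the same bound inside the contract, rather than trusting the caller of the privileged function, is what removes the dependency on a single key.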

There are no clear steps forward

The most recent update on the HectorDAO website was posted on January 18. Its last line says that the redemption process is “adjourned for the time being.”

“Hector Networks is working tirelessly to address this, is committed to maintaining transparency throughout this process and will provide updates on any developments,” the team wrote.

Meanwhile, HectorDAO investors say they are considering legal action after repeated efforts to contact the protocol's developers. Originally, payments were scheduled for March to compensate investors when the DAO was dissolved. The investigation into the theft is ongoing.

Cointelegraph attempted to contact the HectorDao team for comment but did not receive a response as of press time.


