Token of Power DAO Drained in Single Transaction Without Timelock

What You Need to Know
- Attacker acquired just over 50% of Token of Power DAO's governance token and drained 944 WETH in a single transaction.
- DAO lacked a timelock, allowing proposal creation, voting, and execution to occur atomically with no response window for other stakeholders.
- Token supply of only 16,384 units made a controlling stake cheap to accumulate over time, so no flash loan was required.
- Attacker funded the wallet through Tornado Cash, complicating fund recovery even though the WETH remains traceable onchain.
Governance attacks are usually slow. This one cleared majority control, passed a proposal, minted new tokens, and drained a liquidity pool in a single transaction.
The exploit against the Token of Power (TOP) DAO followed a path that has become increasingly familiar since the Beanstalk hack in April 2022, where an attacker used a flash loan to acquire a temporary governance majority and drain $182 million in a single block. TOP's version was structurally simpler: the token supply was only 16,384 units, so a controlling stake could be accumulated cheaply over time rather than borrowed through a flash loan. The attacker held 8,192.000001 TOP, just over 50% of supply, which was enough to pass proposals unilaterally through Aragon's voting infrastructure.

The critical failure was the absence of a timelock, the standard mechanism that introduces a delay between a proposal passing and its execution so that other stakeholders have a window to respond. Without it, proposal creation, voting, and execution collapsed into one atomic transaction, and the 944 WETH sitting in a Balancer V1 liquidity pool had no protection beyond the governance configuration that had already been compromised.
Balancer’s protocol was not exploited. The pool was simply where inflated TOP tokens were converted into something worth keeping.
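To make the timing failure concrete, here is a toy Python model written for this article; it is not Aragon's, Balancer's or Token of Power's code. It reuses the article's figures (16,384 TOP supply, an attacker stake of 8,192.000001 TOP, 944 WETH in the pool) and assumes everything else: a simple-majority-of-supply passing rule, the pool's TOP reserve, the size of the malicious mint, and constant-product pricing standing in for the Balancer pool. With `timelock_blocks=0` the propose, vote, execute and swap all happen at block 0. With a delay, execution in the same block is refused and the other holders get to cancel. The third scenario goes a step beyond the article: a timelock that nobody acts on only postpones the same outcome.

```python
"""Toy model of a token-weighted DAO with and without a timelock. Added for
this article; not Aragon's, Balancer's or Token of Power's code. Supply,
attacker stake and pool WETH come from the article; the passing rule, pool
TOP reserve, mint size and x*y=k swap pricing are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Optional

TOTAL_SUPPLY = 16_384.0          # from the article
ATTACKER_STAKE = 8_192.000001    # from the article: just over 50% of supply
POOL_WETH = 944.0                # from the article
POOL_TOP = 4_000.0               # assumed TOP reserve in the pool
MINT_AMOUNT = 10_000_000.0       # assumed size of the malicious mint


class GovernanceError(Exception):
    pass


@dataclass
class Proposal:
    action: Callable[["DAO"], None]
    votes_for: float = 0.0
    passed_block: Optional[int] = None
    executed: bool = False
    cancelled: bool = False


@dataclass
class DAO:
    balances: dict                 # governance-token balances
    timelock_blocks: int = 0       # 0 == no delay: the configuration that sank TOP
    block: int = 0
    proposals: list = field(default_factory=list)

    def total_supply(self) -> float:
        return sum(self.balances.values())

    def mint(self, to: str, amount: float) -> None:
        self.balances[to] = self.balances.get(to, 0.0) + amount

    def propose(self, who: str, action: Callable[["DAO"], None]) -> Proposal:
        if self.balances.get(who, 0.0) <= 0:
            raise GovernanceError("proposer holds no tokens")
        p = Proposal(action)
        self.proposals.append(p)
        return p

    def vote(self, who: str, p: Proposal) -> None:
        # Assumed rule: passes once more than half of total supply has voted for it.
        p.votes_for += self.balances.get(who, 0.0)
        if p.passed_block is None and p.votes_for * 2 > self.total_supply():
            p.passed_block = self.block

    def cancel(self, p: Proposal) -> None:
        # Assumed: other holders or a guardian can cancel a queued proposal,
        # which only helps if execution is delayed long enough for them to see it.
        if p.executed:
            raise GovernanceError("already executed")
        p.cancelled = True

    def execute(self, p: Proposal) -> None:
        if p.passed_block is None or p.cancelled or p.executed:
            raise GovernanceError("proposal not executable")
        if self.block < p.passed_block + self.timelock_blocks:
            raise GovernanceError("timelock: still inside the response window")
        p.executed = True
        p.action(self)


@dataclass
class Pool:
    # TOP/WETH pool priced by x*y=k; a 50/50 weighted pool reduces to this.
    top: float
    weth: float

    def swap_top_for_weth(self, top_in: float) -> float:
        k = self.top * self.weth
        self.top += top_in
        out = self.weth - k / self.top
        self.weth -= out
        return out


def run_attack(timelock_blocks: int, defenders_watching: bool = True) -> dict:
    """Majority holder proposes, votes and tries to execute a mint in one
    block, then dumps the minted TOP into the pool. Returns what happened."""
    dao = DAO({"attacker": ATTACKER_STAKE, "others": TOTAL_SUPPLY - ATTACKER_STAKE},
              timelock_blocks=timelock_blocks)
    pool = Pool(POOL_TOP, POOL_WETH)
    blocked = False
    p = dao.propose("attacker", lambda d: d.mint("attacker", MINT_AMOUNT))
    dao.vote("attacker", p)            # 8,192.000001 * 2 > 16,384: passes at once
    try:
        dao.execute(p)                 # still block 0: no window without a timelock
    except GovernanceError:
        blocked = True
        if defenders_watching:
            dao.cancel(p)              # the response the timelock exists to allow
        else:
            dao.block += timelock_blocks   # nobody reacts: attacker waits it out
            dao.execute(p)
    drained = pool.swap_top_for_weth(MINT_AMOUNT) if p.executed else 0.0
    return {"executed": p.executed, "blocked_in_block": blocked,
            "weth_drained": drained, "pool_weth_after": pool.weth}


if __name__ == "__main__":
    for tl, watch in ((0, True), (7_200, True), (7_200, False)):
        print(f"timelock={tl:>5} blocks, watching={watch}: {run_attack(tl, watch)}")
```

The point of the third run is the caveat: a timelock is a window, not a guard. It converts an atomic exploit into a pending proposal that someone still has to notice and cancel, so the audit question for a small DAO is both whether a delay is enforced on minting and treasury actions and who is actually watching the queue.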
The attacker funded the wallet through Tornado Cash before execution, which is now a routine operational step in sophisticated DeFi exploits and meaningfully complicates any recovery effort regardless of how traceable the WETH remains onchain. Neither the TOP team nor Aragon has issued a statement, which matters because Aragon’s own documentation explicitly flags token minting and fund movements as functions requiring restricted access controls. The gap between what the documentation recommends and what TOP’s deployment enforced is the entire story here. For any DAO running on Aragon or comparable governance infrastructure with a small token supply and meaningful treasury exposure, this incident is a direct prompt to audit timelock configurations, not a general cautionary tale.
The broader implication is for the long tail of small DAOs that launched governance infrastructure during 2021 and 2022 without sustained technical oversight afterward. Low-cap tokens with concentrated supply and live treasuries are a category of target, not isolated edge cases, and the cost of accumulating a controlling stake in many of them has only decreased as token prices have fallen from cycle highs. Security firms flagged this incident quickly, but detection after execution is not a defense.