Investors in HectorDAO, a decentralized autonomous organization (DAO) on the Fantom network, are demanding control of the protocol’s remaining funds. This comes after the team allegedly stopped communicating with the community following a hack on January 16 that resulted in $2.7 million in losses.
According to an anonymous HectorDAO investor who spoke to Cointelegraph, the team ceased communication on January 19. The project’s social channels had already been muted in September 2023. Initially, contact was still possible through a Google Group email address, but the DAO reportedly deleted this group before January 19.
The situation worsened when the hack took place just as the protocol was planning to dissolve itself and return assets to investors. Allegedly, previous security warnings were ignored.
CertiK, a blockchain security firm, claims that its researchers informed the HectorDAO team about the risk posed by the “addEligibleWallet” function, which was the root cause of the exploit. CertiK recommended steps to mitigate this risk, but the HectorDAO team chose not to implement the changes for unknown reasons. CertiK referred to its official audit report, which stated that any account with moderator privileges could call the function.
However, HectorDAO provides a different account of the story. The protocol claims that it engaged with CertiK for a thorough smart contract security analysis. Contrary to CertiK’s statement, HectorDAO asserts that “all assets were secured in a Redemption Vault prior to the launch of the production claim process.”
Blockchain analysis reveals that the attacker allegedly had access to the team’s deployer account, suggesting that the hack was either an inside job or the result of a compromised private key. The development team’s last known communication with investors occurred on January 18, after which they went silent.
The story of HectorDAO began in 2021 when early investors were given the opportunity to purchase the DAO’s token, HEC, at a discount through DAO bonds. The funds raised were placed in the DAO’s treasury, where each HEC token represented ownership of a portion of the treasury. These funds could be reinvested to generate yield for token holders. At its peak, the HectorDAO treasury held over $100 million in digital assets.
However, troubles arose during the crypto winter. By May 1, 2023, the price of HEC had collapsed by nearly 99%, and the HectorDAO treasury also suffered a decline in value. The situation worsened after the $1.5 billion Multichain bridge hack on July 6, 2023, which caused further losses for HectorDAO as some of its treasury assets depegged from their Ethereum collateral.
Following this incident, HectorDAO investors voted in July 2023 to liquidate the DAO and return its funds to users. However, by January 15, 2024, most of the $16 million held by the treasury had yet to be distributed to investors.
On January 15, the HectorDAO team attempted to distribute the treasury funds by moving them into a new contract. However, a malicious account immediately transferred $2.7 million worth of assets to itself after depositing only 0.0001 HEC. The team then shut down the redemption platform, and all remaining assets were moved back to the treasury contract. The redemption process has not been reopened since.
On January 18, the HectorDAO team announced that the redemption platform had been hacked, and approximately $2.7 million had been stolen. They claimed to be actively investigating the breach and postponed the redemption process.
Some tokenholders blamed the development team for the hack, alleging that it was the work of a rogue developer or a compromised private key. They argued that the team could no longer be trusted to secure the DAO’s funds.
A post-mortem report on the attack was released on January 19, citing data from Etherscan. It revealed that preparations for the attack began on December 16, 2023, when the HectorDAO deployer account sent 0.0001 HEC to the attacker. On January 15, a series of transactions was performed, moving the funds to different contracts. Ultimately, the attacker was able to obtain $2.7 million in USDC and complete the attack.
The most recent update on the HectorDAO website, dated January 18, states that the redemption process is currently postponed. HectorDAO investors are considering legal action as they have been unable to contact the protocol’s developers. Payments to compensate investors were originally scheduled for March. The investigation into the hack is ongoing.