PeopleDAO, created to buy a copy of the US Constitution, lost 76.5 ETH (about $120,000) after a hacker gained access to an unlocked payment spreadsheet for community members.

A combination of mistakes by the project's finance team and its validators made it possible to steal funds intended for PeopleDAO community members. While preparing the register of payments to community members in Google Sheets, the PeopleDAO accountant mistakenly left the payment document open for editing by third parties and posted a link to the payment form, with administrative rights, in a public channel on the project's Discord server.

The hacker used the edit access to insert his own crypto wallet address and a payment of 76.5 ETH. The attacker then hid this payroll row in the Google spreadsheet.

During repeated checks, the hidden row escaped the team's attention. It was also missed by the PeopleDAO validators, who carried out the follow-up procedures, validated the table and submitted it to the Safe distribution tool.

As a result, the attacker's wallet received a payment of 76.5 ETH. The hacker subsequently transferred 69.2 ETH to the HitBTC exchange and 7.3 ETH to Binance.
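A check that does not depend on what a reviewer can see in the spreadsheet view is to reconcile the exported file itself against an independently approved payee list before it is submitted. The sketch below is an added example, not PeopleDAO's or Safe's code; the column names `receiver` and `amount`, the addresses and the approved list are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample data: placeholder addresses, hypothetical column names.
APPROVED = {
    "0x1111111111111111111111111111111111111111": Decimal("1.5"),
    "0x2222222222222222222222222222222222222222": Decimal("0.75"),
}
EXPORTED_CSV = """receiver,amount
0x1111111111111111111111111111111111111111,1.5
0x2222222222222222222222222222222222222222,0.75
0x9999999999999999999999999999999999999999,76.5
"""

def reconcile(csv_text, approved):
    """Return (kind, csv_line, detail) findings; an empty list means the file matches."""
    approved = {a.lower(): v for a, v in approved.items()}
    findings, seen, total = [], set(), Decimal("0")
    # Every row in the exported file is parsed, whatever its display state was.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        addr = (row.get("receiver") or "").strip().lower()
        try:
            amount = Decimal((row.get("amount") or "").strip())
        except InvalidOperation:
            findings.append(("bad_amount", line_no, addr))
            continue
        total += amount
        if addr in seen:
            findings.append(("duplicate_receiver", line_no, addr))
        seen.add(addr)
        if addr not in approved:
            findings.append(("unapproved_receiver", line_no, addr))
        elif amount != approved[addr]:
            findings.append(("amount_mismatch", line_no, f"{amount} != {approved[addr]}"))
    for addr in sorted(set(approved) - seen):
        findings.append(("missing_receiver", None, addr))
    expected = sum(approved.values(), Decimal("0"))
    if total != expected:
        # The control total catches an extra payout even if per-row review is skipped.
        findings.append(("total_mismatch", None, f"{total} != {expected}"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(EXPORTED_CSV, APPROVED):
        print(finding)
```

The approved list has to come from a source the spreadsheet's editors cannot change, otherwise the comparison inherits the same weakness.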

According to PeopleDAO, the project team offered the hacker a 10% reward for returning the funds. The team also turned to blockchain security experts ZachXBT and SlowMist for help in tracing the hacker. US law enforcement agencies and the exchanges the attacker used to transfer the funds were also notified of the theft.

On Monday, March 13, security experts at BlockSec reported a hack on Ethereum blockchain-based DeFi lending platform Euler Finance that resulted in the loss of more than $200 million in crypto assets.