DAOメイカー攻撃の分析

DAOメイカー攻撃の分析

攻撃分析

攻撃トランザクション:

0x26aa86261c834e837f6be93b2d589724ed5ae644bc8f4b8af2207e6bd70828f9

攻撃 スマートコントラクト はオープンソースです。

ステップ 1: 0x054e がトランザクションを送信し、ウォレット (0x41b8) の 0x0eba に管理者ロールを付与します。

次に、0x0eba が「DAO コントラクト」ロールを 0x1c93 に付与します。

最後に、0x1c93 (XXX) が withdrawFromUser 関数を呼び出し、XXX コントラクトに資金を転送します。

興味深いことに、被害者 0x41b8 は 0x054e によって作成されています。

まとめ

要約すると、0x054e は被害者 0x41b8 ウォレットを作成します。次に、0x054e が 0x0eba に管理者ロールを付与し、0x0eba が「DAO コントラクト」ロールを 0x1c93 に付与します。最後に、0x1c93 が被害者から資金を引き出します。

Sign up for the latest updates
Weekly Web3 Security Incident Roundup | Feb 9 – Feb 15, 2026

Weekly Web3 Security Incident Roundup | Feb 9 – Feb 15, 2026

During the week of February 9 to February 15, 2026, three blockchain security incidents were reported with total losses of ~$657K. All incidents occurred on the BNB Smart Chain and involved flawed business logic in DeFi token contracts. The primary causes included an unchecked balance withdrawal from an intermediary contract that allowed donation-based inflation of a liquidity addition targeted by a sandwich attack, a post-swap deflationary clawback that returned sold tokens to the caller while draining pool reserves to create a repeatable price-manipulation primitive, and a token transfer override that burned tokens directly from a Uniswap V2 pair's balance and force-synced reserves within the same transaction to artificially inflate the token price.

Top 10 "Awesome" Security Incidents in 2025

Top 10 "Awesome" Security Incidents in 2025

To help the community learn from what happened, BlockSec selected ten incidents that stood out most this year. These cases were chosen not only for the scale of loss, but also for the distinct techniques involved, the unexpected twists in execution, and the new or underexplored attack surfaces they revealed.

#10 Panoptic Incident: XOR Linearity Breaks the Position Fingerprint Scheme

#10 Panoptic Incident: XOR Linearity Breaks the Position Fingerprint Scheme

On August 29, 2025, Panoptic disclosed a Cantina bounty finding and confirmed that, with support from Cantina and Seal911, it executed a rescue operation on August 25 to secure roughly $400K in funds. The issue stemmed from a flaw in Panoptic’s position fingerprint calculation algorithm, which could have enabled incorrect position identification and downstream fund risk.