According to Blockworks, Synthetify, a Solana-native decentralized exchange (DEX), experienced a governance failure that resulted in the loss of approximately $230,000 worth of cryptocurrency. An attacker exploited the protocol's decentralized autonomous organization (DAO) by creating and voting on their own proposals. Before other DAO members could notice the issue, the funds had already been sent to Tornado Cash.
Synthetify fell into debt following FTX's meltdown in late 2021 and announced plans to restructure in April. The attacker took advantage of the DAO's inactivity by creating ten identical-looking proposals and using their own tokens to reach the voting quorum. Nine of the proposals were empty, but the tenth contained code that sent around $230,000 in USDC, mSOL, and stSOL to the attacker's address, according to security auditing firm Neodyme. The DAO's treasury still holds $89,669.
This incident highlights the risks DAOs face as they try to guard against malicious actors. In the past, attackers have exploited DAO treasuries using flash loans, borrowing large amounts of governance tokens to pass harmful proposals. Serhii Kravchenko, COO of DAO infrastructure provider DeXe, suggested that DAOs should develop better notification systems for the proposal process and invest more in financial incentives to encourage member participation.
Solana co-founder Anatoly Yakovenko also commented on the issue, stating that DAOs should have veto councils that can prevent attacks caused by token voting. He emphasized the importance of paying council members to ensure they pay attention to potential threats. The Synthetify exploit serves as a reminder of the challenges and vulnerabilities that decentralized governance systems can face.
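A proposal notification system of the kind Kravchenko suggests, or the review queue of a veto council, could flag the traits reported in this incident: a batch of look-alike proposals, quorum reached with the proposer's own tokens, and an executable payload. The sketch below is an added example, not code from Synthetify, Neodyme or any governance framework; the record fields, wallet names, quorum value and batch threshold are constructed assumptions.

```python
from collections import Counter

BATCH_MIN = 3  # assumed threshold: same proposer and title this many times


def _key(p):
    # Normalise titles so trivially different copies fall into one batch.
    return (p["proposer"], p["title"].strip().lower())


def triage(proposals, quorum):
    """Return {proposal id: [reasons]} for proposals that need human review."""
    batches = Counter(_key(p) for p in proposals)
    alerts = {}
    for p in proposals:
        reasons = []
        if p["instructions"]:
            reasons.append("carries executable instructions")
        if p["votes"].get(p["proposer"], 0) >= quorum:
            reasons.append("quorum met by proposer's own tokens")
        if batches[_key(p)] >= BATCH_MIN:
            reasons.append("part of a look-alike batch")
        if reasons:
            alerts[p["id"]] = reasons
    return alerts


def ranked(alerts):
    """Proposal ids ordered by number of reasons, most suspicious first."""
    return sorted(alerts, key=lambda i: (-len(alerts[i]), i))


# Constructed sample: nine empty look-alikes, one with a payload, one normal vote.
QUORUM = 100
SAMPLE = [{"id": i, "title": "Routine update", "proposer": "wallet_X",
           "instructions": [], "votes": {"wallet_X": 120}} for i in range(1, 10)]
SAMPLE.append({"id": 10, "title": "Routine update ", "proposer": "wallet_X",
               "instructions": [{"kind": "transfer", "asset": "USDC"}],
               "votes": {"wallet_X": 120}})
SAMPLE.append({"id": 11, "title": "Fee change", "proposer": "member_a",
               "instructions": [],
               "votes": {"member_a": 30, "member_b": 50, "member_c": 40}})

if __name__ == "__main__":
    found = triage(SAMPLE, QUORUM)
    for pid in ranked(found):
        print(pid, "; ".join(found[pid]))
```

The empty proposals are reported as well as the one with the payload, since the batch itself is the signal that something is being hidden among near-identical entries.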