MahaDAO Governance Security Incident - Analysis

As reported earlier this week, the MahaDAO governance portal was attacked.

Upon investigation, it was determined that an attacker had gained unauthorized access to a set of smart contracts and had made several changes to that part of the system, which allowed them to withdraw MAHA from that particular staking contract only and sell it on the open market. The attacker was also able to manipulate the Stability Pool to a limited extent.

The impact is fortunately minimal, and all funds are safe.

The governance portal is an innovative new attempt at combining staking, governance, and NFTs into a single ecosystem. While ownership of most MahaDAO smart contracts has already been transferred to MAHA Governance, a few contracts were still in the process of being migrated, including those that were compromised in this incident.

We are already working with multiple audit firms to review our entire ecosystem and are evaluating insurance providers to help protect the ecosystem in the event of any such attack in the future.

In consultation with our security partners, we have immediately taken thorough steps to ensure that the issue does not arise again and that operations continue as usual.

Migration of MAHA

The team quickly froze the MAHA token via an emergency multisig and removed any remaining DEX liquidity to prevent further damage. Because of this, the attacker was able to exit only a small portion of the stolen funds.

The team took a snapshot of all MAHA holders (except for the attacker’s wallet), issued a new token within 24 hours, and upgraded all core contracts to use the newly deployed MAHA.

The newly deployed MAHA token is hosted at: 0x745407c86df8db893011912d3ab28e68b62e49b0

The deployment is currently under audit and, once complete, will be used by the various exchanges to resume deposits/withdrawals for MAHA.
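The snapshot-and-airdrop step above can be expressed as a small reconciliation script. This is an added example, not MahaDAO's own migration tooling: it takes a list of old-token balances, drops the attacker's wallet (the address published in this announcement), merges duplicate spellings of the same holder, allocates the new token 1:1, and checks that the new supply equals the old supply minus the excluded balance. The sample snapshot and holder addresses are constructed.

```python
# Added example (not MahaDAO's tooling): build a 1:1 airdrop allocation for a
# replacement token from a snapshot of old-token balances, excluding the
# attacker's wallet, and reconcile the totals. Balances are integers (wei).

ATTACKER = "0xc27dd1c5398a22c8b36cd621c3346962ec7bbd39"  # from the announcement


def normalize(addr: str) -> str:
    """Lower-case a hex address so checksummed and lower-case spellings of one
    holder collapse into a single entry; this prevents a double allocation."""
    a = addr.strip()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError if the body is not hex
    return a.lower()


def build_airdrop(snapshot, excluded):
    """Return {address: new_balance} for every holder in `snapshot`, an iterable
    of (address, old_balance), except the excluded wallets. Duplicate rows for a
    holder are summed, and zero balances are dropped. Ratio is 1:1."""
    blocked = {normalize(a) for a in excluded}
    merged = {}
    for addr, bal in snapshot:
        if bal < 0:
            raise ValueError(f"negative balance for {addr}")
        key = normalize(addr)
        if key in blocked:
            continue
        merged[key] = merged.get(key, 0) + bal
    return {a: b for a, b in merged.items() if b > 0}


def reconcile(snapshot, excluded, allocation):
    """Verify old supply minus excluded balances equals the supply being
    airdropped; returns (old_total, excluded_total, new_total)."""
    blocked = {normalize(a) for a in excluded}
    old_total = sum(b for _, b in snapshot)
    excluded_total = sum(b for a, b in snapshot if normalize(a) in blocked)
    new_total = sum(allocation.values())
    if old_total - excluded_total != new_total:
        raise AssertionError("airdrop total does not match the snapshot")
    return old_total, excluded_total, new_total


# Constructed sample snapshot: holder A appears twice with different casing.
HOLDER_A, HOLDER_B, HOLDER_C = ("0x" + "0" * 38 + s for s in ("A1", "B2", "C3"))
SNAPSHOT = [
    (HOLDER_A, 1_000 * 10**18),
    (HOLDER_A.lower(), 500 * 10**18),
    (HOLDER_B, 250 * 10**18),
    (ATTACKER, 7_000 * 10**18),
    (HOLDER_C, 0),
]

if __name__ == "__main__":
    alloc = build_airdrop(SNAPSHOT, [ATTACKER])
    print(reconcile(SNAPSHOT, [ATTACKER], alloc), len(alloc))
```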

Post-Exploit

We are working with various forensic and fund-recovery teams and cyber-security authorities and have already collected significant information about the attacker. As their investigation continues, we will continue to share progress updates with $MAHA holders.

We have made efforts to contact the attacker to request a partial refund of funds in exchange for a white hat bounty. The attacker’s wallet is 0xc27dd1c5398a22c8b36cd621c3346962ec7bbd39.

All other products resume operations as they normally would, and we continue to work with more auditors and insurance providers to further secure the protocol.

To Conclude

With the safe and quick execution of the recovery plan, MAHA now continues to move forward.

Thank you for your understanding and support as we resolved this issue. We apologize for any inconvenience caused and appreciate your patience. We will continue to keep you updated on our progress and any further developments.

FAQs

What will happen to my staked MAHA tokens?

Your staked MAHA tokens are fine, and you won’t have to do anything. You can continue to interact with the governance portal as you normally would.


What are the measures that I need to take as a governance staker?

You don’t have to take any measures besides taking care of your wallets and NFTs.


What about the gas fees for the transactions required to migrate?

There are no gas fees, as the team has paid the gas fees itself by airdropping the new $MAHA tokens to you.


I have MAHA on exchanges. What should I do?

You don’t have to do anything, as we are already coordinating with the various exchanges to migrate the token to the new address. Once the migration is complete, they will resume deposits/withdrawals as usual, and you will be able to move your MAHA in and out of exchanges using the new address.


My MAHA is stuck in deposits on a CEX. What should I do?

We request that you raise a support ticket with the exchange. They usually have a dedicated support line to resolve such issues. If that does not yield any results, you can raise a ticket with us at support.mahadao.com, and we will attempt to get this resolved for you.


What about the MAHA Tokens I have in the wallets?

The old MAHA token has been frozen, and the new token has been airdropped into your wallet. Simply add the new token in MetaMask or your wallet so that it is displayed, and you should be able to use it as you normally would.


If I bought MAHA after the attack, will it get airdropped?

After the attack, the token was immediately frozen, so anyone with a balance of MAHA on the ETH chain will automatically receive the new token.


Why can’t I transfer my MAHA token?

The old token is frozen. Simply add the new token to your wallet, and you should be able to transfer your MAHA back and forth again.

https://etherscan.io/token/0x745407c86df8db893011912d3ab28e68b62e49b0


At what ratio will the MAHA tokens be airdropped?

The tokens are airdropped at a 1:1 ratio.


What about the MAHA tokens stored in cold wallets?

Cold wallets automatically receive the new token. Their holders don’t have to do anything else.


For MAHA-ARTH LPs, how do we get airdropped?

For LPs, we will look to refund their position as it was at the time of the attack, along with some extra incentives.


How will staked $ETH be returned? Will it be airdropped or returned to the pool, and will that happen within 24 hours as well?

It will be redeemable from the arth.loans portal.