Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
After spending nearly $40 million on a new set of Azuki NFTs, the Azuki community was outraged that the creators were "diluting" the original Azuki collection with a near-replica. To counter what Azuki’s creators called a “blatant scam,” holders who claim to have collectively spent millions of dollars on the Azuki project formed AzukiDAO. The DAO created a governance token, $BEAN, which is distributed to Azuki NFT owners. The DAO then began voting to hire lawyers to sue the creators of Azuki and demand a return of the 20,000 ETH (approximately $38 million) that had been spent on the Elementals NFTs in total.

However, the governance token was exploited shortly after the DAO was created. Attackers exploited a flaw in the smart contract, and two exploiters stole approximately 35 ETH (approximately $69,000), mainly because the variable signatureClaimed in the contract was not checked properly, resulting in a replay attack. The DAO suspended the contract to prevent further theft. Attack method (per SlowMist): Replay Attack. Reported loss: $69,000.
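The replay condition described above, as an added Python model that is not the AzukiDAO contract or SlowMist's code: a signed claim stays valid on every resubmission unless the signatureClaimed flag is actually read before tokens are credited. The class, function names, key and addresses are constructed for illustration, HMAC stands in for the signer's on-chain signature check, and the "flag written but never enforced" mode is an assumed shape of the flaw, since the page gives no contract source.

```python
import hashlib
import hmac

SIGNER_KEY = b"constructed-demo-key"  # constructed; stands in for the claim signer's key


def sign_claim(claimer, amount):
    """Issue a claim authorization (HMAC replaces the real signature scheme)."""
    msg = f"{claimer}:{amount}".encode()
    return hmac.new(SIGNER_KEY, msg, hashlib.sha256).digest()


class ClaimLedger:
    """Toy model of a signature-gated token claim (hypothetical, for illustration)."""

    def __init__(self, enforce_single_use):
        self.enforce_single_use = enforce_single_use
        self.signature_claimed = {}  # signature -> True once used
        self.balances = {}

    def claim(self, claimer, amount, signature):
        # Authenticity check: a replayed valid signature passes this every time.
        if not hmac.compare_digest(signature, sign_claim(claimer, amount)):
            return False
        # Replay guard: the flag must be read here, not only written below.
        if self.enforce_single_use and self.signature_claimed.get(signature, False):
            return False
        # Mark the signature as spent before crediting the claimer.
        self.signature_claimed[signature] = True
        self.balances[claimer] = self.balances.get(claimer, 0) + amount
        return True


def replay(ledger, attempts):
    """Submit one valid signed claim `attempts` times; return the credited balance."""
    sig = sign_claim("0xHolder", 100)  # constructed address and amount
    for _ in range(attempts):
        ledger.claim("0xHolder", 100, sig)
    return ledger.balances.get("0xHolder", 0)


if __name__ == "__main__":
    print("flag not enforced:", replay(ClaimLedger(False), 5))
    print("flag enforced:    ", replay(ClaimLedger(True), 5))
```

In the unenforced mode the flag is set on the first claim and every later claim still succeeds, which is why a spent-signature record only protects the contract when the claim path rejects on it.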
- chain: —
- protocol: AzukiDao
- bug_class: rug
- date_occurred: 2023-07-03
- loss_usd: $69,000
- source_id: sm:azukidao::2023-07-03