Security in Action - A Real Hack, and How the DAO Took It Back

June 9, 2026

Yesterday, the DAO voted on something more serious than a test.

One of our users was hacked. Their entire business - NFT and partner structure - was stolen. And yesterday, by community vote, it was returned to its rightful owner.

Many of you asked for the full story. Here it is, openly: what happened, how it was resolved, what it proves about how this protocol is built, and the new security layer we're adding because of it.


What happened

One of our participants had their wallet compromised. The attacker got access to the wallet's seed phrase - the master key to everything inside it.

Let's be precise about one thing: this was not a breach of the platform or the smart contracts. The protocol itself was never compromised. The attacker got into the user's wallet the old-fashioned way - by stealing the keys.

At that moment, the Business Sale function was temporarily enabled. We had activated it earlier as part of the DAO governance test, and announced it publicly. The attacker used that open window. With control of the compromised wallet, they triggered a business transfer and moved the victim's entire account - the NFT and the full partner-tree structure - to their own address.

A business built over months, gone in one transaction.


Before anything else - the most important thing

To understand how this was resolved, you first need to understand what could NOT happen.

The team has no access to your business. None.

We cannot move your NFT. We cannot touch your structure. We cannot freeze, seize, or transfer anything in your account. This is not a policy we could quietly change tomorrow - it is how the smart contracts are built, confirmed in the CertiK audit, and enforced by the blockchain itself.

This is what decentralization actually means. If we could reach into accounts and "fix" things on our own, your assets would only ever be as safe as our goodwill - and you would have to trust us the way you trust a bank. That is exactly the model this protocol was built to replace.

So when the hack happened, there was no admin button to press. There couldn't be. And that is by design.


How it was actually resolved

What there is, is the DAO.

The victim contacted support. Their upline leader - the person who originally brought them into the ecosystem - stood with them and confirmed the situation. The team verified the owner's identity and their exclusive control of a new, secure wallet. And then the only mechanism with the authority to act was set in motion: a community vote.

Two proposals went on-chain:

1. Disable Business Sale. The governance test phase was complete anyway, and the open transfer path was the exact surface the attacker used. The DAO voted to switch the function off protocol-wide. It stays off until a future vote decides otherwise.

2. Recover the stolen account. The DAO authorized migrating the stolen position - the NFT, the structure, everything attached to it - from the attacker's address to a new wallet controlled solely by the verified owner. Not back to the original wallet: that one is still compromised, and returning the business there would hand it straight back to the same attacker.

Both proposals passed. Both executed on-chain. The full proposal texts are public on the DAO page for anyone who wants every detail.

The result: the owner is back in business from a secure wallet. The attacker's address is left with nothing.

For the record, the DAO also holds the power to freeze a malicious account entirely. In this case it wasn't even needed - the migration itself stripped the attacker of every position they held.


What this proves

We planned a governance test to validate proposals, voting, and execution. What we got instead was a live incident that put the entire security model under real pressure.

The model held:

  • The team alone could do nothing - by design.

  • The community, through the DAO, could do everything needed - close the attack surface, strip the attacker, restore the owner.

That combination is the whole point. No single party - not the team, not any individual - can touch your assets. But the community, acting together through an open on-chain vote, can restore justice when something goes wrong.

Centralized platforms give you the second without the first. Most DeFi gives you the first without the second. This protocol has both.


What you should do right now

The protocol's defenses worked. But this incident started where most incidents start: with a compromised wallet. The strongest security layer is the one you set up yourself.

Three things, today:

1. Set your financial password. A separate password required for moving funds, independent from your login. If a scammer gets into your account without it, they hit a wall.

2. Enable every security layer the platform gives you. TAN codes for transactions, 2FA, and the official Telegram bot for action verification. Each layer is one more thing an attacker has to break.

3. Protect your seed phrase like it is the business itself. Because it is. Never type it into any website, never share it with anyone, never store it in cloud notes or screenshots.

If these layers are not set up, an attacker who gets inside can move fast. Every layer you enable slows them down or stops them completely.


New: the Secret Code

This case showed us where one more layer makes sense. So we're adding it.

Within the next week, we are rolling out the Secret Code - a new element of the account security system.

How it works:

  • When you generate your financial password, the system creates a Secret Code - one random word, shown to you once.

  • If you already have a financial password, your code will be shown to you as well.

  • Write it down and store it offline. Treat it the way you treat a seed phrase.

  • From then on, any security-sensitive request to support - resetting a financial password, recovery actions, anything in that category - will require you to name your Secret Code.

No code, no changes. Even if an attacker takes over your email or messages, they cannot impersonate you to support without that word.
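To make the flow above concrete, here is an added Python sketch of how a support desk can back a Secret Code requirement. It is illustrative code written for this article, not the platform's own implementation; the wordlist, the PBKDF2 hashing, the lockout threshold and the action names are assumptions. The points it shows are the ones a defender cares about: the word is returned exactly once and only a salted hash is stored, comparison is constant-time, repeated wrong guesses lock the account so support cannot be talked into letting someone try the whole wordlist, and sensitive actions fail closed when no record exists.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist for illustration; the platform's real list is an assumption.
WORDLIST = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor"]
PBKDF2_ITERATIONS = 100_000   # assumed work factor
MAX_FAILURES = 5              # assumed lockout threshold for support-desk guesses


class SecretCodeStore:
    """Per-account Secret Code records. Only a salted hash is kept server-side,
    so a leaked database does not reveal anyone's word."""

    def __init__(self):
        self._records = {}   # account_id -> (salt, digest)
        self._failures = {}  # account_id -> consecutive failed attempts

    @staticmethod
    def _digest(word, salt):
        # Normalise so "Cobalt " and "cobalt" are the same word for the user.
        normalized = word.strip().lower().encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", normalized, salt, PBKDF2_ITERATIONS)

    def issue(self, account_id):
        """Create the code when the financial password is generated.
        Returns the word once; the caller shows it to the user and must not store it."""
        word = secrets.choice(WORDLIST)
        salt = secrets.token_bytes(16)
        self._records[account_id] = (salt, self._digest(word, salt))
        self._failures[account_id] = 0
        return word

    def is_locked(self, account_id):
        return self._failures.get(account_id, 0) >= MAX_FAILURES

    def verify(self, account_id, claimed):
        """Check a word named by someone contacting support. True only for a matching,
        unlocked account; unknown and locked accounts fail closed."""
        record = self._records.get(account_id)
        if record is None or self.is_locked(account_id):
            return False
        salt, expected = record
        ok = hmac.compare_digest(self._digest(claimed or "", salt), expected)
        if ok:
            self._failures[account_id] = 0
        else:
            self._failures[account_id] += 1
        return ok


# Assumed names for the request categories the article says will require the code.
SENSITIVE_ACTIONS = {"reset_financial_password", "recovery"}


def handle_support_request(store, account_id, action, claimed_code):
    """Gate a support action on the Secret Code; other actions pass without it.
    Returns "approved", "denied" or "locked"."""
    if action not in SENSITIVE_ACTIONS:
        return "approved"
    if store.is_locked(account_id):
        return "locked"
    if store.verify(account_id, claimed_code):
        return "approved"
    return "locked" if store.is_locked(account_id) else "denied"


if __name__ == "__main__":
    store = SecretCodeStore()
    word = store.issue("user-42")
    print("show once to the user:", word)
    print(handle_support_request(store, "user-42", "reset_financial_password", "guess"))
    print(handle_support_request(store, "user-42", "reset_financial_password", word.upper()))
```

Note that an attacker who has taken over the user's email or messages still has nothing to present here: the word never travels over those channels after the one-time display, and the server cannot leak it either, because it only holds the hash.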


Yesterday's vote did more than fix one account. It demonstrated - in production, with real stakes - that this protocol can protect its users without anyone holding centralized power over them.

The user who was attacked has their business back. The attacker walked away with nothing. The community made it happen - openly, on-chain, by vote.

Justice prevailed. That's the system working exactly as designed.