Attacker drains $1.58M from Token of Power pool via Aragon DAO governance exploit

An attacker has exploited a governance misconfiguration in the Token of Power (TOP) Aragon DAO.

They reportedly used majority voting power to mint tokens and drain roughly 944 WETH, which is worth around $1.58 million, from a Balancer V1 liquidity pool on Ethereum.

Various blockchain security firms flagged the incident, relying on the effective vector, which showed that TOP’s total token supply was just 16,384 tokens, and the attacker held slightly more than half of them.

How did the TOP token exploit work?

TOP is a MiniMeToken governed through Aragon’s voting infrastructure. According to Blockaid’s analysis, the attacker accumulated 8,192.000001 TOP, and this was more than enough to help them to clear the 50% threshold needed to pass governance proposals unilaterally. 

As a result of the Aragon Voting app on TOP’s DAO having no timelock, the attacker was able to create a proposal, vote it through, and execute it within a single transaction.

BlockSec Phalcon confirmed that the passed proposal minted a large quantity of new TOP tokens to the attacker’s address. The attacker then used those freshly minted tokens to drain the TOP/WETH Balancer V1 BPool, extracting 944.2 WETH.

It was noted that Balancer’s protocol was not itself vulnerable. The pool was simply the place where the attacker converted inflated TOP holdings into WETH.

How did the attacker move the funds?

The attacker’s wallet, 0xff8eF7bC455a57e5893232203052Ce0232b39Fa2, was funded through Tornado Cash. The exploit was executed in a single transaction through a dedicated contract, per Blockaid’s on-chain breakdown.

A textbook governance-takeover scenario

The root cause of the exploit was not a smart contract bug in the traditional sense. TOP’s token has a relatively small supply and low market capitalization, which made acquiring a controlling stake cheap.

When that was combined with Aragon’s voting configuration, which allows same-block proposal creation, voting, and execution, the attacker faced no major barrier between gaining majority power and draining funds.

Aragon’s own documentation on DAO security highlights access controls and the importance of restricting who can call sensitive functions on smart contracts.

In that same documentation, the organization stated that onchain functions are accessible by all by default and that authorized access “must be restricted to authorized addresses” when token minting or fund movements are involved.

However, TOP’s configuration did not enforce a timelock or quorum delay that could have given other token holders time to react.

What to watch

Neither the Token of Power team nor Aragon has issued any statement concerning the exploit as of publication. 

While the stolen WETH is still traceable onchain, the Tornado Cash funding of the attacker’s wallet complicates recovery prospects. The incident is a reminder that governance parameters (timelocks, quorum thresholds, proposal delays) are not optional safety features for low-supply tokens with meaningful treasury exposure.

The smartest crypto minds already read our newsletter. Want in? Join them.