Tue | Jan 18, 2022 | 12:55 PM PST

Cryptocurrencies, NFTs, and the metaverse have been hotly debated for a few months now. Will all of this new technology completely change our lives in the near future? What will life with a metaverse even look like?

Some crypto investors in Wyoming seem to think this is the way forward.

A decentralized autonomous organization (DAO) known as CityDAO purchased 40 acres of land in northwestern Wyoming in 2021 with the goal of building an entire city on the Ethereum blockchain.

While some might think this to be a brilliant, forward-looking idea to build a blockchain city, there are a lot of potential vulnerabilities and challenges to successfully implementing something like this.

CityDAO recently announced through Twitter that its Discord server had been compromised and some members' funds were stolen. The attack began with the compromise of a single moderator's Discord account.

What is CityDAO?

In July of 2021, the State of Wyoming passed a law legally recognizing DAOs as long as they are registered as companies in the state. DAOs are blockchain-based entities with no central leadership; members vote on the group's direction and other decisions with tokens, under a specific set of rules enforced on the blockchain.

CityDAO is the first DAO to actually own land and aspires to be a city collectively governed through blockchain. The group offers citizenship through the purchase of a "land NFT" that represents ownership of real land, which anyone can purchase for 0.25 ETH, and includes access to voting rights and the group's Discord channel.

Through Discord, CityDAO hosts a community, makes announcements, answers questions, and issues alerts for "land drops," which are opportunities for people to buy land NFTs (non-fungible tokens).

CityDAO scammed through Discord

The CityDAO moderator whose account was compromised, known by the username Lyons800, detailed the entire experience through Twitter, sharing what they believe to be the exact route of the exploit.

The Twitter thread reads as follows:

"The scammer mocked up a conversation between another user in a different server with my username, claiming that I was scamming users in their server or possibly my account was compromised and they had banned me.

Upon first seeing the message I immediately went to this server to verify who the mod was claiming to be, and the username was an exact match as well as the unique identifier (later realizing that it was created using non-ASCII chars and looked the exact same).

I explained that obviously someone had created an account using non-ASCII characters to impersonate me and that I could verify that wasn't me. I suggested a voice call as well as sending messages to that user from my account to prove it was not the same regex.

I got on a voice call with this user (whom I verified multiple times was the same user as the mod in the server I had been banned from) and spoke with him about the attack and what may have happened.

The exploiter asked me to verify that I was not masking my IP or identity in any way and to inspect the console. I thought that even if this was a fake call, there was little issue inspecting elements in Discord to prove my identity.

I am still not fully familiar with the access this token gives but we are taking it that the attacker had full Discord access.

Once the attacker had access, the next step of the scam was to exploit the CityDAO and BaconDAO server.

The scammer did so by using my user, webhooks, and the Discord server booster role. The Discord server booster role is a non-revocable role; once a user boosts the server, this role cannot be removed unless the user is banned.

Next the scammer used my ID to assign core-team roles to other scammer IDs in the server and also changed permissions of the server booster role to be able to manage webhooks. By doing this the scammers could actively create and use webhook info in the server.

Using multiple Discord server booster roles, the scammer(s) created multiple webhooks allowing them to post announcements into channels with what looked like a bot to other members. These messages came from a fake bot and contained a malicious link to mint NFTs.

In these links, a website contained information on the fake mint and a wallet address to send funds to. To the best of my knowledge there was no wallet interaction so users only performed a transfer function so only the money they sent is lost.

The scammer(s) also posted using my Discord ID with the links and assigned core team roles to a fake @scottfits (with different regex) to make it look more legit.

As we removed the links and webhooks, multiple server booster scam users created new ones and continued to post the links and scams.

We timed out my user and revoked all server booster & normal user permissions, which put a stop to the exploit and scam.

My Discord was still compromised so I transferred all server ownerships, emptied Tip.cc Wallets and then disabled my account until we can explore this more."
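Lyons800's check above, confirming that "the username was an exact match" before realizing it "was created using non-ASCII chars and looked the exact same", is the classic lookalike trap. The following is an added example, not code from CityDAO, Lyons800 or Discord, of how a moderation tool could flag such names: it folds a display name with NFKC normalization (which already collapses fullwidth letters to ASCII), maps a small, constructed table of Cyrillic and Greek lookalikes back to ASCII, and compares the result against a roster of trusted names. The roster and the sample names are constructed, and the confusable map is deliberately partial; a production check would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately partial map of Unicode lookalikes for ASCII letters.
# A production check would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",  # Cyrillic у х ѕ і ј
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",  # Cyrillic А В Е К М
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",  # Cyrillic Н О Р С Т
    "\u03bf": "o", "\u0391": "A", "\u0395": "E", "\u039f": "O", "\u03a1": "P",  # Greek ο Α Ε Ο Ρ
}


def skeleton(name: str) -> str:
    """Collapse a display name to an ASCII skeleton.

    NFKC folds compatibility forms (e.g. fullwidth 'Ｌ' -> 'L'); the lookalike
    table then maps visually identical non-ASCII letters onto their ASCII twins.
    """
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def suspicious_chars(name: str):
    """Non-ASCII code points in a name, with their Unicode names, for a human reviewer."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 0x7F]


def triage(claimed_name: str, roster):
    """Compare a display name against a roster of trusted names (e.g. the mod team).

    Returns ("exact", name) for a byte-identical match, ("lookalike", name) when the
    name only collapses to a trusted one after normalization, else ("unknown", None).
    """
    if claimed_name in roster:
        return ("exact", claimed_name)
    sk = skeleton(claimed_name)
    for trusted in roster:
        if skeleton(trusted) == sk:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed roster and sample names; "L\u0443ons800" uses CYRILLIC SMALL LETTER U
    # and "\uff53cottfits" uses FULLWIDTH LATIN SMALL LETTER S.
    roster = ["Lyons800", "scottfits"]
    for name in ["Lyons800", "L\u0443ons800", "\uff53cottfits", "randomuser"]:
        verdict, match = triage(name, roster)
        print(f"{name!r}: {verdict} {match or ''} {suspicious_chars(name)}")
```

The "lookalike" verdict is the one that should stop a moderator from trusting a name on sight; the only identifier worth comparing is the account's immutable numeric user ID, never the rendered name.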

Within one day of the compromise, the attacker had scammed members of CityDAO out of 29.67 ETH (approximately $92,514 as of publishing), and the attacker's wallet has continued to receive funds since.
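The thread describes a chain of permission abuse: core-team roles handed to other accounts, the booster role edited to allow webhook management, and webhooks used to post as a bot. Below is an added example, not CityDAO's, Discord's or Lyons800's code, of the kind of offline audit a server admin could run over an exported role and webhook list. It flags roles outside an allowlist that hold high-risk permissions, rates the booster role highest because it cannot be stripped from a member without a ban, and lists incoming webhooks created by accounts outside an allowlist. The permission bit positions are Discord's documented permission flags, and the `premium_subscriber` role tag is how Discord's API marks the booster role; the snapshot data, IDs, names and allowlists are constructed.

```python
# Discord permission flags (bit positions as documented in the Discord API).
ADMINISTRATOR    = 1 << 3
MANAGE_CHANNELS  = 1 << 4
MANAGE_GUILD     = 1 << 5
VIEW_CHANNEL     = 1 << 10
SEND_MESSAGES    = 1 << 11
MENTION_EVERYONE = 1 << 17
MANAGE_ROLES     = 1 << 28
MANAGE_WEBHOOKS  = 1 << 29

# Permissions that let a role post as a "bot", reassign roles or otherwise take over a server.
HIGH_RISK = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
    "MENTION_EVERYONE": MENTION_EVERYONE,
}


def high_risk_perms(permissions_bitfield: str):
    """Names of high-risk flags set in a role's permission bitfield (a decimal string in the API)."""
    bits = int(permissions_bitfield)
    return sorted(name for name, flag in HIGH_RISK.items() if bits & flag)


def is_booster_role(role) -> bool:
    """Discord marks the Server Booster role with a 'premium_subscriber' tag."""
    return "premium_subscriber" in (role.get("tags") or {})


def audit_roles(roles, trusted_role_ids):
    """Flag roles outside the trusted set that carry high-risk permissions.

    The booster role is rated 'high': it is granted automatically to anyone who
    boosts and cannot be removed from a member short of a ban.
    """
    findings = []
    for role in roles:
        perms = high_risk_perms(role["permissions"])
        if not perms or role["id"] in trusted_role_ids:
            continue
        findings.append({
            "role_id": role["id"],
            "role": role["name"],
            "perms": perms,
            "severity": "high" if is_booster_role(role) else "medium",
        })
    return findings


def audit_webhooks(webhooks, trusted_user_ids):
    """Flag incoming webhooks (type 1) whose creator is not a trusted account."""
    return [
        {"webhook_id": w["id"], "name": w["name"], "channel_id": w["channel_id"],
         "created_by": w.get("user", {}).get("id")}
        for w in webhooks
        if w.get("type") == 1 and w.get("user", {}).get("id") not in trusted_user_ids
    ]


# Constructed snapshot in the shape of Discord's role and webhook objects; all IDs are made up.
SNAPSHOT_ROLES = [
    {"id": "100", "name": "@everyone", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES), "tags": {}},
    {"id": "101", "name": "core-team", "permissions": str(ADMINISTRATOR), "tags": {}},
    # Booster role that has been edited to allow webhook management: the drift to catch.
    {"id": "102", "name": "Server Booster", "permissions": str(SEND_MESSAGES | MANAGE_WEBHOOKS),
     "tags": {"premium_subscriber": None}},
]
SNAPSHOT_WEBHOOKS = [
    {"id": "900", "type": 1, "name": "Announcements", "channel_id": "500", "user": {"id": "1"}},
    {"id": "901", "type": 1, "name": "Mint Alerts", "channel_id": "500", "user": {"id": "77"}},
]
TRUSTED_ROLES = {"101"}   # roles that are expected to hold high-risk permissions
TRUSTED_USERS = {"1"}     # accounts allowed to own webhooks


def run_audit():
    """Run both checks over the constructed snapshot and return the findings."""
    return {
        "roles": audit_roles(SNAPSHOT_ROLES, TRUSTED_ROLES),
        "webhooks": audit_webhooks(SNAPSHOT_WEBHOOKS, TRUSTED_USERS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

In a real deployment the two lists would come from the server's roles and webhooks endpoints (`GET /guilds/{guild.id}/roles` and `GET /guilds/{guild.id}/webhooks` in the Discord API), and the audit would be run on a schedule so that a permission change on the booster role or a webhook created by an unexpected account is caught before it is used to post.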

Blockchain city not a good idea?

Motherboard reports that in the last three days, the scammer transferred 20 ETH to the Tornado.Cash tumbler and 11.6 ETH to another address. 14 ETH remain in the wallet, but it's unclear if all of the funds are from CityDAO members.

Motherboard also comments on the viability of a blockchain city, along with the Discord issues:

"The ease with which funds were stolen and a community duped—most of the ETH transfers happened in the space of one hour—suggests that building a city on the blockchain might not be the wisest endeavor if you're also using a gaming chat application to do everything.

As Lyons points out, Discord seems to be the weakest link here as the breach used a ridiculous exploit that bypassed two factor authentication and his password. And yet, DAOs and NFT projects of all sorts rely on Discord as a way to reliably connect community members, announce updates, organize marketing campaigns, and vote on new proposals for their projects."

@Lyons_800 concludes the detailed Twitter thread by reminding everyone to be extremely cautious when clicking on links in servers and connecting wallets to applications. They also note that Discord "is incredibly insecure and multiple exploits like this have happened across different servers."

See the original story from Motherboard for more information.
