4 days ago
3468
An attacker has exploited a governance misconfiguration in the Token of Power (TOP) Aragon DAO.
They reportedly used majority voting power to mint tokens and drain roughly 944 WETH, which is worth around $1.58 million, from a Balancer V1 liquidity pool on Ethereum.
Various blockchain security firms flagged the incident, relying on the effective vector, which showed that TOPβs total token supply was just 16,384 tokens, and the attacker held slightly more than half of them.
How did the TOP token exploit work?
TOP is a MiniMeToken governed through Aragonβs voting infrastructure. According to Blockaidβs analysis, the attacker accumulated 8,192.000001 TOP, and this was more than enough to help them to clear the 50% threshold needed to pass governance proposals unilaterally.Β
As a result of the Aragon Voting app on TOPβs DAO having no timelock, the attacker was able to create a proposal, vote it through, and execute it within a single transaction.
BlockSec Phalcon confirmed that the passed proposal minted a large quantity of new TOP tokens to the attackerβs address. The attacker then used those freshly minted tokens to drain the TOP/WETH Balancer V1 BPool, extracting 944.2 WETH.
It was noted that Balancerβs protocol was not itself vulnerable. The pool was simply the place where the attacker converted inflated TOP holdings into WETH.
How did the attacker move the funds?
The attackerβs wallet, 0xff8eF7bC455a57e5893232203052Ce0232b39Fa2, was funded through Tornado Cash. The exploit was executed in a single transaction through a dedicated contract, per Blockaidβs on-chain breakdown.
A textbook governance-takeover scenario
The root cause of the exploit was not a smart contract bug in the traditional sense. TOPβs token has a relatively small supply and low market capitalization, which made acquiring a controlling stake cheap.
When that was combined with Aragonβs voting configuration, which allows same-block proposal creation, voting, and execution, the attacker faced no major barrier between gaining majority power and draining funds.
Aragonβs own documentation on DAO security highlights access controls and the importance of restricting who can call sensitive functions on smart contracts.
In that same documentation, the organization stated that onchain functions are accessible by all by default and that authorized access βmust be restricted to authorized addressesβ when token minting or fund movements are involved.
However, TOPβs configuration did not enforce a timelock or quorum delay that could have given other token holders time to react.
What to watch
Neither the Token of Power team nor Aragon has issued any statement concerning the exploit as of publication.Β
While the stolen WETH is still traceable onchain, the Tornado Cash funding of the attackerβs wallet complicates recovery prospects. The incident is a reminder that governance parameters (timelocks, quorum thresholds, proposal delays) are not optional safety features for low-supply tokens with meaningful treasury exposure.
The smartest crypto minds already read our newsletter. Want in? Join them.
![KOSPI Index Crash, South Korea Stock Market Bloodbath [LIVE] β 8th June](https://image.coinpedia.org/wp-content/uploads/2026/03/03183804/Korean-Stock-Market-Crash-KOSPI-Plunges-7-Amid-U.S.%E2%80%93Israel-Iran-War-1-1024x536.webp)
English (US)