Verify a decision

{"actor":"system:backfill","investigation_id":"d9a83a1a-0442-43a1-8edc-2c14449f8825","kind":"publish","page_slug":"token-of-power-top","published_at":"2026-06-14T23:16:19.434Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Token of Power (TOP)","sections":[{"content":"On June 9, 2026, the Token of Power protocol suffered a governance-takeover exploit resulting in a loss of approximately $1.58 million. The attacker's wallet (0xff8eF7bC455a57e5893232203052Ce0232b39Fa2) was funded via Tornado Cash, with CertiK reporting the attacker withdrew approximately 662 ETH from Tornado Cash prior to the attack. The attacker used these funds to purchase 8,192.000001 TOP tokens from the Balancer V1 pool, representing just over 50% of the project's total 16,384-token supply. With majority voting control established, the attacker exploited the absence of any timelock in the Aragon DAO's voting contract to create, vote on, and execute a malicious governance proposal within a single on-chain transaction. The proposal triggered the DAO's TokenManager contract to mint 10 billion new TOP tokens directly to an attacker-controlled exploit contract (0x25c6...729A21). The attacker then swapped these newly minted tokens into the TOP/WETH Balancer V1 liquidity pool, draining 944.2 WETH valued at approximately $1.58 million. The stolen WETH was subsequently deposited back into Tornado Cash, complicating on-chain tracing. Security firm BlockSec Phalcon calculated that after accounting for the initial cost of acquiring the majority token position, the attacker netted approximately 281 WETH in profit. Balancer's core protocol was not itself vulnerable; the pool served solely as the venue through which inflated TOP tokens were exchanged for real WETH assets.","heading":"Governance-Takeover Exploit (June 9, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Token of Power exploit drains $1.58M from Balancer pool - crypto.news","type":"news_article","url":"https://crypto.news/token-of-power-exploit-drains-1-58m-from-balancer-pool/"},{"credibility":2,"name":"Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/"},{"credibility":2,"name":"One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-vote-1-58m-gone-top-token-hit-by-alleged-governance-attack/"},{"credibility":2,"name":"Attacker cleans out $1.6M from Token of Power (TOP) in Aragon DAO exploit - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/token-of-power-top-aragon-dao-exploit/"},{"credibility":2,"name":"Token of Power Loses $1.58M in Governance Exploit as Attacker Hijacks Aragon DAO - Cryip","type":"news_article","url":"https://cryip.co/token-of-power-loses-1-58m-in-governance-exploit-as-attacker-hijacks-aragon-daoethereum/"}]},{"content":"Security researchers including Blockaid, BlockSec Phalcon, PeckShield, and Cyvers Alerts identified several compounding design failures that enabled the exploit. First, the project's original token supply of only 16,384 tokens made it trivially inexpensive for a well-capitalized attacker to acquire a decisive governance majority. Second, the Aragon Voting app deployed by the project had no timelock between proposal creation and execution, allowing the attacker to complete the entire governance cycle — create, vote, execute — within a single Ethereum transaction with no opportunity for defenders to intervene. Third, the TokenManager contract had no minting caps or independent controls to prevent governance from minting an essentially unlimited number of new tokens. Fourth, the MiniMeToken architecture used by the project, while standard for Aragon deployments, amplified all of these risks by making historical balances the basis for voting weight. Blockaid stated: 'The Aragon Voting app allowed create, vote, and execute in a single transaction with no timelock.' BlockSec Phalcon urged any project using similar governance implementations to review voting power distribution, quorum thresholds, and mint permissions. Post-exploit on-chain data showed the total TOP supply inflated to approximately 10 billion tokens, with a single wallet controlling 100% of that supply and a Gini coefficient of 0.9954, indicating extreme centralization.","heading":"Root Cause: Governance Design Failures","severity":"critical","sources":[{"credibility":2,"name":"Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/"},{"credibility":2,"name":"Attacker cleans out $1.6M from Token of Power (TOP) in Aragon DAO exploit - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/token-of-power-top-aragon-dao-exploit/"},{"credibility":2,"name":"$1.58 Million Vanishes in Minutes: How a Tiny Token's Governance Was Hijacked - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605451711"}]},{"content":"Token of Power was launched on March 20, 2021 by an anonymous creator who described themselves as a financial engineer working at Lido Finance. The project was described as 'an art happening by the means of finance,' inspired by the Hashmasks NFT collection and Unisocks. The creator purchased a composite Hashmasks image — referred to as a 'Metamask' — for 5 ETH and fractionalized it into governance tokens (TOP), placing all tokens into a Balancer V1 liquidity pool. LP tokens from the pool were locked behind the DAO's voting mechanism, creating nested layers of governance and liquidity requirements. The project operated under the name 'The Mask of Power' with a website at maskofpower.art. The creator explicitly stated the project had 'no team,' framing participants as the organizing force. The token contract address is 0x0EBD5eC91680d3B0CEDbb1d5BB61851154D3eDb6 on Ethereum. As of June 10, 2026, 218 total token holders were recorded prior to the exploit, and the liquidity pool had been nearly fully drained by the attack. The project had not published any security audit of its governance configuration.","heading":"Project Background and Structure","severity":"high","sources":[{"credibility":2,"name":"The Story of the Mask Of Power - write.as/maskofpower","type":"official","url":"https://write.as/maskofpower/the-story-of-the-mask-of-power"},{"credibility":2,"name":"Token of Power Loses $1.58M in Governance Exploit as Attacker Hijacks Aragon DAO - Cryip","type":"news_article","url":"https://cryip.co/token-of-power-loses-1-58m-in-governance-exploit-as-attacker-hijacks-aragon-daoethereum/"},{"credibility":2,"name":"Token Of Power Pool Drained For $1.58M In Tornado Cash-Linked Transaction - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/token-of-power-pool-drained-for-1-58m-in-tornado-cash-linked-transaction/"}]},{"content":"The attacker used the Ethereum privacy mixer Tornado Cash at both ends of the attack. Prior to the exploit, CertiK reported that the attacker withdrew approximately 662 ETH from Tornado Cash to fund the acquisition of the majority TOP token position. After draining 944.2 WETH from the Balancer pool, the stolen proceeds were deposited back into Tornado Cash to obscure the funds' on-chain trail. PeckShield was among the first security firms to issue a public alert identifying the Tornado Cash connection. The use of Tornado Cash at both stages of the operation is consistent with the pattern of a premeditated attack designed to minimize traceability. As of the time of reporting (June 10, 2026), no funds had been recovered and the attacker's identity remained unknown.","heading":"Fund Laundering via Tornado Cash","severity":"critical","sources":[{"credibility":2,"name":"Token Of Power Pool Drained For $1.58M In Tornado Cash-Linked Transaction - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/token-of-power-pool-drained-for-1-58m-in-tornado-cash-linked-transaction/"},{"credibility":2,"name":"Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/"},{"credibility":2,"name":"Attacker Steals $1.6 Million Worth of TOP Tokens in Aragon DAO Breach - Crypto Economy","type":"news_article","url":"https://crypto-economy.com/attacker-steals-1-6-million-worth-of-top-tokens-in-aragon-dao-breach/"}]},{"content":"As of June 10, 2026, neither the Token of Power project nor Aragon had issued any official statement regarding the exploit, recovery plans, or compensation for affected liquidity providers. The absence of a public team response is consistent with the project's self-described 'no team' structure, which may leave affected participants without a clear point of contact or accountability pathway. The token contract shows the total supply inflated to approximately 10 billion TOP tokens, with the attacker's contract holding virtually the entire supply. The Balancer V1 pool was rendered effectively worthless by the drain. No law enforcement referral, white-hat negotiations, or bug bounty framework was reported in connection with this incident.","heading":"Post-Exploit Status and Absence of Team Response","severity":"high","sources":[{"credibility":2,"name":"One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-vote-1-58m-gone-top-token-hit-by-alleged-governance-attack/"},{"credibility":2,"name":"Attacker cleans out $1.6M from Token of Power (TOP) in Aragon DAO exploit - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/token-of-power-top-aragon-dao-exploit/"}]},{"content":"The following on-chain addresses are associated with the Token of Power exploit as reported by multiple security firms. Token contract (Ethereum): 0x0EBD5eC91680d3B0CEDbb1d5BB61851154D3eDb6. Attacker wallet: 0xff8eF7bC455a57e5893232203052Ce0232b39Fa2. Exploit contract: 0x25c6...729A21 (partial; full address not confirmed across all sources). These addresses were identified by Cyvers Alerts, PeckShield, BlockSec Phalcon, and Blockaid in their post-incident analyses.","heading":"On-Chain Identifiers","severity":"medium","sources":[{"credibility":2,"name":"Token of Power Loses $1.58M in Governance Exploit as Attacker Hijacks Aragon DAO - Cryip","type":"on_chain","url":"https://cryip.co/token-of-power-loses-1-58m-in-governance-exploit-as-attacker-hijacks-aragon-daoethereum/"},{"credibility":2,"name":"One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-vote-1-58m-gone-top-token-hit-by-alleged-governance-attack/"}]}],"sources_used":[{"credibility":2,"name":"Token of Power exploit drains $1.58M from Balancer pool - crypto.news","type":"news_article","url":"https://crypto.news/token-of-power-exploit-drains-1-58m-from-balancer-pool/"},{"credibility":2,"name":"Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/"},{"credibility":2,"name":"One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-vote-1-58m-gone-top-token-hit-by-alleged-governance-attack/"},{"credibility":2,"name":"Token of Power Loses $1.58M in Governance Exploit as Attacker Hijacks Aragon DAO - Cryip","type":"news_article","url":"https://cryip.co/token-of-power-loses-1-58m-in-governance-exploit-as-attacker-hijacks-aragon-daoethereum/"},{"credibility":2,"name":"Attacker cleans out $1.6M from Token of Power (TOP) in Aragon DAO exploit - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/token-of-power-top-aragon-dao-exploit/"},{"credibility":2,"name":"Token Of Power Pool Drained For $1.58M In Tornado Cash-Linked Transaction - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/token-of-power-pool-drained-for-1-58m-in-tornado-cash-linked-transaction/"},{"credibility":2,"name":"Attacker Steals $1.6 Million Worth of TOP Tokens in Aragon DAO Breach - Crypto Economy","type":"news_article","url":"https://crypto-economy.com/attacker-steals-1-6-million-worth-of-top-tokens-in-aragon-dao-breach/"},{"credibility":2,"name":"$1.58 Million Vanishes in Minutes: How a Tiny Token's Governance Was Hijacked - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605451711"},{"credibility":2,"name":"The Story of the Mask Of Power - write.as/maskofpower","type":"official","url":"https://write.as/maskofpower/the-story-of-the-mask-of-power"}],"summary":"Token of Power (TOP) is an Ethereum-based ERC-20 governance token created in March 2021 as a financial art experiment built around fractionalized ownership of a MetaMask-themed NFT, with liquidity and governance managed through a Balancer V1 pool and an Aragon DAO. On June 9, 2026, the project suffered a catastrophic governance-takeover exploit in which an attacker acquired a majority of the token's 16,384-token supply, used the Aragon DAO's absence of timelock protections to create, vote on, and execute a malicious proposal in a single transaction, minted 10 billion new TOP tokens, and drained 944.2 WETH (approximately $1.58 million) from the Balancer V1 liquidity pool. Stolen funds were laundered through Tornado Cash and no official project response had been issued as of June 10, 2026.","timeline":[{"date":"2021-03-20","event":"Token of Power (TOP) launched by an anonymous creator. The Mask of Power DAO was established with a Balancer V1 TOP/WETH pool and an Aragon DAO governance structure. Total supply set to 16,384 TOP tokens.","source":"The Story of the Mask Of Power - write.as/maskofpower","source_url":"https://write.as/maskofpower/the-story-of-the-mask-of-power"},{"date":"2026-06-09","event":"Attacker withdraws approximately 662 ETH from Tornado Cash to fund the attack, then acquires 8,192.000001 TOP tokens from the Balancer V1 pool, securing just over 50% of the total supply and majority governance control.","source":"Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit - AMBCrypto","source_url":"https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/"},{"date":"2026-06-09","event":"Attacker executes a single-transaction Aragon DAO governance proposal with no timelock, triggering the TokenManager to mint 10 billion new TOP tokens to the attacker's exploit contract. Attacker swaps minted tokens into the Balancer V1 pool, draining 944.2 WETH (~$1.58 million). Stolen funds routed through Tornado Cash.","source":"Token of Power exploit drains $1.58M from Balancer pool - crypto.news","source_url":"https://crypto.news/token-of-power-exploit-drains-1-58m-from-balancer-pool/"},{"date":"2026-06-09","event":"Security firms Cyvers Alerts, PeckShield, Blockaid, and BlockSec Phalcon publish on-chain alerts and analyses identifying the attacker wallet, exploit mechanism, and Tornado Cash funding trail.","source":"Attacker cleans out $1.6M from Token of Power (TOP) in Aragon DAO exploit - Cryptopolitan","source_url":"https://www.cryptopolitan.com/token-of-power-top-aragon-dao-exploit/"},{"date":"2026-06-10","event":"Multiple crypto news outlets publish full incident reports. No official statement issued by the Token of Power project or Aragon. Funds remain unrecovered. Post-exploit total supply stands at approximately 10 billion TOP with a single wallet holding virtually all tokens.","source":"One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack - CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/10/one-vote-1-58m-gone-top-token-hit-by-alleged-governance-attack/"}]},"v":1}