Third Party Developer Exploited

WeAreCultDAO
3 min readSep 14, 2023

Not a medium I ever wanted to write, but unfortunately due to a hack some of our third party developers suffered, their hackers were able to gain access to the Cult & RVLT Deployer.

It is worth noting that $CULT as a token & Cult DAO as a protocol is 100% immutable, autonomous & with all ownership functions renounced and as such is unaffected.

Similarly, TRG and its related contracts are safe, and ownership of the smart contracts has been transferred to a secure address.

However, as many in the community know, RVLT has had a lot of tweaks made in its governance and so the governance contract remained owned by the Cult DAO deployer.

The Cult DAO deployer wallet was created by 0xBlock originally in order to deploy the CULT DAO contracts, before being transferred to ourselves via secret key, it remained attached to 0xBlocks now exploited wallet, alongside other projects who and where they had deployed contracts for before.

As you can see by the below screenshots, a variety of projects have suffered due to this, as the exploit was not one of Cult or our ecosystem but was rather an exploit of some developers we have used in the past and as such has affected Astra DAO, TokenMetrics & many others who have also used 0xBlocks services in the past.

https://etherscan.io/address/0x6cd36b9459dfef332479d50bec129932285a1656

Unfortunately this includes some of our Modulus based builders, at present we believe just MODS (Modulus Domain Service).

In order to best support the ecosystem we had set up an incubation hub where projects who contacted us could receive access to our connections, KOLs & of course developers if needed. Not everybody needed all of that help but those who did take up our help on the development side of course may have been affected.

For the most basic of explanations. This was a planned attack as they deployed a new staked RVLT contract 3 hours before they began withdrawing funds.

https://polygonscan.com/tx/0x9bf7c3cc27aee5ff16b02db845f294e493cbc2ee168f0bdbaea3419e1acc85a0

The hackers gained access to 0xBlocks wallet (we are awaiting explanation from them on how) which held many deployers but with it, the deployer wallet for CULT and RVLT. All of CULTs contracts were fully renounced, so the only damage they could do was to dump 1% of all the TRG letters. 5 of which had 0 liquidity already.

Due to the governance contract for RVLT being upgradeable and owned by the CULT/RVLT deployer, the hacker was able to upgrade the RVLT staking contract & did so by upgrading the proxy to point to a new implementation, where they had added the “WithdrawAdmin” function, allowing them to withdraw all staked uRVLT which they then dumped into the liquidity extracting significant amounts of the Ethereum from the LP pool which was locked for 265 years.

We will be publishing a further medium once we know the full details of how 0xBlock were exploited, and once we reach out to the hacker to see if we can recover funds stolen. In the meantime you can be assured that $CULT as a protocol and DAO cannot ever be edited or changed.

We will strive to keep you as updated as possible.

--

--