This morning a user got rugged while using DataDAOFinance on #FTM. He was merely trying to mint an NFT and ended up losing all of his account’s HODLings while approving the smart contract transaction. The user then reported this in the PeckShield Telegram group and asked people to remove their approvals if they had approved the contract before.
Further, DataDAO’s Twitter handle and Telegram channel have already been deleted. The contract in question supposedly has a backdoor that lets the owner steal user funds through approvals.
// Owner-only withdrawals: each one sends the contract's entire balance of that token to the caller (the owner).
function withdrawDai() external onlyOwner {
    dai.transfer(_msgSender(), dai.balanceOf(address(this)));
}
function withdrawMim() external onlyOwner {
    mim.transfer(_msgSender(), mim.balanceOf(address(this)));
}
function withdrawUsdc() external onlyOwner {
    usdc.transfer(_msgSender(), usdc.balanceOf(address(this)));
}
As we can see in the part of the contract above, the onlyOwner functions give the owner withdrawal access to DAI, MIM, and USDC. Looking deeper into the contract, the contract creator can withdraw funds, but only after a user has approved the contract. I think rarely do any of us read the entire contract before approving a transaction.
The contract address is 0x689E0205D21337CFEbBe0BeAbf33E1BaE2A1aE06
Users must allow smart contracts to use their assets in order to swap tokens, provide liquidity to liquidity pools, stake, or interact with farms. Once approved, the smart contract can use the specified amount of LP tokens in accordance with its strategy. The same holds true for regular tokens.
Users can quickly swap their tokens, such as USDC, to ETH and BTCB and then deploy them directly in a liquidity pool using platforms like zapper.fi. Zapper will then ask for permission to spend either the specified amount of tokens or an unlimited amount, requiring only one approval. However, this entails some risks.
In this case, a user was trying to mint NFTs, and the mint required the user to approve the contract. If you’ve approved DataDAO tokens or contracts, revoke your approvals ASAP. The contract creator’s address is 0x364Fcd4B24d858246939D7E4891aDc8E44E9C00A, which clearly shows he’s taking the funds out to 0xDFf6135CFa21F0a5b6C7bd95a98210f1D168456d.
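To turn the revoke-your-approvals advice above into a check, here is an added example (not code from the original post or from DataDAO) that replays ERC-20 Approval event logs offline, works out a wallet’s current allowances, and flags any that are unlimited or granted to the contract address quoted in the post. The log records, wallet and token addresses are constructed sample data in the shape returned by eth_getLogs; the router address is a placeholder.

```python
# Approval(address,address,uint256) event signature hash (standard ERC-20 topic)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
# Contract address quoted in the post above
FLAGGED_SPENDER = "0x689E0205D21337CFEbBe0BeAbf33E1BaE2A1aE06".lower()

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs):
    """Replay Approval logs in chain order; each Approval overwrites the previous allowance."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # not a standard ERC-20 Approval log
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)
    return allowances

def risky_allowances(logs, wallet):
    """Return the wallet's live allowances that are unlimited or granted to the flagged spender."""
    wallet = wallet.lower()
    findings = []
    for (token, owner, spender), value in current_allowances(logs).items():
        if owner != wallet or value == 0:
            continue  # someone else's approval, or already revoked
        reasons = []
        if value == UNLIMITED:
            reasons.append("unlimited")
        if spender == FLAGGED_SPENDER:
            reasons.append("flagged spender")
        if reasons:
            findings.append({"token": token, "spender": spender, "allowance": value, "reasons": reasons})
    return findings

def pad_topic(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

# Constructed sample data: a wallet, two placeholder token contracts and a placeholder router.
WALLET = "0x" + "aa" * 20
TOKEN_A, TOKEN_B, ROUTER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
def approval(block, idx, token, owner, spender, value):
    return {"blockNumber": block, "logIndex": idx, "address": token, "data": "0x" + format(value, "064x"),
            "topics": [APPROVAL_TOPIC, pad_topic(owner), pad_topic(spender)]}
SAMPLE_LOGS = [  # deliberately out of order to show the replay sorts by block/log index
    approval(103, 0, TOKEN_B, WALLET, FLAGGED_SPENDER, 0),            # revocation of the 500 below
    approval(100, 0, TOKEN_A, WALLET, FLAGGED_SPENDER, UNLIMITED),    # the dangerous approval
    approval(101, 2, TOKEN_B, WALLET, ROUTER, 1000 * 10**18),         # bounded approval, not flagged
    approval(102, 1, TOKEN_B, WALLET, FLAGGED_SPENDER, 500 * 10**18),
]

if __name__ == "__main__":
    for finding in risky_allowances(SAMPLE_LOGS, WALLET):
        print(finding)
```

Against a live chain the same functions run unchanged over the logs returned by eth_getLogs filtered on APPROVAL_TOPIC and the wallet as the owner topic.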