Key Highlights
- Attackers gained over 50% voting power in TOP’s governance using a very small token supply.
- They used Aragon DAO to create, vote on, and execute a proposal in one transaction, minting 10 billion new TOP tokens.
- About 944.2 WETH (~$1.58M) was drained from a Balancer V1 liquidity pool after swapping the minted tokens.
Token of Power (TOP), a decentralized cryptocurrency on Ethereum, was reportedly exploited for about $1.58 million after an attacker took control of its governance system and used it to drain liquidity from a trading pool.
Blockchain security firm Blockaid flagged the incident and shared details on X. According to the firm, the attacker drained about 944.2 WETH from the TOP/WETH liquidity pool on Balancer V1, while the Balancer protocol itself was not affected.
The exploit was tied to an Aragon DAO misconfiguration, where governance rights were concentrated in a very small token supply of just 16,384 TOP.
How the attack happened
The attacker reportedly managed to collect 8,192.000001 TOP tokens, which is just over half of the total supply. That small edge mattered a lot. In this system, having more than 50% of votes means you can control decisions. Once that line was crossed, the attacker effectively became the decision-maker of the protocol. From there, everything moved very fast.
What makes this hack stand out is how quickly the governance system was used in one single move. The attacker used the Aragon voting system to create a proposal, vote on it, and execute it, all at once. Normally, systems should have delays between these steps. But in this case, there was no waiting time, no safety gap, and no pause for other users to react. Everything happened in one transaction.
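The condition described above can be written as a configuration check that a project runs against its own governance settings. This is an added example, not code from Aragon or the TOP project; the field names, the flag values and the 7200-block delay in the hardened variant are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class GovConfig:
    # Hypothetical field names modelling the properties the article describes.
    total_supply: Decimal        # voting tokens in existence
    support_required: Decimal    # share of total supply that decides a vote
    early_execution: bool        # decided votes may execute before voting ends
    execution_delay_blocks: int  # timelock between passing and execution
    proposals_can_mint: bool     # a passed proposal may mint new tokens


def share_of(cfg: GovConfig, balance: Decimal) -> Decimal:
    return balance / cfg.total_supply


def single_tx_control(cfg: GovConfig, balance: Decimal) -> bool:
    """True if one holder can create, pass and execute a proposal atomically."""
    decides_alone = share_of(cfg, balance) > cfg.support_required
    return decides_alone and cfg.early_execution and cfg.execution_delay_blocks == 0


def audit(cfg: GovConfig, largest_holder: Decimal) -> list[str]:
    """Return findings for a governance setup; an empty list means none."""
    findings = []
    if share_of(cfg, largest_holder) > cfg.support_required:
        findings.append("one holder decides every vote alone")
    if cfg.early_execution and cfg.execution_delay_blocks == 0:
        findings.append("no delay between a decided vote and its execution")
    if single_tx_control(cfg, largest_holder) and cfg.proposals_can_mint:
        findings.append("one holder can mint new supply in a single transaction")
    return findings


# Figures from the article; the flags mirror its description of the setup.
REPORTED = GovConfig(Decimal("16384"), Decimal("0.5"), True, 0, True)
# Constructed hardened variant: the 7200-block delay is an assumed value.
HARDENED = GovConfig(Decimal("16384"), Decimal("0.5"), False, 7200, True)
REPORTED_BALANCE = Decimal("8192.000001")

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, audit(cfg, REPORTED_BALANCE))
```

The hardened variant still reports the concentration finding: a delay gives other holders time to react, but it does not change who holds the majority.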
Minting 10 billion new tokens
Once the proposal passed, it triggered a function called TokenManager. This function minted 10 billion new TOP tokens and sent them directly to the attacker’s contract. This is where the situation became serious.
The attacker then used the newly minted tokens to drain value from the liquidity pool. By swapping the unbacked TOP tokens for legitimate assets on Balancer V1, the attacker extracted approximately 944.2 WETH, worth about $1.585 million.
BlockSec Phalcon confirmed how the attack played out step by step. They also identified that the attacker’s wallet (0xff8e….b39Fa2) was funded through Tornado Cash, which is a platform that hides transactions and makes tracking funds much harder.
The exploit was carried out through a separate contract (0x25c6….729A21), and everything was completed in a single transaction.
Balancer not at fault, governance was
Blockaid confirmed that Balancer had no issue. The liquidity pool merely served as the venue where the attacker exchanged the newly minted tokens for assets with real market value.
In the end, this was not just a technical bug. It was a design weakness. The attacker did not “hack” the system in the traditional sense. They simply followed the rules that were already written, but used them in a way that caused damage. And that is what makes governance attacks so dangerous in DeFi today.
DeFi security concerns continue
The incident is part of a broader trend of governance attacks affecting smaller DeFi projects with limited token supplies and lower liquidity.
Similar incidents have been reported across multiple protocols this year, highlighting the risks associated with concentrated governance structures. Projects including Humanity Protocol and Stake DAO have also disclosed recent exploits involving token minting, administrative controls, and validation mechanisms.
No official statement from the Token of Power team or Aragon had been released at the time of reporting. The Crypto Times has reached out to the team for comment and is awaiting a response.
