Governance Exploit Drains $1.58M From Token of Power Project

Attackers walked away with roughly $1.58 million from the Token of Power ($TOP) token on June 9 after exploiting a governance weakness: rather than a bug in the contracts, they bought enough of the token to pass their own proposal. The theft, first flagged by Cyvers Alerts on Twitter, drained a Balancer V1 liquidity pool and sent the stolen funds through Tornado Cash, making recovery nearly impossible. The incident is the latest in a string of governance attacks targeting smaller DeFi projects this year.

How the Attack Worked

The attacker funded a wallet through Tornado Cash and used it to acquire more than half of the total TOP supply — 16,384 tokens. That gave them over 50% of the voting power in the project’s Aragon DAO setup, which relied on the MiniMeToken standard. MiniMe tokens checkpoint balances by block, and the Aragon Voting app counts voting power from the snapshot taken when a vote is created, so tokens bought beforehand count in full. Because the Voting app also allows a vote to execute early once the “yes” votes alone exceed the support threshold of total voting power (no remaining votes could change the outcome), the attacker was able to create, pass, and execute a single malicious proposal in one transaction.

The proposal instructed the TokenManager contract to mint 10 billion new TOP tokens directly to the attacker’s contract. From there, the attacker swapped those freshly minted tokens for 944.2 WETH (roughly $1.585 million at the time) in the TOP/WETH Balancer V1 pool. Dumping billions of tokens into a weighted pool that held only a few thousand pushes the pool’s price to effectively zero and takes essentially all of the WETH out. Balancer’s core protocol wasn’t affected — only that particular pool.

Aftermath and Recovery

Once the funds were out, the attacker routed the WETH back through Tornado Cash, a mixing service that obscures transaction trails. That move all but guarantees the money won’t be recovered. Security firm BlockSec Phalcon published a detailed breakdown of the exploit and urged any project using similar Lido-style or Aragon governance setups to review three things: voting power distribution (can any single holder exceed the support threshold?), quorum and pass thresholds, and mint permissions (can a passed vote reach the TokenManager’s mint role without a cap?).
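The following is an added example, not code from Token of Power, Aragon, Balancer or BlockSec. It models the takeover described in “How the Attack Worked” (majority snapshot, early execution, mint, dump into a Balancer V1 pool) and implements BlockSec’s three checks as a small audit routine. The pool balances, swap fee, vote thresholds and the 20% quorum policy are constructed assumptions; only the 16,384-token majority, the 10 billion minted tokens and the 944.2 WETH come from the article. The `calc_out_given_in` formula is Balancer V1’s published swap math.

```python
# Added example: toy model of an Aragon/MiniMe governance takeover and the
# governance checks BlockSec recommends. Not the project's own code.
from dataclasses import dataclass

PCT_BASE = 10**18  # Aragon Voting expresses thresholds as fractions of 1e18


@dataclass
class Token:
    """MiniMe-style token: the Voting app reads a per-block snapshot."""
    balances: dict

    def total_supply(self):
        return sum(self.balances.values())

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount


@dataclass
class Voting:
    """Aragon-style vote. A vote can execute early once 'yes' exceeds the
    support threshold of the snapshot supply and the quorum is met."""
    token: Token
    support_required_pct: int   # e.g. 50 * 10**16 == 50%
    min_accept_quorum_pct: int  # e.g. 20 * 10**16 == 20%

    @staticmethod
    def is_value_pct(value, total, pct):
        # Strict comparison, mirroring Aragon's _isValuePct helper.
        return value * PCT_BASE // total > pct

    def can_execute_now(self, voter):
        snapshot = dict(self.token.balances)  # balances at vote creation
        total = sum(snapshot.values())
        yea = snapshot.get(voter, 0)
        return (self.is_value_pct(yea, total, self.support_required_pct)
                and self.is_value_pct(yea, total, self.min_accept_quorum_pct))


def calc_out_given_in(bal_in, w_in, bal_out, w_out, amount_in, swap_fee):
    """Balancer V1 calcOutGivenIn:
    out = bal_out * (1 - (bal_in / (bal_in + in*(1-fee))) ** (w_in / w_out))"""
    adjusted_in = amount_in * (1 - swap_fee)
    y = bal_in / (bal_in + adjusted_in)
    return bal_out * (1 - y ** (w_in / w_out))


def simulate_takeover(attacker_balance=16_384, others_balance=15_616,
                      mint_amount=10**10, pool_top=8_000.0, pool_weth=944.2,
                      swap_fee=0.003):
    """One transaction: create vote, pass it on the snapshot, mint, dump.
    Returns (weth_out, executed). Pool size and fee are constructed."""
    token = Token({"attacker": attacker_balance, "others": others_balance})
    voting = Voting(token, 50 * 10**16, 20 * 10**16)
    # newVote(castVote=True, executeIfDecided=True): fails unless the
    # attacker's snapshot balance alone clears both thresholds.
    if not voting.can_execute_now("attacker"):
        return 0.0, False
    # Vote payload: TokenManager.mint(attacker, mint_amount), uncapped.
    token.mint("attacker", mint_amount)
    # Dump the minted TOP into a 50/50 TOP/WETH Balancer V1 pool.
    weth_out = calc_out_given_in(pool_top, 0.5, pool_weth, 0.5,
                                 mint_amount, swap_fee)
    return weth_out, True


def audit_governance(token, voting, mint_role_holders):
    """BlockSec's three checks as findings. The 20% quorum floor is a
    constructed policy choice, not an Aragon default."""
    findings = []
    top_share = max(token.balances.values()) * PCT_BASE // token.total_supply()
    if top_share > voting.support_required_pct:
        findings.append("single holder exceeds support threshold: "
                        "can create, pass and execute a vote alone")
    if voting.min_accept_quorum_pct < 20 * 10**16:
        findings.append("min accept quorum below 20% of supply")
    if "Voting" in mint_role_holders:
        findings.append("MINT_ROLE reachable through a vote: "
                        "a passing proposal can mint without a cap")
    return findings


if __name__ == "__main__":
    out, ok = simulate_takeover()
    print(f"executed={ok} weth_out={out:.4f} of 944.2")
    t = Token({"attacker": 16_384, "others": 15_616})
    for f in audit_governance(t, Voting(t, 50 * 10**16, 20 * 10**16), {"Voting"}):
        print("FINDING:", f)
```

Running it shows the dump returning all but a fraction of a WETH of the pool’s 944.2, and the audit flagging both the majority holder and the vote-reachable mint role. Dropping the attacker’s balance below the 50% support threshold makes `simulate_takeover` return `(0.0, False)`, which is exactly the property the first of BlockSec’s checks is meant to guarantee.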

The project itself hasn’t issued a public statement on next steps. No losses hit Balancer’s broader ecosystem, and the protocol itself wasn’t compromised.

Broader Patterns in DeFi in 2026

The attack fits a growing pattern in 2026: governance exploits on smaller DeFi projects where low liquidity and lax parameter settings make them easy targets. Attackers don’t need complex code exploits, just enough token supply to push a malicious vote past the threshold. This one used the same basic mechanism seen in earlier Aragon-based attacks, though the specifics of how the MiniMeToken snapshot was used gave it a twist.

BlockSec’s recommendations are straightforward, but many small teams lack the resources to perform the kind of thorough governance audit that might catch these holes. The question hanging over the space is whether the broader community will adopt stricter standards — or wait for the next exploit to make the point.