Governance Flaw Lets Attacker Mint 10 Billion Tokens in $1.58 Million Raid

An attacker exploited a governance misconfiguration in Token of Power's Aragon DAO on Tuesday, minting 10 billion TOP tokens and swapping a fraction of them for 944.2 WETH — worth roughly $1.58 million at current prices.

How the Attack Worked

The attacker targeted the Aragon DAO that governs Token of Power, a relatively obscure project. The misconfiguration allowed them to gain control over the DAO's governance mechanism, essentially taking over the protocol. Once in control, they minted 10 billion TOP tokens out of thin air, then exchanged a small portion of that inflated supply for Wrapped Ether on a decentralized exchange.

Blockaid's Assessment

Security firm Blockaid identified the incident as a governance-takeover attack. In such attacks, the attacker manipulates the voting or permission structure of a DAO to execute privileged actions — in this case, token minting. Blockaid did not name a specific vulnerability in the Aragon framework itself but pointed to a misconfiguration in how Token of Power set up its DAO.

What Happens to the Remaining Tokens

The attacker still holds the vast majority of the 10 billion minted TOP tokens. Those tokens currently have no market value — the project's liquidity pool was drained during the swap. It is unclear whether the attacker will attempt to offload them on another platform or simply abandon them. Token of Power's team has not issued a public statement as of press time.

Risks for Other DAOs

The attack highlights a recurring danger for projects built on Aragon: if the governance parameters are set too permissively, a single malicious proposal can mint tokens, drain treasuries, or change contract owners. DAOs using the framework should audit their permission roles carefully, though the specifics of Tuesday's exploit remain under investigation.

Whether the attacker can be traced through the blockchain transactions, and whether any regulatory action will follow, remain open questions. For now, Token of Power's token holders are left with a supply that was inflated by a factor of billions and no clear next step from the project.