Governance Exploit Drains $1.58M from Token of Power DeFi Protocol


Key takeaways:

  • Low token supply governance tokens face acute takeover risks when lacking timelocks or quorum delays.
  • The TOP exploit signals that DeFi investors must evaluate DAO security configurations as rigorously as smart contracts.
  • Liquidity providers in DAO pools should monitor voting power concentration to prevent similar rapid drains.

The Token of Power (TOP) protocol, a decentralized finance (DeFi) platform built on Ethereum, has been exploited for approximately $1.58 million after an attacker leveraged a governance misconfiguration in its Aragon DAO. According to multiple security firms, the incident highlights the dangers of poorly configured voting parameters for low-supply tokens.

Exploit mechanics

The attacker accumulated just over half of the total TOP supply—8,192.000001 tokens out of 16,384—by acquiring the relatively cheap tokens on the open market. Because the DAO’s Aragon Voting app had no timelock, the attacker was able to create a malicious proposal, vote it through with majority control, and execute it within a single transaction. The proposal minted a large quantity of new TOP tokens to the attacker’s address, which were immediately used to drain a TOP/WETH liquidity pool on Balancer V1, extracting 944.2 WETH (roughly $1.58 million).

Laundering and tracing

Blockchain forensics by PeckShield, Blockaid, and BlockSec revealed that the attacker’s wallet was initially funded through Tornado Cash. After obtaining the WETH, the funds were converted into ordinary ETH and funneled back through the mixing service, complicating recovery. Tornado Cash remains a favored tool for money laundering despite U.S. sanctions since 2022.

Implications

The incident is not a smart contract bug in the traditional sense, but a governance takeover due to a small token supply and the absence of essential safeguards such as timelocks, quorum delays, or proposal cooldowns. TOP holders who had liquidity in the Balancer pool face direct losses, and the protocol’s credibility has been severely damaged. Neither the Token of Power team nor Aragon has issued a public statement as of publication. Security experts warn that similar DAO configurations could be at risk, urging projects to enforce strict access controls and time delays on sensitive functions.
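To make the mechanics and the missing safeguards concrete, here is an added Python model (not code from Token of Power, Aragon or any of the cited firms) of a token-weighted vote with an optional execution delay. It uses the supply and attacker balance reported above and assumes a simplified Aragon-style rule where a vote settles early once "yes" weight alone clears the support threshold; the config values and holder balances are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Figures reported in the article; everything else below is constructed.
TOTAL_SUPPLY = 16_384.0
ATTACKER_BALANCE = 8_192.000001

@dataclass
class VotingConfig:
    support_required: float      # share of total supply that must vote "yes"
    min_accept_quorum: float     # minimum "yes" share of supply for validity
    execution_delay_blocks: int  # timelock between passing and execution; 0 = none
    allow_early_execution: bool  # settle as soon as the outcome cannot change

@dataclass
class Proposal:
    created_block: int
    yes: float = 0.0
    no: float = 0.0
    passed_block: Optional[int] = None

def cast_vote(cfg: VotingConfig, p: Proposal, weight: float, supports: bool, block: int) -> None:
    """Record a vote; with early execution, mark the block the outcome became final."""
    if supports:
        p.yes += weight
    else:
        p.no += weight
    yes_share = p.yes / TOTAL_SUPPLY
    if (cfg.allow_early_execution and p.passed_block is None
            and yes_share > cfg.support_required and yes_share >= cfg.min_accept_quorum):
        p.passed_block = block

def can_execute(cfg: VotingConfig, p: Proposal, block: int) -> bool:
    """Execution is allowed only after the vote passed and the timelock has elapsed."""
    if p.passed_block is None:
        return False
    return block >= p.passed_block + cfg.execution_delay_blocks

def single_tx_takeover(cfg: VotingConfig, attacker_balance: float = ATTACKER_BALANCE,
                       block: int = 100) -> bool:
    """Create, vote and attempt execution in one block, as in the TOP incident."""
    p = Proposal(created_block=block)
    cast_vote(cfg, p, attacker_balance, True, block)
    return can_execute(cfg, p, block)

def largest_holder_share(balances: Dict[str, float]) -> float:
    """Concentration check an LP or monitor can run on current token balances."""
    return max(balances.values()) / sum(balances.values())

if __name__ == "__main__":
    no_delay = VotingConfig(0.5, 0.15, 0, True)
    one_day = VotingConfig(0.5, 0.15, 7_200, True)  # ~1 day of 12 s blocks, constructed
    print("same-block execution, no timelock:", single_tx_takeover(no_delay))
    print("same-block execution, 1-day timelock:", single_tx_takeover(one_day))
```

With the timelock the proposal still passes, but the window between passing and execution is what gives holders and monitors time to react to a minting proposal before the pool is drained.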
