
The $120,000 Spreadsheet Heist: What PeopleDAO’s Google Sheets Breach Teaches About DAO Operational Security

On March 11, 2023, PeopleDAO, the successor organization to the famous ConstitutionDAO, lost 76.5 ETH worth approximately $120,000 in one of the most embarrassing security breaches the decentralized governance space has seen. The attack did not involve sophisticated smart contract exploitation, zero-day vulnerabilities, or advanced cryptographic techniques. Instead, it relied on a publicly shared Google Sheets link and a hidden row in a spreadsheet. The incident serves as a stark reminder that the weakest link in any security chain is often the simplest one, and that DAOs must adopt operational security practices that match the sophistication of their financial operations.

The Threat Landscape

PeopleDAO’s accounting lead accidentally shared an editable link to the organization’s payment spreadsheet in a public Discord channel. An opportunistic attacker noticed the link, accessed the spreadsheet, and inserted a new row containing their own wallet address for a 76.5 ETH payment. They then hid the row so it would not be visible to other viewers of the spreadsheet. When team leads reviewed the spreadsheet to sign off on payments, they did not see the malicious row, and there was no rollup showing total payments or any other mechanism to catch the discrepancy. The transactions were uploaded to a CSV-based asset transfer tool, and the required six out of nine multisig members approved the transaction without noticing the anomaly.

This attack vector falls into a category that security professionals call operational security failures, distinct from technical vulnerabilities. The blockchain infrastructure, smart contracts, and multisig wallet all functioned exactly as designed. The failure was entirely human: inadequate access controls on operational documents, insufficient review processes, and a lack of automated validation checks.

Core Principles

Preventing spreadsheet-based attacks requires DAOs and organizations to adopt several core security principles that should be treated as non-negotiable. First, the principle of least privilege: no operational document containing financial information should ever be shared with edit access in a public channel. Read-only access should be the default for all non-essential personnel, and edit access should be restricted to a small, identified group of authorized operators.

Second, defense in depth: financial workflows should include multiple independent validation steps. The fact that six out of nine multisig signers approved the fraudulent transaction suggests that none of them independently verified the payment details against source records. Multisig approval should never be a rubber stamp. Each signer bears responsibility for verifying the legitimacy of the transaction they are approving.

Third, transparency and auditability: spreadsheets used for financial operations should include automatic rollup totals, protected cells, and audit trails that make any modification visible and traceable. Google Sheets and similar tools offer version history and change tracking features that should be enabled and regularly reviewed.

Tooling and Setup

DAOs managing significant treasuries should move beyond basic spreadsheets for financial operations. Purpose-built DAO treasury management tools offer features like proposal-based payment flows, automatic cross-referencing, and integration with on-chain governance. Open-source tools such as Snapshot for governance voting, Gnosis Safe for multisig operations, and specialized treasury dashboards can replace ad hoc spreadsheet workflows with auditable, tamper-resistant processes.

For organizations that must use spreadsheets, several practical measures can dramatically reduce risk. Enable protected ranges in Google Sheets to prevent unauthorized modifications. Use IMPORTRANGE functions to separate data entry from approval views. Implement conditional formatting that highlights any new rows or changes. Most importantly, create a summary sheet that automatically calculates total payments and flags any discrepancies against budgeted amounts.
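As an added example (not from the article and not PeopleDAO's own tooling), the following Python check is the kind of independent validation step each signer could run against the CSV handed to the transfer tool before approving; the sample CSV, the payee registry, the budget and all addresses are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample of the payment sheet as exported to CSV for the transfer
# tool. A row hidden in the spreadsheet UI is still present in the export, so
# the injected 76.5 ETH line (third data row) appears here even though the
# reviewers never saw it on screen.
PAYMENTS_CSV = """recipient,amount_eth,memo
0x1111111111111111111111111111111111111111,12.5,March contributor grant
0x2222222222222222222222222222222222222222,8.0,Design bounty
0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,76.5,ops
0x3333333333333333333333333333333333333333,5.25,Community call stipend
"""

# Constructed payee registry kept outside the shared sheet (for example in the
# repository holding governance records), so sheet access alone cannot extend it.
APPROVED_PAYEES = {
    "0x1111111111111111111111111111111111111111": "alice",
    "0x2222222222222222222222222222222222222222": "bob",
    "0x3333333333333333333333333333333333333333": "carol",
}


def validate_payments(csv_text, approved, budget_eth, expected_rows):
    """Return (ok, findings, total_eth). Any finding means: do not sign.
    expected_rows is the number of line items the reviewers signed off on;
    a mismatch is the tell-tale sign of a hidden or appended row."""
    findings = []
    total = Decimal("0")
    budget = Decimal(str(budget_eth))
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) != expected_rows:
        findings.append(f"row count {len(rows)} != reviewed count {expected_rows}")
    for n, row in enumerate(rows, start=2):  # sheet row numbers; row 1 is the header
        addr = row["recipient"].strip().lower()
        amount = Decimal(row["amount_eth"])
        total += amount
        if addr not in approved:
            findings.append(f"row {n}: recipient {addr} not in approved payee registry")
    if total > budget:
        findings.append(f"total {total} ETH exceeds approved budget {budget} ETH")
    return not findings, findings, total


if __name__ == "__main__":
    ok, findings, total = validate_payments(PAYMENTS_CSV, APPROVED_PAYEES, "30", 3)
    print("OK" if ok else "BLOCK", f"total {total} ETH", *findings, sep="\n")
```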

Ongoing Vigilance

Security is not a one-time setup but an ongoing practice. PeopleDAO reported the theft to the FBI and FTC and is working with security researchers to track the stolen funds, but prevention would have been far less costly than recovery. Regular security audits should encompass not just smart contract code but also operational processes, access controls, and human workflows.

The timing of the PeopleDAO incident, occurring during the same weekend as the Silicon Valley Bank collapse and the USDC depeg, underscores how chaos creates opportunities for attackers. When teams are distracted by broader market events, operational security discipline tends to slip, making it exactly the moment when attackers are most likely to strike.

Final Takeaway

The PeopleDAO theft demonstrates that billions of dollars in blockchain security infrastructure can be rendered useless by a single shared spreadsheet link. As DAOs grow their treasuries and operational complexity, they must invest in operational security with the same rigor they apply to smart contract audits. The cost of a proper treasury management workflow is negligible compared to the cost of learning this lesson the hard way.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before interacting with any DeFi protocol or DAO.


9 thoughts on “The $120,000 Spreadsheet Heist: What PeopleDAO’s Google Sheets Breach Teaches About DAO Operational Security”

    1. hidden rows in sheets. let that sink in. millions of dollars managed in a tool where anyone with edit access can hide a row

      1. sheet_wizard_

        google sheets for treasury management in 2023. what happened to multisig. what happened to gnosis safe. literally any tool would be better

  1. ConstitutionDAO's successor losing funds via Google Sheets is genuinely embarrassing. you raised millions on-chain and then manage treasury in Docs

  2. devopstrainee

    76.5 ETH stolen because someone shared an editable google sheet in a public discord. not a hack, just terrible opsec. DAOs need actual financial controls not shared spreadsheets

    1. the hidden row trick is embarrassingly simple. no smart contract exploit needed when your treasury ops run on google sheets

  3. 76.5 ETH stolen and it wasn't even a hack in the traditional sense. just a shared spreadsheet with poor access controls
