On March 6, 2023, the PeopleDAO community disclosed a devastating breach of its treasury stored on the Safe (formerly Gnosis Safe) multisig platform, resulting in the loss of approximately $120,000 worth of Ethereum. The attack exploited not a smart contract vulnerability, but rather a fundamental breakdown in operational security — a compromised Google Sheet used to manage community reward distributions.
The Exploit Mechanics
The attack vector was elegantly simple yet devastatingly effective. PeopleDAO maintained a Google Sheet to track monthly contributor rewards, with the accounting lead publishing a link to a Google Form on a Discord channel that was inadvertently left accessible to the public. This form was used to collect Ethereum wallet addresses from community members who had earned rewards for their contributions.
The attacker exploited this publicly accessible form by injecting their own wallet address into the spreadsheet, disguised in a hidden format that made it virtually invisible during casual review. The malicious address was allocated 76 ETH — approximately $120,000 at the time — cleverly embedded within the legitimate list of reward recipients.
When it came time to distribute rewards, the signers exported the spreadsheet as a CSV, loaded it into the Safe platform, and approved the resulting batch transaction. Six of the nine multisig signers failed to detect the hidden malicious address, and the transaction was executed, transferring 76 ETH directly to the attacker’s wallet.
Affected Systems
The breach affected multiple interconnected systems within the PeopleDAO infrastructure. The primary target was the Safe Platform multisig wallet, specifically the Genesis Safe Proxy contract at address 0xdd38609. The attacker’s receiving address was 0x6e5cc01, and the exploit transaction was recorded on-chain at 0x4bd2f69 on the Ethereum mainnet.
Beyond the immediate financial loss, the attack compromised the integrity of PeopleDAO’s entire reward distribution system, affecting trust between the community and its contributors. The PeopleDAO contract at 0xfb8ab4d and the related ConstitutionDAO contract were both implicated in the broader security review that followed.
Bitcoin was trading at approximately $22,430 at the time, while Ethereum hovered around $1,567, underscoring the significant value of the 76 ETH stolen from the treasury.
The Mitigation Strategy
In the aftermath of the breach, PeopleDAO implemented several critical security improvements. Access to all accounting documents and forms was immediately restricted to authorized personnel only, with public-facing collection endpoints disabled entirely. The organization transitioned to a zero-trust policy for all treasury-related operations.
The team reported the incident to both the FBI and FTC for formal investigation and potential fund recovery. On-chain analysis revealed that the stolen funds were deposited into two major exchanges — HitBTC and Binance — which may aid in the recovery process through cooperation with law enforcement.
Additionally, PeopleDAO recommended that Safe improve its user interface to display the gross transaction value prominently, including the total amount of ETH and PEOPLE tokens being transmitted, making it easier for signers to spot anomalies before approving transactions.
Lessons Learned
The PeopleDAO incident serves as a stark reminder that the weakest link in any decentralized organization’s security chain is often not the smart contract code itself, but the human-operated processes surrounding it. Multi-signature wallets are only as secure as the diligence of their signers. When six out of nine signers approve a transaction containing a hidden address, the fundamental assumption of distributed trust is called into question.
The attack highlights the critical importance of separating data collection from transaction execution. Using the same publicly accessible spreadsheet for both collecting wallet addresses and generating batch payment transactions creates an obvious attack surface that any motivated adversary can exploit.
User Action Required
For DAOs and decentralized organizations managing community treasuries, this incident demands immediate operational security review. Implement strict access controls on all data collection tools, ensure that multisig signers independently verify every transaction detail before signing, and consider using dedicated treasury management platforms that provide clear visual summaries of all outgoing transfers. Always adhere to the principle of least privilege and maintain a zero-trust posture for all financial operations.
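The checks described above (a gross-value summary before signing, independent verification of every recipient, and keeping the approved contributor list separate from the public collection form) can be automated as a pre-signing review step that each signer runs on the payout CSV. The following is an added example written for this article; it is not PeopleDAO's process or Safe's own tooling. The `recipient,amount_eth` column layout, the `REGISTRY` of approved contributors, the caps `MAX_BATCH_ETH` and `MAX_PER_RECIPIENT_ETH`, and every address in `SAMPLE_CSV` are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Hypothetical contributor registry (lower-cased address -> handle), maintained
# separately from any public form. Addresses are constructed placeholders.
REGISTRY = {
    "0x1111111111111111111111111111111111111111": "alice",
    "0x2222222222222222222222222222222222222222": "bob",
    "0x3333333333333333333333333333333333333333": "carol",
}

# Treasury-approved ceilings for one monthly distribution (constructed values).
MAX_BATCH_ETH = Decimal("10")
MAX_PER_RECIPIENT_ETH = Decimal("5")

# Constructed payout CSV as a signer might receive it. The third data row carries
# a zero-width space that a casual glance would miss; the fourth is an
# unregistered recipient with an outsized amount, modelled on the incident.
SAMPLE_CSV = (
    "recipient,amount_eth\n"
    "0x1111111111111111111111111111111111111111,1.5\n"
    "0x2222222222222222222222222222222222222222,2.0\n"
    "0x3333333333333333333333333333333333333333\u200b,0.5\n"
    "0x4444444444444444444444444444444444444444,76\n"
)

ADDRESS_RE = re.compile(r"^0x[0-9a-f]{40}$")


@dataclass
class Review:
    rows: int = 0
    gross_eth: Decimal = Decimal("0")
    findings: list[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        # A signer should only approve when the review raised no findings.
        return not self.findings


def review_batch(csv_text: str, registry: dict[str, str],
                 max_batch_eth: Decimal, max_per_recipient_eth: Decimal) -> Review:
    """Independent pre-signing check of a batch payout list.

    Every row must name a registered contributor, amounts are capped per
    recipient and in aggregate, and the gross total is reported so the signer
    sees the real size of the transaction before approving it.
    """
    review = Review()
    seen: set[str] = set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw = row.get("recipient") or ""
        # Anything outside printable ASCII (zero-width or control characters)
        # is a common way to disguise a row, so it is reported explicitly.
        if any(ord(ch) > 126 or ord(ch) < 32 for ch in raw):
            review.findings.append(f"row {line_no}: non-printable characters in recipient")
        addr = "".join(ch for ch in raw if 32 <= ord(ch) <= 126).strip().lower()
        if not ADDRESS_RE.match(addr):
            review.findings.append(f"row {line_no}: malformed address {raw!r}")
            continue
        if addr not in registry:
            review.findings.append(f"row {line_no}: {addr} is not a registered contributor")
        if addr in seen:
            review.findings.append(f"row {line_no}: duplicate recipient {addr}")
        seen.add(addr)
        try:
            amount = Decimal((row.get("amount_eth") or "").strip())
        except InvalidOperation:
            review.findings.append(f"row {line_no}: unparseable amount {row.get('amount_eth')!r}")
            continue
        if amount <= 0:
            review.findings.append(f"row {line_no}: non-positive amount {amount}")
        if amount > max_per_recipient_eth:
            review.findings.append(f"row {line_no}: {amount} ETH exceeds per-recipient cap")
        review.rows += 1
        review.gross_eth += amount
    # The gross value is the number the signer should compare against the
    # approved budget, independent of what the signing UI happens to display.
    if review.gross_eth > max_batch_eth:
        review.findings.append(f"gross {review.gross_eth} ETH exceeds batch cap {max_batch_eth} ETH")
    return review


if __name__ == "__main__":
    result = review_batch(SAMPLE_CSV, REGISTRY, MAX_BATCH_ETH, MAX_PER_RECIPIENT_ETH)
    print(f"rows={result.rows} gross={result.gross_eth} ETH approved={result.approved}")
    for finding in result.findings:
        print(" -", finding)
```

Run on the constructed sample, the review reports a gross value of 80.0 ETH against a 10 ETH budget and refuses approval, naming the unregistered recipient, the over-cap amount, and the disguised character in the third row. The point of the design is that the registry and the caps live with the signers, not in the spreadsheet the form feeds, so an entry injected into the collection side cannot also authorize itself on the execution side.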
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
a google sheet for managing $120K in rewards. you cannot make this up. the opsec gap in DAOs is terrifying
a google sheet for 120k in rewards. this is why DAOs need actual financial ops tools not free SaaS products
a $120K treasury managed through a free google product. DAOs need to stop treating google workspace like enterprise financial infrastructure
76 ETH hidden in a spreadsheet with disguised formatting. attacker knew exactly what they were doing
disguised formatting in a public google sheet. low tech but devastating. state actors use the same technique in corporate espionage
sheet_ghost_ the hidden row trick is classic. seen it used in three other dao incidents. color text on white background, row height set to 0
public discord + public google form = attacker’s dream. least privilege is not a hard concept
^ this is why multisig means nothing if the humans operating it have terrible security practices
public discord channel + public google form = basic opsec failure. the attacker probably spent 10 minutes planning this
10 minutes of planning and 10 minutes of execution. the return on effort for social engineering DAOs is absurd right now