DeFi investors are waking up to a brutal reminder that “decentralized governance” is only as strong as its weakest configuration, as the Token of Power (TOP) protocol was effectively emptied in a daring governance takeover on June 9, 2026. In a single, calculated transaction, an attacker weaponized a majority stake in the project’s low-supply token to mint 10 billion new units out of thin air, draining approximately $1.58 million in Ethereum (WETH) from the protocol’s primary liquidity pool.
By Priya Sharma | June 10, 2026
The Incident
The “Mask of Power” — the atmospheric name for Token of Power’s governance DAO — proved to be a hollow shell yesterday as an unknown actor executed a textbook “governance-as-an-attack-vector” heist. Unlike traditional hacks that rely on complex code vulnerabilities, this incident was a pure exercise in market mechanics and administrative oversight. The attacker spent roughly 662 WETH to quietly accumulate over 8,192 TOP tokens on the open market. Because the total supply of the protocol was a mere 16,384 tokens, this purchase pushed the attacker just past the 50% voting threshold required to pass any proposal they desired.
Once in control, the attacker didn’t wait. They submitted a proposal to mint 10 billion new TOP tokens directly to their own wallet. Because the protocol’s governance system lacked a timelock — a standard safety feature that forces a delay between a vote and its execution — the attacker was able to create the proposal, vote “yes” with their majority stake, and execute the minting command in the very same block. With billions of unbacked tokens now in hand, the exploiter immediately swapped them for 944.2 WETH in a Balancer liquidity pool, leaving regular investors holding a mountain of worthless digital paper.
Technical Post-Mortem
To understand how this happened, we have to look at the “vending machine” logic of the Aragon DAO framework used by the project. In a healthy DeFi protocol, a timelock acts like a “cooling-off period.” If someone proposes a radical change, the community usually has two to seven days to see it coming and withdraw their funds if they disagree. The Token of Power team, however, had misconfigured their Aragon Voting app with a zero-second delay.
This oversight turned the governance system into a weapon. By calling the `TokenManager` contract’s minting function, the attacker bypassed the usual scarcity of the token. It is a stark reminder for retail investors: if a project has a “low float” (meaning very few tokens are actually in circulation), it is far easier for a “whale” or a malicious actor to buy up a majority of the voting power. In this case, the attacker’s net profit was roughly 282 WETH (about $463,000 at current prices) after accounting for the initial cost of buying the tokens. While $1.5 million is a smaller figure compared to the $36 million Humanity Protocol exploit seen earlier this week, the method is arguably more terrifying because the protocol performed exactly as it was programmed to do.
Governance Impact
The immediate fallout for the “Mask of Power” DAO has been total paralysis. The project’s Discord and social channels have been flooded with angry investors, but the hard truth is that the DAO worked as designed — it simply followed the will of the majority token holder. This highlights a growing crisis in DeFi governance: the “one token, one vote” model is increasingly vulnerable to hostile takeovers when token prices are low or supply is concentrated.
Security firms including PeckShield and Blockaid have noted that the attacker’s wallet was initially funded via Tornado Cash, a privacy tool that obscures the source of funds. Following the theft, the stolen 944.2 WETH was promptly sent back into the mixer, making recovery of the funds nearly impossible. For the remaining TOP token holders, the “governance” they thought protected them actually facilitated their losses, as the massive dilution from 10 billion new tokens has effectively destroyed any remaining market value for the original 16,384 tokens.
TVL Shifts
The impact on Total Value Locked (TVL) was swift and surgical. Before the attack, the TOP/WETH pool on Balancer was the primary source of liquidity for the project. By swapping 10 billion tokens into a pool that only held a few hundred Ethereum, the attacker “slipped” the price so severely that the pool was drained of almost every available WETH. For a regular investor, this means that even if you still hold your tokens, there is no longer a “store” (liquidity pool) willing to buy them back from you at a fair price.
- Total WETH Drained: 944.2 WETH
- Ethereum Price Today: $1,643
- Estimated Loss: $1.58 Million
- Protocol Status: Liquidity depleted; governance compromised
We are seeing a broader trend this week where capital is fleeing “experimental” DeFi protocols in favor of established giants with battle-tested timelocks and multi-signature security. The Humanity Protocol hack and this Token of Power coup have combined to create a “risk-off” environment, with investors pulling millions from smaller Layer 2 projects and moving them back to Ethereum mainnet or stablecoins.
Long-Term Prognosis
Is there a future for the Token of Power? It seems unlikely without a complete “hard fork” or a restart of the entire ecosystem. For the broader DeFi market, however, this is a pivotal teaching moment. If you are investing in a protocol that uses governance tokens, you must check for two things: supply distribution and timelocks. If a project has a “low-float” supply where a single person can buy 50% of the votes for a few hundred thousand dollars, your investment is at the mercy of that person’s whims.
Expect to see a new wave of governance standards emerging in the wake of this “June Reckoning.” Experts are already calling for “Optimistic Governance,” where proposals are automatically delayed by several days to allow for security reviews. For now, the 1.5 million dollar lesson is clear: in the world of DeFi, power doesn’t just come from the code — it comes from who holds the keys to the vote. If you aren’t checking the timelock, you’re essentially handing your wallet to whoever decides to buy the most tokens today.
The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.
zero second timelock on a dao with 16k total supply. this wasnt a hack it was an invitation
16k supply and zero timelock is basically a bug bounty with the wrong payout structure. feel bad for anyone who aped into TOP thinking the dao meant anything
Spent 662 WETH to make 944 WETH. Clean 282 ETH profit for exploiting a misconfigured Aragon app. Hard to believe nobody audited this before launch.
^ the scary part is how many other small-cap DAOs are running the exact same Aragon config right now
282 ETH profit for spending an afternoon reading aragon docs. insane roi on literally just reading the config
10 billion tokens minted in a single block. If your governance has no delay and no supply cap, you do not have governance. You have a vending machine.
vending machine is exactly right lmao. and the worst part is the team will probably call it a learning experience in their post-mortem