Web3 CFO's Hacks

PeopleDAO's Crypto Payroll Hacked for 76.5 ETH | Prevention Tips

Learn how PeopleDAO lost 76.5 ETH to a crypto payroll hack due to spreadsheet vulnerabilities. Discover how to prevent similar incidents with secure crypto payroll automation.

March 27, 2023

Many DAOs, and Web3 teams today manage their crypto payroll using Google Sheets. But this is a ticking time bomb, waiting to be exploited by hackers.

In this article, we’ll explain the dangers of using spreadsheets to manage crypto payroll, analyzing the case study of how PeopleDAO was hacked for 76.5 ETH.

We also highlight how Web3 CFOs, and DAO treasury managers can use Request Finance to secure and automate their crypto payroll processes in a non-custodial way, using multi-sig wallets like Gnosis Safe.

The dangers of using Google Sheets for crypto payroll

Many DAOs, and companies that manage their payroll in crypto rely on Google Sheets, or Excel. Spreadsheets and .csv files are also commonly used by many teams to manage airdrops, and other crypto payouts to whitelisted token sale investors, or DAO contributors.

At first glance, it seems like the natural thing to do. Google Sheets are cloud-based collaborative spreadsheets. This allows decentralized teams to collaboratively manage a contact book of DAO contributors, or employees and their crypto wallet addresses.

When the time comes to process crypto payroll payouts, or airdrops - DAO treasury managers, or finance and operations teams will copy and paste the wallet addresses from this spreadsheet, or upload a .csv file of wallet addresses into a multi-sig wallet like Gnosis Safe.

The quorum of authorized signers then approves the transaction, which triggers the payouts to the crypto wallet addresses.

But this process is incredibly vulnerable for three reasons:

Firstly, anyone with edit permission can inject malicious data into the Google Sheet, or .csv file. A hacker could simply edit the column containing the wallet addresses to insert a different wallet address. Alternatively, a hacker can simply add another row with their own wallet address to the Sheet. They could either fake the beneficiary data and hope that no one will notice, or simply hide the row.

Secondly, this injection of malicious data into a spreadsheet is also difficult to spot. Crypto wallet addresses are long hexadecimal strings that are difficult to distinguish visually. Furthermore, wallet addresses are pseudonymous, and not inherently tied to a human-readable name. 

Lastly, in cases where crypto teams rely on downloaded .csv files, or offline Excel spreadsheets to manage their crypto payroll, there is the added problem of version control. This makes corrupted data even harder to spot - whether as a result of a data breach, internal fraud, or mere negligence.

Managing crypto payroll via spreadsheets is a ticking time bomb for DAO treasury managers, and Web3 CFOs, waiting to be exploited by hackers.

In fact, that’s exactly what happened to PeopleDAO in March 2023. 

Learn how to scale your crypto company's spending with our all-in-one account

Your financial complexities are our specialties. Schedule your free consultation today and discover how Request Finance can transform your financial operations

We simplified crypto spending management

Rely on a secure, hassle-free process to manage your crypto invoices, expenses & payroll.

How PeopleDAO lost 76.5 ETH earmarked for payroll

PeopleDAO, a group formed to buy a copy of the U.S. Constitution had their Community Treasury on Gnosis Safe, drained of 76.5 ETH ($120,000) to a hack in March 2023. The hack targeted the DAO’s monthly contributor payout form on Google Sheets.

The DAO collects monthly contributor reward information via Google Sheets, which was mistakenly shared with edit access in a public Discord channel. The hacker gained edit access to the spreadsheet via the link.

After gaining the access, the hacker inserted a 76 ETH payment to himself in the sheet. To cover his tracks, the hacker set the row to be invisible (the missing 80th row below).

Because the malicious data injected into the spreadsheet was hidden, neither the team leads, nor the DAO’s multi-sig wallet signers were able to spot the corrupted data

The corrupted .csv file was downloaded from Google Sheets, and uploaded to their DAO’s Gnosis Safe walletvia the CSV Airdrop tool to disburse the crypto payouts.

Given the long list of wallet addresses to be paid, 6 out of 9 multisig signers did not notice the malicious transfer, signed and executed the transaction, sending 76 ETH to the hacker's address.

Look at the image below - would you have been able to spot the erroneous entry in time?

How to securely automate crypto payroll 

Processing payments like crypto payroll using spreadsheets creates an attack vector that allows malicious actors to inject themselves as beneficiaries. As the PeopleDAO hack showed - this can have devastating consequences for crypto treasuries.

But with the right tools like Request Finance, DAO treasury managers  and Web3 CFOs can securely automate their crypto payroll processing.

For starters, in Request Finance’s crypto payroll application, all employees’ billing information like names, roles, and wallet addresses are uploaded by an admin manager. This cannot be changed by other team members, or external parties whose roles do not grant them edit access.

Additionally, beneficiaries wallet addresses are stored in a contact database, and correlated to names, and email addresses. This makes it easy to identify duplicate entries, or non-existent team members. It would have been difficult to inject a bare wallet address, and if it were done, the anomaly would be spotted easily.

Also in the app, finance and operations teams must review and click the “approve” button for each payout claim - a crypto payroll, expense, or invoice. Only “approved” payment requests can be paid.

This enforces the practice of having teams to review each and every single claim item.



All approved payout claims are displayed in a human readable format. This makes it easy to review prior to being sent to a wallet for signing.

These are just some features in Request Finance that are designed to prevent phishing attacks that can compromise Web3 companies, and DAOs crypto payroll processes.

Concluding thoughts

When people talk about security in decentralized finance (DeFi), the spotlight is typically on more sophisticated attack vectors. These include smart contract vulnerabilities, corrupted oracles, bridges, or blockchain network security. 

But sometimes the simplest attack vectors can also be equally devastating. 

We’ve covered how even large companies like Amazon and Google have lost hundreds of millions of dollars to fake invoices - and how Request Finance helps prevent crypto invoice fraud

The PeopleDAO hack highlights how the common practice of using Excel spreadsheets, or Google Sheets to manage crypto payroll is a critical vulnerability for DAOs, and companies that pay their employees, contractors, and contributors in crypto.

However, with tools like Request Finance, DAO treasury managers, and Web3 CFOs can automate their crypto payroll processes without sacrificing good governance and data security.

Ivan

Content Lead

Crypto finance tips straight to your inbox

We'll email you 1/week with quality items to help you handle your crypto company's spending.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Master your crypto spend management now

Focus on what matters while relying on our safe & trustless process to manage your crypto spend management.

Request logo