Token of Power Hack 2026 — $11M Exploit Analysis

Flash loan governance attack drained $11M treasury through malicious proposal

Details

Full Description

On June 11, 2026, Token of Power suffered an $11 million governance attack. The attacker used a flash loan to temporarily acquire a majority of voting power in the DAO, then submitted and passed a malicious proposal to transfer the entire treasury to their control. The proposal executed automatically through the governance timelock, draining approximately $11 million in ETH and governance tokens. The attacker repaid the flash loan within the same transaction, leaving the protocol with no treasury and no way to reverse the action.

Laundering Analysis

The stolen treasury funds were immediately split across 20+ wallets. ETH portions were deposited into Tornado Cash and Railgun. Governance tokens were swapped for ETH through decentralized exchanges before mixing. The attacker demonstrated sophisticated knowledge of governance mechanics and flash loan infrastructure. No funds have been recovered.

Sources

Back to Browse