Token of Power ($TOP) lost $1.58 million today in a governance exploit that drained a Balancer V1 pool, blockchain security firms reported. The attacker acquired over 50% of $TOP voting power due to the token's limited supply of 16,384 units, then minted 10 billion new tokens in a single malicious proposal executed through an Aragon DAO setup. The exploit adds to a pattern of governance attacks on low-cap DeFi projects in 2026, where minimal liquidity and lax parameters make takeovers affordable.
Attacker Minted 10 Billion Tokens Through Aragon DAO Proposal
An address funded through Tornado Cash acquired over 50% of $TOP voting power, holding more than half of the 16,384 total TOP supply. Using an Aragon DAO setup with MiniMeToken, the attacker created, voted on, and executed a malicious proposal in a single transaction. This triggered the TokenManager to mint 10 billion TOP directly to the attacker's contract. The newly created tokens were then swapped for 944.2 WETH (approximately $1.585 million) in the TOP/WETH Balancer V1 pool, depleting its liquidity. The stolen funds were routed back through Tornado Cash. No losses occurred to Balancer's core protocol.
BlockSec Phalcon Urged Reviews of Similar Governance Systems
BlockSec Phalcon detailed the mechanics and issued a warning: "Projects using similar Lido/Aragon governance implementations should carefully review their voting power distribution, quorum/pass thresholds, mint permissions, and related governance safeguards." Cyvers Alerts also reported the suspicious transaction, in which the Tornado Cash-funded address drained funds from the TOP/WETH Balancer V1 pool.
Exploit Highlights Ongoing Risks in Low-Cap DeFi Governance
This exploit adds to 2026's pattern of governance attacks on smaller DeFi projects, where low liquidity and lax parameters make takeovers affordable. While major protocols have strengthened defenses with timelocks and higher quorums, many emerging tokens remain exposed. Investors in low-cap tokens and liquidity providers should verify governance parameters, monitor large token accumulations, and avoid unvetted pools. Projects on similar stacks will likely face increased scrutiny and calls for upgrades.
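The review items named above (voting power distribution, quorum/pass thresholds, mint permissions, execution delay) can be checked against a holder snapshot; the following is an added example, not code from BlockSec, Aragon or the affected project. The `GovConfig` field names, the balances and both configurations are hypothetical, and the model assumes a holder whose balance exceeds both thresholds as a share of total supply can pass a vote alone.

```python
from dataclasses import dataclass

@dataclass
class GovConfig:                 # hypothetical field names, not a real contract API
    support_pct: float           # yes-share needed for a proposal to pass
    quorum_pct: float            # yes-share of total supply needed to pass
    early_execution: bool        # executable as soon as the outcome is decided
    timelock_seconds: int        # delay between passing and execution
    vote_can_mint: bool          # a passed vote can reach an uncapped mint

def audit(cfg: GovConfig, balances: dict[str, int]) -> dict:
    """Flag the conditions under which one holder can pass and execute a mint."""
    supply = sum(balances.values())
    # Units of supply that pass a vote no matter how others vote (assumed model).
    decisive = max(cfg.support_pct, cfg.quorum_pct) / 100 * supply
    ranked = sorted(balances.values(), reverse=True)
    # Fewest holders whose combined balance exceeds the decisive amount.
    running, holders_needed = 0, 0
    for bal in ranked:
        running += bal
        holders_needed += 1
        if running > decisive:
            break
    findings = []
    if ranked[0] > decisive:
        findings.append("SINGLE_HOLDER_CONTROL")
    if cfg.early_execution and cfg.timelock_seconds == 0:
        findings.append("SAME_TX_CREATE_VOTE_EXECUTE")
    if cfg.vote_can_mint:
        findings.append("UNCAPPED_MINT_VIA_VOTE")
    return {"supply": supply, "decisive_units": decisive,
            "holders_needed": holders_needed, "findings": findings}

# Constructed snapshot: the total matches the 16,384 supply in the article;
# the individual balances and both configs are invented for illustration.
BALANCES = {"holder_a": 8500, "holder_b": 4000, "holder_c": 2884, "holder_d": 1000}
WEAK = GovConfig(50, 15, early_execution=True, timelock_seconds=0, vote_can_mint=True)
HARDENED = GovConfig(50, 15, early_execution=False, timelock_seconds=172800,
                     vote_can_mint=False)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, BALANCES))
```

The hardened configuration still reports `SINGLE_HOLDER_CONTROL`: a timelock and a removed mint path limit what a majority holder can do and how fast, but they do not change the distribution itself.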
FAQ
How did the attacker take control of Token of Power governance?
The attacker funded an address through Tornado Cash and acquired over 50% of $TOP voting power due to the token's limited supply of 16,384 units. Using an Aragon DAO setup with MiniMeToken, they created, voted on, and executed a malicious proposal in a single transaction, triggering the TokenManager to mint 10 billion TOP tokens directly to their contract.
What happened to the stolen funds from the Token of Power exploit?
The attacker swapped the newly minted 10 billion TOP tokens for 944.2 WETH (approximately $1.585 million) in the TOP/WETH Balancer V1 pool, then routed the stolen funds back through Tornado Cash. No losses occurred to Balancer's core protocol.