$1.58M Drained From Token of Power in Governance Exploit
$1.58 Million Drained From Token of Power – Governance Takeover Exposes Weak DeFi Voting Safeguards
Key Takeaways
- An attacker exploited governance controls of Token of Power (TOP) and drained approximately $1.58 million.
- The attacker gained over 50 percent of voting power and executed a malicious proposal in a single transaction.
- 10 billion TOP tokens were minted and swapped for 944.2 WETH in a Balancer V1 pool.
- Funds were routed through Tornado Cash, complicating potential recovery efforts.
- No losses were reported to Balancer’s core protocol.
Governance Takeover Enabled by Concentrated Voting Power
Blockchain security firms reported that Token of Power (TOP), a low-capitalization token, suffered a governance exploit that resulted in losses of about $1.58 million. According to alerts published on June 9, 2026, the attacker acquired more than half of the token’s voting power before executing a malicious governance proposal.
The address used in the attack was funded through Tornado Cash. Due to TOP’s limited total supply of 16,384 tokens and its relatively low valuation, the attacker was able to accumulate more than 50 percent of the voting power. This majority stake enabled full control over governance decisions within the project’s Aragon DAO framework, which used the MiniMeToken standard.
With this voting majority, the attacker created, voted on, and executed a proposal within a single transaction. This proposal triggered the TokenManager contract to mint 10 billion new TOP tokens directly to a contract controlled by the attacker.
Minted Tokens Swapped for WETH on Balancer V1
After minting the new tokens, the attacker immediately exchanged them for 944.2 WETH in the TOP/WETH Balancer V1 liquidity pool. The transaction drained the pool’s liquidity, resulting in losses estimated at approximately $1.585 million.
Security monitoring account Cyvers Alerts flagged the suspicious transaction and identified the Tornado Cash-funded address as the origin of the exploit. The stolen assets were subsequently routed back through Tornado Cash, a move that makes tracing and recovery more difficult.
Importantly, no losses were reported at the level of Balancer’s core protocol. The impact was limited to the specific liquidity pool that contained TOP and WETH.
Technical Structure of the Exploit
BlockSec Phalcon provided further technical details on how the exploit unfolded. The governance system was based on an Aragon DAO setup combined with the MiniMeToken model. Because governance power was directly tied to token holdings and the overall supply was small, accumulating a majority stake was feasible.
Once the attacker controlled more than half of the voting power, no other participant in the DAO could effectively oppose them. The governance framework allowed the same address to submit and execute a proposal, with no delay mechanism that might otherwise have provided time for intervention.
The malicious proposal granted minting rights, enabling the creation of 10 billion new TOP tokens. These tokens had no pre-existing market demand at that scale but were sufficient to extract liquidity from the Balancer V1 pool once swapped for WETH.
BlockSec Phalcon advised projects using similar Lido or Aragon governance implementations to review voting power distribution, quorum and pass thresholds, mint permissions, and other governance safeguards.
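The review items listed above can be run as a repeatable check. The following is an added example, not code from the article or from any project it names: the field names, holder balances and the $40 token price are constructed for illustration, while the 16,384 supply and the roughly $1.585 million pool value are the article's figures.

```python
from dataclasses import dataclass

@dataclass
class GovConfig:                # hypothetical model of a token-weighted DAO
    total_supply: float         # voting tokens in existence
    balances: dict              # holder -> voting tokens held
    support_pct: float          # pass threshold, percent
    quorum_pct: float           # minimum yes share of total supply, percent
    execution_delay_s: int      # timelock between approval and execution
    governance_can_mint: bool   # a passed vote can reach the mint function
    token_price_usd: float
    pool_liquidity_usd: float   # paired assets exposed to newly minted tokens

def control_stake(cfg):
    """Tokens needed to pass a vote even if every other holder votes no."""
    return max(cfg.support_pct, cfg.quorum_pct) / 100 * cfg.total_supply

def holders_needed(cfg):
    """Fewest top holders whose combined stake exceeds the control stake."""
    held = 0.0
    for count, bal in enumerate(sorted(cfg.balances.values(), reverse=True), 1):
        held += bal
        if held > control_stake(cfg):
            return count
    return None

def audit(cfg):
    findings = []
    if holders_needed(cfg) == 1:
        findings.append("SINGLE_HOLDER_MAJORITY")
    if cfg.execution_delay_s == 0:
        findings.append("NO_EXECUTION_DELAY")
    if cfg.governance_can_mint:
        findings.append("GOVERNANCE_CAN_MINT")
    # Spot-price value of a controlling stake; ignores slippage, so a lower bound.
    stake_usd = control_stake(cfg) * cfg.token_price_usd
    if cfg.governance_can_mint and stake_usd < cfg.pool_liquidity_usd:
        findings.append("CONTROL_CHEAPER_THAN_LIQUIDITY")
    return findings

# Constructed configurations: one mirroring the weaknesses described, one hardened.
WEAK = GovConfig(16_384, {"a": 9_000, "b": 4_000, "c": 3_384},
                 50, 5, 0, True, 40.0, 1_585_000)
HARDENED = GovConfig(16_384, {"a": 3_000, "b": 3_000, "c": 3_000, "d": 3_000,
                              "e": 2_384, "f": 2_000},
                     60, 20, 172_800, False, 40.0, 1_585_000)
```
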
Part of a Broader Pattern of Governance Attacks in 2026
The exploit adds to what security observers describe as a pattern of governance attacks in 2026, particularly affecting smaller DeFi projects. Low liquidity, limited token supply, and governance parameters with low quorum or threshold requirements can make takeovers economically viable.
While larger protocols have implemented stronger defensive measures such as higher quorums and timelocks, smaller or emerging tokens may still rely on governance setups that allow rapid proposal execution once a majority stake is obtained.
In this case, the combination of concentrated voting power, minting permissions, and immediate execution enabled the attacker to convert governance control directly into extractable liquidity.
Implications for Token Holders and Liquidity Providers
For token holders and liquidity providers, the incident highlights the operational risks tied to governance design. When governance tokens have low circulating supply and limited distribution, a single actor can potentially gain majority control without triggering automatic safeguards.
Liquidity providers in unvetted pools face additional exposure. Once newly minted tokens were swapped into the TOP/WETH pool, available liquidity was effectively depleted. Although Balancer’s core infrastructure was not affected, participants in the specific pool absorbed the loss.
The use of Tornado Cash to fund the attacking address and to route stolen funds afterward further complicates response measures. Transactions processed through such mixers reduce traceability and can delay recovery efforts.
Our Assessment
The $1.58 million loss at Token of Power resulted from a governance takeover that allowed an attacker to mint 10 billion tokens and drain a Balancer V1 liquidity pool. The exploit was enabled by concentrated voting power, permissive governance parameters, and immediate execution rights within an Aragon DAO framework. According to security firms, similar setups should review voting thresholds, mint permissions, and distribution of governance power to reduce comparable risks. The incident forms part of a series of governance-related exploits affecting smaller DeFi projects in 2026, while Balancer’s core protocol remained unaffected.
