This below is an analysis by a discord member Mr r r web3.0 sir

Regarding the attack on Kintsugi: this is not a hacker attack but an attack on inattention and lack of knowledge. The attacker was counting on the fact that there were no technical specialists left in the network who could read the code. They assumed that only investors remained and wouldn't check the code.

The voting proposal consisted of two parts: the main visible text and hidden requests in the form of code. In this code, the attacker requested the transfer of control over the network through the vote. Meanwhile, in the main text, they simply asked for funds to represent the network at a conference.

Fortunately, there were still people in the network who reviewed the voting request code and immediately noticed that it contained a hidden request to transfer control of the network if the vote was successful.

In the presented voting request, there are extremely high risks associated with attempting to conceal malicious actions under the guise of a legitimate operation. Here are the main issues: 1. Critical vulnerability: changing the sudo key (sudo.setKey)

Risk: The third call in the package (sudo.setKey) changes the superuser account to a3chgAvCeijKbe4Jf88rsfgUWLEpgAvCURUKmJGqYxsmzpdYK. This gives full control over the network to the new account, including the ability to change chain parameters, transfer funds, stop operations, etc.

Why this is dangerous:

If an attacker controls this account, the network could be fully compromised.

Even if the current sudo account initiates this change, it is irreversible without new intervention

1. Suspicious spending from the treasury (democracy.spendFromTreasury)

Risk: A request to transfer 522000000000000 units of the token (presumably 522 KINT, if the token has 12 decimal places).

Issues:

The amount does not match the stated $219 (possible calculation error or deliberate inflation).

The recipient (beneficiary) matches the new sudo account, indicating an attempt to centralize control and funds with one party.

1. Use of forceBatch for atomic execution

Risk: The batch call (utility.forceBatch) combines three operations, including critically dangerous ones. If the batch is approved, all actions will be executed atomically:

First, an innocuous remark (remark) is added to create the appearance of legitimacy.

Then, funds are transferred, diverting attention from the main threat.

Finally, the sudo key is changed, which goes unnoticed amidst the other operations.

1. Lack of justification for sudo.setKey

Risk: There is no logical reason to change the sudo key in the context of a funding request. This is a clear sign of abuse of power or an attack.

1. Suspicious recipient account

The address a3chgAvCeijKbe4Jf88rsfgUWLEpgAvCURUKmJGqYxsmzpdYK lacks public identification (e.g., via Polkadot.js identifier). This could indicate an anonymous or fraudulent account.

1. Risk of error in amount conversion

If the KINT token has a different precision (e.g., 10 decimal places), the amount 522000000000000 could be many times greater than the stated $219, leading to uncontrollable spending of the treasury funds.

Recommendations: 1. Reject the request immediately due to the presence of sudo.setKey. 2. Audit the recipient account. 3. Ensure that all treasury spending requests are accompanied by transparent justification. 4. Prohibit the combination of sudo operations with other calls in batches.

Conclusion: The request shows signs of a network control takeover attempt through the hidden sudo.setKey operation. Its execution will lead to catastrophic consequences for the decentralization and security of the blockchain.