The attack transaction:
The attack smart contract is an open source one.
Step 1: 0x054e sends a transaction to grant the admin role to 0x0eba of the wallet (0x41b8).
Then 0x0eba grants the “DAO contracts” role to 0x1c93.
At last, the 0x1c93 (XXX) invoke the function withdrawFromUser to transfer the money to the XXX contract.
Interesting, the victim 0x41b8 is created by 0x054e.
In summary, 0x054e creates the victim 0x41b8 wallet. Then 0x054e grants the admin role to 0x0eba, who further grants the “DAO Contracts” role to 0x1c93. At last 0x1c93 withdraws the money from the victim.