Automated DeFi protocol Gelato Network is striking an apologetic tone after many community members were shut out of its token sale by someone who somehow managed to hack the system and buy about a third of the circulating supply for a huge profit.

The project had set aside US$3 million in tokens for “whales,” who could purchase from US$5,000 to US$20,000 in GEL tokens, but would have to wait six months to claim most of them.

Another US$2 million was reserved for “dolphins,” who could buy between US$1,000 and US$4,000 in GEL, but would get them immediately.

Those who wanted to participate in Tuesday’s token sale had to undergo know-your-customer (KYC) verification and have their Ethereum addresses whitelisted.

The whale pool sold out in five minutes and “everything went as planned,” but a small group launched a “coordinated snipe” on the dolphin pool, despite the KYC system.

“Since hundreds of individual transactions were clearly sent in bulk with the same gas price, there is hardly any doubt that some entities were in control of hundreds of KYC verified Dolphin addresses and ran a script to front-run everybody else,” Gelato said.

A look at Etherscan suggests that 510 wallets managed to buy from the dolphin pool, and 270 of the transactions were for 1.17 Ether using a whopping gas fee of 0.521 ETH.

That individual or team managed to buy 305 Ethereum worth of the US$2 million dolphin pool – roughly half of it. They would have paid another 140 Ethereum (US$500,000) in gas.

Another 253 addresses bought 281 Ethereum from the dolphin pool in varying, less suspicious amounts.
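
The pattern described above, many whitelisted addresses sending the same amount with the same gas fee, can be checked mechanically on a sale's transaction list. The following is an added example, not code from Gelato or the original article: it groups purchases by their (amount, gas fee) pair and flags pairs shared by many distinct addresses. The rows, the address names and the `min_senders` threshold are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows (sender, ETH sent, ETH paid in gas); not real chain data.
# The 1.17 / 0.521 pair is the one the article quotes from Etherscan.
SAMPLE_TXS = (
    [(f"0xbulk{i:02d}", "1.17", "0.521") for i in range(6)]
    + [("0xaaa1", "0.90", "0.034"), ("0xaaa2", "1.05", "0.112"),
       ("0xaaa3", "1.17", "0.087"), ("0xaaa4", "0.62", "0.034")]
)

def find_bulk_clusters(txs, min_senders=5):
    """Group purchases by (value, gas fee) fingerprint and return the groups
    shared by at least `min_senders` distinct addresses, largest first."""
    groups = defaultdict(list)
    for sender, value, fee in txs:
        # Decimal avoids float drift when matching "identical" amounts.
        groups[(Decimal(value), Decimal(fee))].append(sender.lower())
    total_value = sum(Decimal(value) for _, value, _ in txs)
    clusters = []
    for (value, fee), senders in groups.items():
        distinct = sorted(set(senders))
        if len(distinct) < min_senders:
            continue  # a shared fingerprint among a few buyers is normal
        bought = value * len(senders)
        clusters.append({
            "value_eth": value,
            "fee_eth": fee,
            "tx_count": len(senders),
            "senders": distinct,
            "bought_eth": bought,
            "gas_eth": fee * len(senders),
            # Fraction of all ETH spent in the sale that this cluster accounts for.
            "share_of_sale": (bought / total_value).quantize(Decimal("0.001")),
        })
    return sorted(clusters, key=lambda c: c["tx_count"], reverse=True)

if __name__ == "__main__":
    for c in find_bulk_clusters(SAMPLE_TXS):
        print(f'{c["tx_count"]} txs from {len(c["senders"])} addresses, '
              f'{c["value_eth"]} ETH each at {c["fee_eth"]} ETH gas: '
              f'{c["bought_eth"]} ETH bought, {c["gas_eth"]} ETH gas, '
              f'{c["share_of_sale"]} of sale volume')
```

Matching on the amount alone would also pull in the constructed `0xaaa3` buyer, who sent 1.17 ETH at an ordinary fee; requiring the gas fee to match as well is what isolates the bulk-submitted set.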

About 2,638 users were shut out from the sale and had their transactions reverted – although they would be out Ether in gas fees.

“Unfortunately, it’s clear now that conventional KYC measures are no silver bullet against Sybil attacks and greedy individuals trying to work their way around these measures that were put in place to link one real participating address to one real participating human,” Gelato said.

It isn’t clear how the sniper was able to get ahold of so many different identities, as they all had to pass liveness “selfie checks,” uploading identity cards and a proof of residence, Gelato said.

“It could be that they literally paid hundreds of people to get themselves KYCed and then asked them to hand over control over their KYCed email accounts and Dolphin addresses to them,” Gelato wrote.

“It makes us really sad that so many good and honest community members were not able to participate in the Dolphin Pool because of this.”

The open letter stopped short of an apology, and some community members were still indignant.

The sniper, whoever he or she was, likely made a killing on the token offering, despite paying half a million dollars in gas fees.

Coins were sold at US29c during the IEO and began trading on Wednesday at US$1.67.

They reached as much as US$2.70 yesterday and were changing hands at US$2.30 at 6pm AEST.

Assuming the sniper managed to buy roughly 3.5 million tokens — about a third of the circulating supply of 9.7 million, according to Coingecko — their haul would have a paper value of roughly US$8 million, and costs of about US$1.5 million.

The Gelato protocol lets users automate smart contract executions on Ethereum, allowing for such things as limit orders.