BadgerDAO has suffered a major attack, with losses estimated at over $120 million.
Key Takeaways
BadgerDAO has suffered a major frontend attack.
The hacker reportedly compromised Badger’s user interface by inserting a malicious script that prompted users to give the hacker permission to spend their funds.
Smart contract auditing firm Peckshield has estimated the value of the stolen funds at around $120 million.
BadgerDAO, a DeFi protocol for earning yield with tokenized Bitcoin on Ethereum, has fallen victim to an attack. The hacker reportedly added a malicious script to the protocol’s frontend website, prompting users to approve a smart contract transaction giving the script unlimited permission to drain funds from their wallets.
BadgerDAO Suffers Frontend Attack
BadgerDAO, a DeFi protocol with over 30,000 active users and $1.2 billion in total value locked, has been exploited.
The attack occurred early Wednesday. Soon after, many affected users reported suspicious outgoing transactions from their wallets.
It’s suspected that the attacker exploited the protocol’s frontend website rather than its smart contracts. The hacker allegedly inserted a malicious script on Badger’s website that presented users with a transaction to “increase allowance,” which gave the attacker unlimited permission to drain the funds users had deposited in the vaults if they approved the transaction.
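As an added illustration of the approval pattern described above (not code from BadgerDAO or from this article), the following wallet-side check decodes an ERC-20 `approve` or `increaseAllowance` call and flags an allowance that is unlimited, larger than the user's balance, or granted to a spender outside the protocol's known contracts; the vault address list and the sample calldata are constructed placeholders.

```javascript
// Added example, not BadgerDAO code: inspect an ERC-20 approval transaction
// before it is signed and flag an allowance granted to an unknown spender or
// one far larger than the user's balance (the "increase allowance" prompt above).
// Selectors are the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "39509351": "increaseAllowance", // increaseAllowance(address,uint256)
};
const UINT256_MAX = (1n << 256n) - 1n;

// Parse calldata into { method, spender, amount }; null if not an approval call.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method || hex.length < 8 + 64 + 64) return null;
  // Each ABI argument is a 32-byte word; an address occupies the low 20 bytes.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const amount = BigInt("0x" + hex.slice(8 + 64, 8 + 128));
  return { method, spender, amount };
}

// trustedSpenders: the protocol's known vault/contract addresses (assumed
// allowlist); balance: the user's token balance as a bigint.
function assessApproval(calldata, trustedSpenders, balance) {
  const call = decodeApproval(calldata);
  if (!call) return { risky: false, reasons: [], call: null };
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const reasons = [];
  if (!trusted.has(call.spender)) reasons.push("spender is not a known protocol contract");
  if (call.amount === UINT256_MAX) reasons.push("unlimited allowance");
  else if (call.amount > balance) reasons.push("allowance exceeds current balance");
  return { risky: reasons.length > 0, reasons, call };
}

// Constructed sample: approve(0x1111..., uint256 max), the shape a malicious
// "increase allowance" prompt would ask the user to sign. Addresses are placeholders.
const MALICIOUS_CALLDATA =
  "0x095ea7b3" +
  "000000000000000000000000" + "11".repeat(20) +
  "f".repeat(64);
const KNOWN_VAULTS = ["0x" + "aa".repeat(20)]; // placeholder, not a real address

const verdict = assessApproval(MALICIOUS_CALLDATA, KNOWN_VAULTS, 10n ** 18n);
console.log(verdict.risky, verdict.reasons);
```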
BadgerDAO acknowledged the exploit earlier this morning. In a Twitter statement, the team confirmed that it had “received reports of unauthorized withdrawals of user funds.” The team has paused the project’s smart contracts and is currently investigating the issue.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
According to on-chain data, the exploiter contract was created on Nov. 20. It appears that the attacker waited until multiple users had approved the contract before beginning to drain the funds all at once this morning.
Commenting on the exploit on the project’s Discord server, Badger core contributor Tritium wrote:
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited.”
Smart contract auditing firm Peckshield has estimated the total losses come to around $120 million. One user reportedly lost nearly 900 Bitcoin, currently worth around $50.7 million, in a single transaction.
Some users reportedly became aware of the exploit as far back as five days ago and escalated the issue with BadgerDAO developers. The team, however, seems to have largely ignored the issue. A screenshot posted by the Twitter user DeFi Ahab shows that a Discord member going by the name fewture alerted the team to the “increase allowance” prompt, before Badger team member blackbear dismissed their concerns by saying it was most likely because “the UI got a bit bugged.”
Affected users have already created a Discord channel dedicated to tracking the hacker. The information posted suggests that the attacker made several transactions connected to the exploit that could be traced back to centralized exchanges with Know Your Customer (KYC) requirements. This would theoretically make the hacker easier to trace.
Judging by recent comments in the Discord channel, community members and Badger core contributors are confident that they’ve already identified the attacker. Peckshield also appears to support this theory, tweeting that “progress has been made,” around the same time information linked to the alleged hacker started appearing in the channel.
DeFi has been hit by other similar attacks in recent months, but this specific type of exploit, where the attacker compromises a project’s user interface rather than its smart contracts, has rarely been seen at this magnitude. At $120 million lost, it’s one of the biggest DeFi hacks to date.
The project’s native token, BADGER, has been hit hard by the incident. It’s down 17.5% today, trading at $22.05 at press time.