Hacker steals $117 million from BadgerDAO

BadgerDAO, a Decentralized Finance (DeFi) protocol operating on the Ethereum, Binance and Arbitrum chain, has fallen victim of a DeFi exploit by hackers as the protocol reports that it has noticed “unauthorized withdrawals” from its protocol.

According to reports from blockchain security and analytics company, PeckShield, over 2,063 BTC was taken. At Bitcoin’s current market price as of the time of this writing, this puts the total dollar figure of the exploit at $116.9 million. Due to the exploit, the protocol confirmed that the engineers have halted all smart contracts to prevent further withdrawals.

According to the official Twitter account of the protocol, “Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.”

What you should know

• The protocol initially reported $10 million being lost but reports from blockchain security and analytics company PeckShield put that number closer to $117 million, with over 2,063 bitcoins lost as it released a list of funds that were transferred out from victims’ wallets. One unlucky user lost 900 BTC according to PeckShield.
• Unlike many other hacks of DeFi protocols, this doesn’t appear to be an attack on the protocol itself, but rather the web interface connecting the protocol to the users’ wallets to the protocol.
• Reports from the BadgerDAO discord channel showed many users complained that when their wallets interacted with BadgerDAO they were hit with requests for additional permissions and then transferred tokens to wallets controlled by the hackers.
• In the last 24 hours, the native token of the protocol, BADGER, lost 23.90% so far from $27.02 at the start of the day to currently trade $20.56 as of the time of this writing.
• A Twitter user, going by the handle ‘napgener’ stated that the exploit had been going on for 12 days. He stated, “Badger.com front end/dns was hacked. User is sneaking in approvals in between legit deposit and reward transactions. He has been stealing funds for approx 12 days so far. Exploit is still live. short $BADGER to namek.”
• It’s also unclear, whether the affected users will be able to be compensated for losses by the DAO, or by insurance protocol Nexus Mutual, which offers insurance on BadgerDAO, currently at a rate of 2.6% annually.
• The insurers’ terms and conditions note that insurance covers only “contract bugs, economic attacks, including oracle failures [and] governance attacks,” and Nexus’ own governance that may determine the present exploit is outside the scope of coverage.

 

What they are saying

Badger developer Tritium wrote on Discord, “It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited.”

According to Badger Core team member Mitche50, commenting on the BadgerDAO Discord’s “general” channel, “It looks like an API key for cloudflare was compromised. Through this, the hacker was able to create a script, inject the script into custom routes and serve the frontend with the malicious script injected.”

The Nexus team issued a statement in their Discord’s “claims-discussions” channel indicating that BadgerDAO cover holders may be out of luck in this case. It reads, “If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted and this would not be a covered event. Frontend attacks are not covered per section 9 of the Protocol Cover wording.”

 

BadgerDAO launched its first launched yield-generating vaults based on wrapped bitcoin on Ethereum, in December 2020. The project quickly moved to community-based governance through the distribution of the BADGER token, which has been used to vote on over 70 improvements to the protocol since launch.

The DeFi ecosystem witnessed a lot of hacks. According to data from The Block, over $600 million have been stolen from DeFi projects as of November this year.

This exploit, according to data from The Block, will rank the second-highest, taking Compounds spot, in which $62 million was stolen. Cream Finance still holds the record of the most funds stolen with $130.8 million