Key Takeaways
- BadgerDAO has suffered a major frontend attack.
- The hacker reportedly compromised Badger’s user interface by inserting a malicious script that prompted users to give the hacker permission to spend their funds.
- Smart contract auditing firm Peckshield has estimated the value of the stolen funds at around $120 million.
BadgerDAO, a DeFi protocol for earning yield with tokenized Bitcoin on Ethereum, has fallen victim to an attack. The hacker reportedly added a malicious script to the protocol’s frontend website, prompting users to approve a smart contract transaction giving the script unlimited permission to drain funds from their wallets.
BadgerDAO Suffers Frontend Attack
BadgerDAO, a DeFi protocol with over 30,000 active users and $1.2 billion in total value locked, has been exploited.
The attack occurred early Wednesday. Soon after, many affected users reported suspicious outgoing transactions from their wallets.
It’s suspected that the attacker exploited the protocol’s frontend website rather than its smart contracts. The hacker allegedly inserted a malicious script on Badger’s website that presented users with a transaction to “increase allowance,” which gave the attacker unlimited permission to drain the funds users had deposited in the vaults if they approved the transaction.
BadgerDAO acknowledged the exploit earlier this morning. In a Twitter statement, the team confirmed that it had “received reports of unauthorized withdrawals of user funds.” The team has paused the project’s smart contracts and is currently investigating the issue.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
According to on-chain data, the exploiter contract was created on Nov. 20. It appears that the attacker waited until multiple users had approved the contract before beginning to drain the funds all at once this morning.
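The mechanism described above runs on ordinary ERC-20 approvals, which every token records as an Approval event, so a wallet's own event history is where such a grant shows up. The following is an added example, not BadgerDAO's code or anything recovered from the incident: it decodes constructed Approval logs in the raw eth_getLogs shape and flags unlimited allowances granted to spenders outside an allowlist of known protocol contracts; every address and the allowlist itself are constructed placeholders.

```python
# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses, not real contracts or wallets
PROTOCOL_VAULT = "0x" + "11" * 20   # the spender a user legitimately approves
OWNER = "0x" + "aa" * 20            # the user's wallet
UNKNOWN = "0x" + "bb" * 20          # a spender nobody should have approved
KNOWN_SPENDERS = {PROTOCOL_VAULT}   # allowlist of the protocol's own contracts

def pad_topic(addr: str) -> str:
    """Indexed address as it appears in a log topic: left-padded to 32 bytes."""
    return "0x" + addr[2:].rjust(64, "0")

def topic_to_address(topic: str) -> str:
    """Reverse of pad_topic: keep the low 20 bytes, lowercase."""
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict):
    """Decode a raw eth_getLogs entry into an Approval record; None for any other event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": topic_to_address(topics[1]),
            "spender": topic_to_address(topics[2]), "value": int(log["data"], 16)}

def risky_approvals(logs: list, known: set = KNOWN_SPENDERS) -> list:
    """Approvals that are (effectively) unlimited and go to a spender outside the allowlist."""
    flagged = []
    for log in logs:
        ev = decode_approval(log)
        if ev is None or ev["value"] == 0:       # a zero value is a revocation, not a grant
            continue
        if ev["value"] >= MAX_UINT256 // 2 and ev["spender"] not in known:
            flagged.append(ev)
    return flagged

def approval_log(spender: str, value: int) -> dict:
    """Constructed Approval log emitted by a placeholder token for OWNER -> spender."""
    return {"address": "0x" + "cc" * 20, "data": hex(value),
            "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(spender)]}

# Constructed history: a normal vault approval, an unlimited grant to an unrelated
# contract (what a malicious "increase allowance" prompt yields), a revocation, a bounded grant.
SAMPLE_LOGS = [
    approval_log(PROTOCOL_VAULT, MAX_UINT256),
    approval_log(UNKNOWN, MAX_UINT256),
    approval_log(UNKNOWN, 0),
    approval_log(UNKNOWN, 1000),
]
```

Against a real wallet the same functions run over the result of eth_getLogs filtered on APPROVAL_TOPIC and the padded owner address; anything flagged is a candidate for a zero-value approve to revoke it.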
Commenting on the exploit on the project’s Discord server, Badger core contributor Tritium wrote:
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited.”
Smart contract auditing firm Peckshield has estimated the total losses come to around $120 million. One user reportedly lost nearly 900 Bitcoin, currently worth around $50.7 million, in a single transaction.
Some users reportedly became aware of the exploit as far back as five days ago and escalated the issue with BadgerDAO developers. The team, however, seems to have largely ignored the issue. A screenshot posted by the Twitter user DeFi Ahab shows that a Discord member going by the name fewture alerted the team to the “increase allowance” prompt, before Badger team member blackbear dismissed their concerns by saying it was most likely because “the UI got a bit bugged.”
Affected users have already created a Discord channel dedicated to tracking the hacker. The information posted suggests that the attacker made several transactions connected to the exploit that could be traced back to centralized exchanges with Know Your Customer (KYC) requirements. This would theoretically make the hacker easier to trace.
Judging by recent comments in the Discord channel, community members and Badger core contributors are confident that they’ve already identified the attacker. Peckshield also appears to support this theory, tweeting that “progress has been made,” around the same time information linked to the alleged hacker started appearing in the channel.
DeFi has been hit by other similar attacks in recent months, but this specific type of exploit, in which the attacker compromises a project’s user interface rather than its smart contracts, has rarely been seen at this magnitude. At $120 million lost, it’s one of the biggest DeFi hacks to date.
The project’s native token, BADGER, has been hit hard by the incident. It’s down 17.5% today, trading at $22.05 at press time.