blockworks.co
Another DeFi protocol has fallen victim to an eight-figure hack, as Badger DAO reports that it has noticed “unauthorized withdrawals” from its protocol.
Badger has received reports of unauthorized withdrawals of user funds.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
BadgerDAO initially reported that $10 million had been pilfered, though reports from blockchain security and analytics company PeckShield puts that number closer to $115 million, over 2063 bitcoins. One unlucky user lost 900 bitcoin.
BadgerDAO’s mission, as it describes it, is to “bring Bitcoin to DeFi” by creating various wrapped bitcoin products.
Unlike many other hacks of DeFi protocols, this one doesn’t appear to be an attack on the protocol itself, but rather the web interface connecting the protocol to the users’ wallets to the protocol.
On the BadgerDAO Discord, many users complained that when their wallets interacted with BadgerDAO they were hit with requests for additional permissions and then transferred tokens to wallets controlled by the hackers.
“It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited,” Badger developer Tritium wrote on Discord.
Currently, BadgerDAO has decided to pause all smart contracts to prevent further withdrawals as it investigates further.
BadgerDAO’s governance token BADGER is down sharply on the news.
The founder of BadgerDAO, Chris Spadafora, who goes by the moniker SpadaBoom (with the ‘B’ as a Bitcoin symbol), had not reacted to the news on Twitter at the time of publication.
Token holders are responsible for approving changes to the decentralized protocol on Ethereum, but the Badger.com frontend is separate from the project’s Ethereum smart contracts.
According to Badger Core team member Mitche50, commenting on the BadgerDAO Discord’s “general” channel:
“It looks like an API key for cloudflare was compromised. Through this, the hacker was able to create a script, inject the script into custom routes and serve the frontend with the malicious script injected.”
Cloudflare is a widely used American website infrastructure company that provides content delivery network and helps sites defend against denial-of-service attacks.
Among the unresolved questions are, how long has this exploit been operative, and why did it go undetected? Mitche50 told Blockworks, “the investigation of exactly what happened is still ongoing.”
It’s also unclear, whether the affected users will be able to be compensated for losses by the DAO, or by insurance protocol Nexus Mutual, which offers insurance on BadgerDAO at a rate of 2.6% annually.
The insurers’ term and conditions note that insurance covers only “contract bugs, economic attacks, including oracle failures [and] governance attacks,” and Nexus’ own governance may determine the present exploit is outside the scope of coverage. Nexus representatives were still gathering information prior to initiating a claims discussion on the topic as of 8:15 AM ET on Thursday.
Even if Nexus were to include the hack as a covered event, as of today, less than $14.25 million in coverage was purchased, according to nexustracker.io.
While this hack is significant, it pales in comparison to some of the largest successful exploits that have occurred against DeFi protocols this year. For instancce, in August, hackers made off with nearly $600 million after they exploited bugs in the Poly Network.
Get the day’s top crypto news and insights delivered to your inbox every evening. Subscribe to Blockworks’ free newsletter now.