BadgerDAO has suffered a major frontend attack.
The hacker reportedly compromised Badger’s user interface by inserting a malicious script that prompted users to give the hacker permission to spend their funds.
Smart contract auditing firm Peckshield has estimated the value of the stolen funds to around $120 million.
Share this article
BadgerDAO, a DeFi protocol for earning yield with tokenized Bitcoin on Ethereum, has fallen victim to an attack. The hacker reportedly added a malicious script to the protocol’s frontend website, prompting users to approve a smart contract transaction giving the script unlimited permission to drain funds from their wallets.
BadgerDAO Suffers Frontend Attack
BadgerDAO, a DeFi protocol with over 30,000 active users and $1.2 billion in total value locked, has been exploited.
The attack occurred early Wednesday. Soon after, many affected users reported suspicious outgoing transactions from their wallets.
It’s suspected that the attacker exploited the protocol’s frontend website rather than its smart contracts. The hacker allegedly inserted a malicious script on Badger’s website that presented users with a transaction to “increase allowance,” which gave the attacker unlimited permission to drain the funds users had deposited in the vaults if they approved the transaction.
BadgerDAO acknowledged the exploit earlier this morning. In a Twitter statement, the team confirmed that it had “received reports of unauthorized withdrawals of user funds.” The team has paused the project’s smart contracts and is currently investigating the issue.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
According to on-chain data, the exploiter contract was created on Nov. 20. It appears that the attacker waited until multiple users had approved the contract before beginning to drain the funds all at once this morning.
Commenting on the exploit on the project’s Discord server, Badger core contributor Tritium wrote:
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited.”
Smart contract auditing firm Peckshield has estimated the total losses come to around $120 million. One user reportedly lost nearly 900 Bitcoin, currently worth around $50.7 million, in a single transaction.
Some users reportedly became aware of the exploit as far back as five days ago and escalated the issue with BadgerDAO developers. The team, however, seems to have largely ignored the issue. A screenshot posted by the Twitter user DeFi Ahab shows that a Discord member going by the name fewture alerted the team to the “increase allowance” prompt, before Badger team member blackbear dismissed their concerns by saying it was most likely because “the UI got a bit bugged.”
Affected users have already created a Discord channel dedicated to tracking the hacker. The information posted suggests that the attacker made several transactions connected to the exploit that could be traced back to centralized exchanges with Know Your Customer (KYC) requirements. This would theoretically make the hacker easier to trace.
Judging by recent comments in the Discord channel, community members and Badger core contributors are confident that they’ve already identified the attacker. Peckshield also appears to support this theory, tweeting that “progress has been made,” around the same time information linked to the alleged hacker started appearing in the channel.
DeFi has been hit other similar attacks in recent months, but this specific type of exploit, where the attacker has compromised a project’s user interface rather than its smart contracts, has rarely been seen on this magnitude. At $120 million lost, it’s one of the biggest DeFi hacks to date.
The project’s native token, BADGER, has been hit hard by the incident. It’s down 17.5% today, trading at $22.05 at press time.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
$136M Lost as Cream Finance Suffers Another Flash Loan Attack
Decentralized lending protocol Cream Finance has been hit by a major flash loan attack. The assailant borrowed $2 billion from Aave and made off with over $136 million worth of…
MDEX: Overlooked Decentralized Exchange That Pays You to Trade
Based on statistics from DeBank and dapp.com, one of the top-performing decentralized exchanges by TVL and trading volume this year is MDEX—an AMM-based DEX functioning across the Huobi Eco-chain (HECO), Binance Smart Chain…
$60M Stolen From AnubisDAO in Latest DeFi Attack
AnubisDAO has suffered from an attack in which an unknown entity stole $60 million from the project’s auction pool. Funds Drained From AnubisDAO In Suspected Rug pull AnubisDAO, a newly-launched…
Popsicle Finance to Repay Victims of $25M Attack
DeFi platform Popsicle has announced that it will reimburse victims of a $25 million attack that took place in August. Funds Will Be Paid Back to Users The Popsicle team…