Bitcoin DeFi tool BadgerDAO hit by estimated $120 million hack
While the hacked project investigates the attack, early estimates reveal the scope of the damage, with one of the most affected users losing roughly 900 Bitcoin.
Decentralized autonomous organization BadgerDAO recently suffered a major exploit, and according to the current speculation the attack was executed via the DeFi protocol’s front-end.
The team has not yet released details of the attack, but it confirmed on Twitter that it had received reports of unauthorized withdrawals of user funds and announced that all smart contracts had been paused to halt further damage.
BadgerDAO runs infrastructure that lets users bridge their Bitcoin to other blockchains, so that it can be used as collateral to earn yield in decentralized applications (dapps).
Counting victims
While confirming that they have “received reports of unauthorized withdrawals of user funds,” the Badger team assured they are investigating the issue.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
Meanwhile, PeckShield listed on Twitter the funds that were transferred out during the attack, revealing losses exceeding $120 million.
Here is the current whereabouts as well as the total loss: $120.3M (with ~2.1k BTC + 151 ETH) @BadgerDAO pic.twitter.com/fJ4hJcMWTq
— PeckShield Inc. (@peckshield) December 2, 2021
According to the blockchain security and data analytics company, one of the most affected users lost roughly 900 Bitcoin.
Front-end hack
Judging by the early user reports, the attack started late Wednesday or early Thursday. According to current speculation on the protocol’s official Discord server, a Cloudflare API key was compromised, which allowed the attacker to inject a malicious script into Badger’s front-end interface.
From the @BadgerDAO discord, it looks like the hack took place via script injection through a Cloudflare API key.
Total present estimate of loss: $130m pic.twitter.com/PVChCEnQis
— Ram (@hiddentao) December 2, 2021
“It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited,” wrote Badger core contributor Tritium on Discord, explaining that users had been tricked into signing token approvals that let the attacker’s address move their vault funds.
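The mechanism described above is an ERC-20 approve(spender, amount) call whose spender is the attacker rather than the vault. The following is an added example, not BadgerDAO code, of the check a wallet or a cautious user could run on the raw calldata before signing: decode the call and warn when the spender is not a known contract or when an unlimited allowance is requested. The selector 0x095ea7b3 is the real four-byte selector of approve(address,uint256); the vault, attacker and allowlist addresses are constructed placeholders.

```javascript
// Added example (not BadgerDAO code): decode an ERC-20 approve() transaction
// before signing it and flag a spender that is not the contract the dApp is
// supposed to use, or an unlimited allowance. The tampered front-end described
// in the article worked by getting users to sign exactly this kind of call with
// the attacker's address as spender. All addresses below are constructed.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist: the only spenders this front-end should ever ask for.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // constructed: the vault contract
]);

// Parse the calldata of approve(address spender, uint256 amount).
// Layout: 4-byte selector, 32-byte left-padded address, 32-byte uint256.
function decodeApprove(calldata) {
  const data = calldata.toLowerCase();
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 2 + 8 + 64 + 64) {
    return null; // not a plain approve() call
  }
  const spenderWord = data.slice(10, 74);
  const amountWord = data.slice(74, 138);
  // An address occupies the low 20 bytes of its word; the top 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + amountWord),
  };
}

// Return the reasons a wallet should warn about before signing (empty = looks fine).
function checkApproval(calldata, trusted = TRUSTED_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return ["not an approve() call"];
  const warnings = [];
  if (!trusted.has(decoded.spender)) {
    warnings.push(`spender ${decoded.spender} is not a known contract`);
  }
  if (decoded.amount === MAX_UINT256) {
    warnings.push("unlimited allowance requested");
  }
  return warnings;
}

// Helper to build approve() calldata for the demo inputs below.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addr + amt;
}

// Constructed sample: what a legitimate deposit flow asks the user to sign.
const legit = encodeApprove("0x1111111111111111111111111111111111111111", 10n ** 18n);
// Constructed sample: what a tampered front-end asks the user to sign.
const malicious = encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256);

console.log(checkApproval(legit));     // []
console.log(checkApproval(malicious)); // unknown spender + unlimited allowance
```

Pausing the protocol's contracts stops further withdrawals through them, but an approval is state on the token contract granted to the spender, so checking the spender field at signing time is where this class of attack has to be caught.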
The price of BADGER is down 14% at the time of writing.
The protocol was hit just days before its one-year anniversary.