Hacker Drains $115 Million From DeFi Protocol BadgerDAO
Another DeFi protocol has fallen victim to a serious hack, after BadgerDAO reported that it had noticed "unauthorized withdrawals" from its protocol.
BadgerDAO initially stated that $10 million had been stolen, though reports from security and blockchain analytics company PeckShield put that number closer to $115 million, or over 2,063 BTC. One user even lost 900 BTC.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
Unlike many other DeFi hacks, this one does not appear to be an attack on the protocol itself, but rather the web interface connecting the protocol to users’ wallets.
On BadgerDAO’s Discord server, many users complained that when their wallets interacted with BadgerDAO, they received requests for additional permissions, after which their tokens were transferred to wallets controlled by the hackers.
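As an added illustration, not part of the article or of BadgerDAO's code: the "requests for additional permissions" described above are, on my reading, token-approval transactions, and the practical defense is to inspect an approval before signing it. The Python below decodes the standard ERC-20/ERC-721 approval calls (selectors are the standard ones; spender addresses and the balance are constructed) and flags unlimited allowances or spenders that are not known protocol contracts.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_UINT256 = 2**256 - 1
# 4-byte selectors of the standard approval functions (keccak-256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

@dataclass
class ApprovalCheck:
    function: str
    spender: str
    amount: int
    findings: list = field(default_factory=list)

def decode_approval(calldata: str) -> Optional[Tuple[str, str, int]]:
    """Return (function, spender, amount) if calldata is an approval call, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 + 2 * 64:          # selector + two 32-byte ABI words
        return None
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return None
    spender = "0x" + data[8 + 24:8 + 64]  # address is right-aligned in its word
    amount = int(data[72:136], 16)        # uint256, or 0/1 for the bool in setApprovalForAll
    return sig, spender, amount

def check_approval(calldata: str, trusted_spenders, balance: int) -> Optional[ApprovalCheck]:
    """Flag risky approvals: unknown spender, unlimited allowance, or more than you hold."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return None
    sig, spender, amount = decoded
    result = ApprovalCheck(sig, spender, amount)
    if spender not in {s.lower() for s in trusted_spenders}:
        result.findings.append("spender is not a known protocol contract")
    if sig.startswith("setApprovalForAll") and amount == 1:
        result.findings.append("grants control of every token in the collection")
    elif amount == MAX_UINT256:
        result.findings.append("unlimited allowance")
    elif amount > balance:
        result.findings.append("allowance exceeds current balance")
    return result

def encode_approval(selector: str, spender: str, amount: int) -> str:
    """Helper to build constructed sample calldata (selector + ABI-encoded address, uint256)."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + selector + addr + format(amount, "064x")
```

A wallet prompt that decodes to an unlimited allowance for an address not in the protocol's published contract list is exactly the pattern a compromised front end produces, and is the point to stop and verify.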
BadgerDAO has paused all of its smart contracts to prevent further withdrawals while it investigates.
BadgerDAO’s own governance token, BADGER, plummeted after the news broke.
The protocol’s founder, Chris Spadafora, had not yet responded to the news on Twitter at the time of publication.
According to Mitche50 of the Badger Core team:
“It appears that the API key for Cloudflare has been compromised. Through this, the hacker was able to create a script and inject it into custom routes.”
Cloudflare is a widely used US website infrastructure company that provides a content delivery network and helps sites defend against denial of service attacks.
It is also unclear whether affected users will be compensated for their losses by the DAO or by the Nexus Mutual insurance protocol, which offers BadgerDAO cover at a rate of 2.6% per year.
The insurers’ terms note that the insurance only covers “contract bugs, economic attacks including oracle failures [and] network management attacks”.
While this hack is significant, it pales in comparison to some of the major successful exploits that have happened against DeFi protocols this year. For example, in August hackers made off with nearly $600 million after exploiting bugs in the Poly Network.