On Wednesday night, the platform BadgerDAO suffered an attack.
An attacker found a way to access and drain the wallets of a dozen users of the BadgerDAO yield vaults, and the method of attack relied on malicious contract permissions.
According to reports, the front-end exploit has so far resulted in losses of more than $100 million. While every loss is painful, a single user is bearing much of it, at roughly $50 million worth of Bitcoin.
Speculation is that the DAO's front-end interface was compromised, which facilitated the hack.
The Hacker’s Yield
According to PeckShield, a blockchain security and analytics firm, the hacker stole a range of assets, from standard tokens such as wrapped bitcoin (WBTC) and convex finance (CVX) to more complex tokens such as "ibbtc/sbtcCRV-f." Since many of these tokens represent positions held in a vault that can be redeemed for several underlying tokens of varying value, it is hard to total the exact amount of funds stolen.
A few hours ago, PeckShield released the list of affected accounts and the destination accounts of the proceeds.
While quite a number of them lost large amounts, the most affected account remains 0x53461e4fddcc1385f1256ae24ce3505be664f249, with an approximate loss of nearly 900 BTC ($50 million).
The developers of BadgerDAO have since confirmed the breach of the protocol and are investigating it.
“Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible,” the tweet said.
They also added that all smart contracts have been paused to prevent further withdrawals.
BadgerDAO is a decentralized finance protocol that works to bring BTC into the decentralized finance ecosystem on Ethereum, which it does by creating various wrapped bitcoin products.
Speculations on How the Attack on BadgerDAO Happened
BadgerDAO earlier reported that the amount drained from the protocol was around $10 million. At the time, the company said that users of the protocol had first reported problems on Discord. Hence the speculation that the exploit started on Badger.com, the front-end user interface, and not in the core protocol contracts.
Users complained that when their wallets interacted with BadgerDAO, the interface prompted them for a suspicious number of additional permissions. Those who accepted the prompts granted the approvals that enabled the hacker to execute the heist.
"It looks like a bunch of users did have approvals set for the exploit address, allowing it to operate on their vault funds, and that was exploited," Badger developer Tritium wrote on Discord.
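The approvals Tritium refers to are standard ERC-20 allowances: once a wallet calls approve() for a spender, that spender can move the owner's tokens with transferFrom() until the allowance is spent or set back to zero. The script below is an added example, not BadgerDAO's or PeckShield's code, showing how a defender can review a batch of raw Approval event logs, reconstruct the current allowance per (token, owner, spender), and flag approvals to spenders outside an allowlist, ranking unlimited approvals highest. The log lines, addresses, and the trusted-spender list are constructed placeholders; only the two event topic hashes are the real ERC-20 values.

```python
"""Flag risky ERC-20 approvals in raw Approval event logs (added example)."""
from typing import Optional

# Real ERC-20 event signatures: keccak256("Approval(address,address,uint256)")
# and keccak256("Transfer(address,address,uint256)").
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UNLIMITED = 2**256 - 1  # the "infinite" allowance most dapp prompts ask for

# Constructed placeholder addresses (not real BadgerDAO or attacker addresses).
OWNER = "0x" + "aa" * 20
TRUSTED_VAULT = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "bb" * 20
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20)

# Assumption: the wallet owner trusts only these contracts to spend tokens.
TRUSTED_SPENDERS = {TRUSTED_VAULT}


def make_log(token, owner, spender, value, block, idx, topic0=APPROVAL_TOPIC):
    """Build a raw log in the shape an Ethereum node returns (constructed data)."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # indexed address topics are 32 bytes
    return {"address": token, "topics": [topic0, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": idx}


# Constructed sample: one trusted approval, two unknown approvals (one later
# revoked), one smaller unknown approval, and a Transfer that must be ignored.
SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, TRUSTED_VAULT, UNLIMITED, 100, 0),
    make_log(TOKEN_A, OWNER, UNKNOWN_SPENDER, UNLIMITED, 101, 0),
    make_log(TOKEN_B, OWNER, UNKNOWN_SPENDER, 1000 * 10**8, 101, 1),
    make_log(TOKEN_B, OWNER, UNKNOWN_SPENDER, 0, 102, 0),          # revoked
    make_log(TOKEN_C, OWNER, UNKNOWN_SPENDER, 1000 * 10**8, 102, 1),
    make_log(TOKEN_A, OWNER, UNKNOWN_SPENDER, 5, 103, 0, TRANSFER_TOPIC),
]


def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[dict]:
    """Decode one raw log into an Approval record, or None if it is another event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": topic_to_address(topics[1]),
            "spender": topic_to_address(topics[2]), "value": int(log["data"], 16)}


def current_allowances(logs) -> dict:
    """approve() overwrites rather than adds, so the latest event per key wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        ev = decode_approval(log)
        if ev is not None:
            latest[(ev["token"], ev["owner"], ev["spender"])] = ev["value"]
    return latest


def risky_approvals(logs, trusted=TRUSTED_SPENDERS) -> list:
    """Return outstanding approvals to spenders outside the allowlist."""
    findings = []
    for (token, owner, spender), value in current_allowances(logs).items():
        if value == 0 or spender in trusted:
            continue  # revoked, or a spender the owner deliberately trusts
        findings.append({
            "owner": owner, "token": token, "spender": spender, "value": value,
            "severity": "high" if value == UNLIMITED else "medium",
            "remediation": f"call approve({spender}, 0) on token {token}",
        })
    return findings


if __name__ == "__main__":
    for f in risky_approvals(SAMPLE_LOGS):
        print(f["severity"], f["token"], f["spender"], f["remediation"])
```

Run against real data, the logs would come from a node's log filter on the Approval topic with the wallet address in the owner position; the allowlist is what the owner actually intends to interact with. The point of the "latest event wins" step is that a user who was tricked into an unlimited approval can undo it with a single approve(spender, 0), and a correct review must see that revocation rather than the original grant.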
Since the news broke, BADGER, the native token, has dropped by around 15.3% and is currently trading at about $22.73.
Conclusion
The DeFi sector has seen significant growth in 2021. The market currently stands at around $275.55 billion, but despite recently reaching an all-time high of $276.92 billion, exploit incidents continue to pull it back. According to Cryptosec, a DeFi monitoring tool, 73 incidents have been reported so far. We can only hope that this will be the last.