DeFi Protocol BadgerDAO Exploited: $120 Million in Funds Drained

By Robert Drage, December 04, 2021. Filed under: Crypto News, DAO, DeFi, Hackers

BadgerDAO is the latest decentralised finance (DeFi) protocol to be hit by hackers, who drained US$120 million worth of cryptocurrencies. The attackers obtained an API key for the protocol's front-end infrastructure and launched a front-end attack that led users to sign transactions they never intended to make.

On December 1, BadgerDAO received reports of unauthorised withdrawals from users' accounts. The team's engineers responded by pausing all smart contracts to stop any further withdrawals. It later emerged that the hacker(s) had drained funds from the BadgerDAO yield vaults by using token approvals that users had unknowingly granted to an attacker-controlled address.

“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds, and that was exploited,” Badger core contributor Tritium wrote on Discord.

A Compromised Third Party

The postmortem stated that the hack didn’t involve exploiting smart contracts but rather an attack that targeted the protocol’s front end. According to a BadgerDAO support team member, it appears the attacker injected a malicious script into BadgerDAO’s front end after somehow obtaining an API key for BadgerDAO’s Cloudflare account.


"The malicious script basically tricked people into giving the address rights to send the tokens to the exploiter address."

Jonto, Badger core team member
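The approvals Tritium and Jonto describe are ordinary ERC-20 approve(address,uint256) calls: the injected script simply asked wallets to sign an unlimited allowance for the exploiter's address, and the attacker later called transferFrom against it. The following is an added example, not BadgerDAO's code, showing the wallet-side check a front end or browser extension could run before the user signs: it decodes approve() calldata and flags an unlimited allowance to an unrecognised spender. The allowlist contents, the sample addresses, and the function names (encodeApprove, decodeApprove, assessApproval) are constructed for this illustration; only the approve() selector and ABI layout are real.

```javascript
// Added example, not BadgerDAO's code: a wallet-side check that decodes an
// ERC-20 approve(address,uint256) call and flags the pattern behind front-end
// approval phishing: an unlimited allowance granted to a spender the user has
// no reason to trust. Plain Node.js, no network access.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed allowlist of spenders a front end legitimately asks users to
// approve (entries must be lowercase). Placeholder, not a real BadgerDAO contract.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI-encode approve(spender, amount) as a wallet sees it: 4-byte selector,
// then the address and the amount each left-padded to a 32-byte word.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Decode approve() calldata. Returns null for any other selector and throws
// on malformed encoding (wrong length, or non-zero padding in the address word).
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve() calldata");
  const addrWord = hex.slice(8, 72);
  if (!/^0{24}/.test(addrWord)) throw new Error("address word has non-zero padding");
  return {
    spender: "0x" + addrWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Classify an approval request before the user is asked to sign it.
function assessApproval(calldata, knownSpenders = KNOWN_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return { risk: "not-an-approval" };
  const unlimited = decoded.amount === MAX_UINT256;
  const unknownSpender = !knownSpenders.has(decoded.spender);
  let risk = "low";
  if (unlimited && unknownSpender) risk = "high";          // the pattern seen in this incident
  else if (unlimited || unknownSpender) risk = "medium";
  return { ...decoded, unlimited, unknownSpender, risk };
}

// Demo on constructed calldata: a bounded approval to a known contract versus
// an unlimited approval to an unknown address.
const legitCall = encodeApprove("0x1111111111111111111111111111111111111111", 1000n);
const phishCall = encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256);
console.log("legit:", assessApproval(legitCall).risk, "phish:", assessApproval(phishCall).risk);
```

The useful defensive takeaway is that the risk signal lives entirely in the calldata: a wallet does not need to trust the site that produced the request, only to decode the amount and compare the spender against contracts it already knows. The same decoder, pointed at historical transactions, is how users audit and revoke allowances after an incident like this one.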

Affected users have been vocal on social media, with some suspecting that this was a rug pull organised by BadgerDAO itself. Until the official investigation concludes, however, there is no way of knowing who the culprit is.

Security Still Needs Work in DeFi

The growing pains in the DeFi sector stem mostly from how new the field is and from the many best practices that have yet to be established. Earlier this month, US$31 million was stolen in MonoX's DeFi hack, while October's Indexed Finance 'incident' cost its users US$16 million.

Matthew Green, a cryptography and computer science professor at Johns Hopkins University, wrote on Twitter that “it’s funny how little computer security people know about the [decentralised applications] ecosystem. It’s like they’re living in the hotel from [Kubrick film] The Shining and they have no idea what’s going down in Room 237.”

Robert Drage, Author

Robert is a freelance researcher with a background in information science, currently interested in blockchain technology and technical developments in the field.
