DeFi protocol BadgerDAO exploited for $120 million in front-end attack

Quick Take

  • DeFi protocol BadgerDAO was exploited earlier today for $120 million.
  • It appears that its front end was compromised and users were tricked into making unwanted transactions.

DeFi protocol BadgerDAO has fallen victim to a large hack. According to security researchers PeckShield, $120.3 million was stolen from users of the protocol.

BadgerDAO is a DeFi protocol focused on providing yield for bitcoin. The idea is that you bridge your bitcoin over onto a smart contract platform like Ethereum, as wrapped bitcoin, which you can then use within DeFi applications. BadgerDAO provides a variety of vaults where users can park their wrapped bitcoin and earn yields depending on the yield generation strategies used by the vaults.

"Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals," BadgerDAO tweeted today, confirming the exploit.

PeckShield documented the variety of assets stolen in the hack, which range from tokens like wrapped bitcoin (WBTC) and convex finance (CVX) to more complicated tokens like "ibbtc/sbtcCRV-f." Many of the tokens represent assets held in a vault, meaning they can be redeemed for multiple tokens with varying values — making it harder to total the amount of funds stolen.

One user had around 900 bitcoin ($50.8 million) worth of tokens stolen in a single transaction. Another lost $5 million worth of tokens in one go.

The front end to the BadgerDAO website was reportedly acccessed, according to comments in the project's Discord channel, and used to intercept transactions. One admin said it appears that an API key for Cloudflare was compromised.

While protocols like BadgerDAO are decentralized and can be interacted with directly, it requires specialized knowledge to do so. Most users will use a front end like the BadgerDAO website (although alternative front ends can be used). But this does have an element of risk: if the front end gets comprised, as in this case, then it can lead to loss of funds.

For more breaking stories like this, make sure to follow The Block on Twitter.


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.