BadgerDAO, a decentralized autonomous organization focused on bringing Bitcoin to DeFi, has fallen victim to a hack. The prominent player in decentralized finance lost around $10 million in various cryptocurrencies from its yield vault protocol, CoinDesk reported.
Weakness in interface exploited?
The first account of possible problems emerged last night in the protocol’s Discord. At present, the community is speculating that the hack came from an exploited weakness in the Badger.com user interface, not in the core protocol contracts.
Users that were affected by the hack noticed their wallet providers prompting spurious requests for additional permissions while claiming yield farming rewards and interacting with Badger vaults. Badger core contributor Tritium wrote on Discord:
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited. Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are.
The team also confirmed the exploit on Twitter:
Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.
Bulk of funds drained yesterday
According to insiders, the hacker or hackers took 136,000 cvxCRV, 185 WBTC, 64,000 veCVX, and various forms of synthetic and vaulted Bitcoin from affected wallets, worth more than $10 million in total. While the malicious permission requests may have been made weeks prior to the attack, most funds were drained last night.
Community recommends using Debank and Unrekt to revoke permission
The contracts may have been paused, but community members recommend that depositors use Debank, Unrekt, or a similar tool to revoke permissions for the malicious entity.
BADGER is the native governance token of BadgerDAO. It is an ERC-20 token with a maximum fixed supply of 21 million. It is currently traded on Ethereum, Binance Smart Chain, and Polygon, with support coming soon for Fantom. At the time of writing, BADGER has lost 15% on the day to around $22.50 per token.
Most prominent hacks
Although $10 million is a serious loss by anyone’s standards, it pales in comparison to BitGrail’s $146 million hack in 2018 and KuCoin’s hack of $281 million in 2020, not to mention Japanese exchange MtGox, which collapsed after $450 million was drained from it in 2014.
Contributors
