Early on Thursday, news that the Bitcoin DeFi protocol BadgerDAO had suffered a $120 million exploit shocked the cryptocurrency industry. While the platform had shared an initial diagnosis of the attack on Twitter, the Rekt blog has now published a detailed post-mortem of the hack. It stated, “the badger is dead.”
According to Rekt, the attack took place on the front end of the application. The exploiter was able to insert additional token approvals that granted their own address permission to move users’ tokens. The attacker then used those approvals to drain the tokens into their own wallet.
Analytics platform DeFiYield also weighed in, stating,
“Many impacted users alleged that while receiving yield farming rewards and engaging with Badger vaults, their wallet providers prompted them with spurious requests for extra permissions.”
Rekt further explained that although the Badger team paused the project’s smart contracts as soon as it heard of the exploit, almost 2.5 hours had already passed since the malicious transactions first began. The pause itself was possible thanks to an “unusual” feature in Badger’s code that allows its team to halt all activity and stop the transfer of funds.
The majority of the digital assets lost in the attack were vault deposit tokens, as the protocol offered vaults in which users could earn a yield on wrapped BTC variants on Ethereum. The stolen tokens were cashed out using the underlying Bitcoin that backed them, while the ERC20 tokens remained on Ethereum. The blog further explained,
“The approvals presented themselves when users attempted to make legitimate deposit and reward claim transactions, building a base of unlimited wallet approvals that allowed the attacker to transfer BTC related tokens directly from the user’s address.”
Over 500 addresses had approved the hacker’s address, with the first such malicious approval taking place over two weeks ago, according to Peckshield. This means that anyone interacting with the platform since then might have unknowingly approved the attacker’s request to drain funds.
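The mechanism described above relies on the ERC20 approval model: a user signs an `approve` call granting a spender an allowance, and the spender can later call `transferFrom` against it. A malicious front end can inject such an approval into an otherwise legitimate transaction flow, and an unlimited allowance to an unfamiliar address is the telltale sign. The following is an added example, not code from the article, from Rekt, or from the Badger project: it decodes standard ERC20 `Approval` event logs and flags approvals that either go to a spender outside a protocol’s known contract list or grant an unlimited allowance. The addresses and log entries are constructed placeholders, and the trusted-spender list is an assumption a protocol or wallet provider would supply from its own deployments.

```python
"""Flag risky ERC-20 approvals in a batch of Ethereum event logs.

Added example, not taken from the article or from the Badger codebase. All
addresses and log entries below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"): present only so the sample batch
# contains a non-Approval log that the auditor must skip.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value wallets warn about

# Constructed placeholder addresses (not real contracts or accounts).
USER = "0x" + "aa" * 20
TRUSTED_VAULT = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ee" * 20


def pad_topic(address: str) -> str:
    """Encode an address as an indexed log topic: left-padded to 32 bytes."""
    return "0x" + address[2:].lower().rjust(64, "0")


def encode_uint256(value: int) -> str:
    """ABI-encode a uint256 as the 32-byte hex data field of a log."""
    return "0x" + format(value, "064x")


# Constructed sample batch shaped like eth_getLogs output (only the fields used here):
# a bounded approval to a known vault, an unrelated Transfer, and an unlimited
# approval to an address the protocol never deployed.
SAMPLE_LOGS = [
    {"topics": [APPROVAL_TOPIC, pad_topic(USER), pad_topic(TRUSTED_VAULT)],
     "data": encode_uint256(1_000 * 10**18)},
    {"topics": [TRANSFER_TOPIC, pad_topic(USER), pad_topic(TRUSTED_VAULT)],
     "data": encode_uint256(1_000 * 10**18)},
    {"topics": [APPROVAL_TOPIC, pad_topic(USER), pad_topic(UNKNOWN_SPENDER)],
     "data": encode_uint256(UINT256_MAX)},
]
# Assumed allowlist: the protocol's own contract addresses (hypothetical here).
TRUSTED_SPENDERS = {TRUSTED_VAULT}


@dataclass
class Finding:
    owner: str
    spender: str
    value: int
    reasons: List[str] = field(default_factory=list)


def topic_to_address(topic: str) -> str:
    """Indexed address topics carry the address in their low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[Tuple[str, str, int]]:
    """Return (owner, spender, value) for an Approval log, or None for anything else."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return topic_to_address(topics[1]), topic_to_address(topics[2]), int(log["data"], 16)


def audit_approvals(logs, trusted_spenders) -> List[Finding]:
    """Flag approvals to unknown spenders and unlimited allowances."""
    trusted = {a.lower() for a in trusted_spenders}
    findings: List[Finding] = []
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None:
            continue
        owner, spender, value = decoded
        reasons = []
        if spender not in trusted:
            reasons.append("spender is not one of the protocol's known contracts")
        if value == UINT256_MAX:
            reasons.append("unlimited allowance")
        if reasons:
            findings.append(Finding(owner, spender, value, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_LOGS, TRUSTED_SPENDERS):
        print(f"{f.owner} -> {f.spender}: {'; '.join(f.reasons)}")
```

Run against real `eth_getLogs` output filtered on the `Approval` topic for a protocol’s vault tokens, a check like this would surface a cluster of unlimited approvals to a single unfamiliar spender across many owners, which is the pattern Peckshield describes; the same decoding is what a wallet provider needs in order to warn a user before signing rather than after the fact.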
What’s more, the first red flag around the exploit was raised by a user on Discord 12 days before the transfers began, according to Rekt, who added that Badger failed to address or look into the report. The blog post also noted that experienced users might have easily spotted such activity.
For DeFi to be accepted in the mainstream, however, platforms will need to streamline their safety precautions. This exploit has been ranked the fourth largest ever to take place in the DeFi ecosystem by DeFiYield, right behind Cream Finance, which lost $130 million in a flash loan exploit, and the BXH protocol, whose compromised private keys resulted in a $140 million loss.
The list is topped by Poly Network, which suffered a $603 million loss in August after exploiters deployed malicious smart contracts on the network. While most of Poly Network’s funds were returned by the self-styled White Hat Attacker, not all networks have been as lucky.
Data from DeFiYield suggests that of the more than $2.33 billion lost overall in DeFi hacks, only $682 million has ever been returned.