DeFi – BadgerDAO’s vaults were emptied from dozens of wallets before the platform could be frozen.
DeFi – Someone siphoned assets from various bitcoin wallets linked to the decentralized finance platform BadgerDAO on Wednesday night. The tokens taken in the hack are worth around $120 million, according to PeckShield, a blockchain security and data analytics firm that is collaborating with Badger to investigate the crime.
While the investigation is still underway, Badger team members have told users that they suspect the problem was caused by someone injecting a malicious script into the website’s UI. For all users who interacted with the site while the script was running, it would intercept Web3 transactions and insert a request to transfer the victim’s tokens to an address chosen by the attacker.
Because the transactions are publicly visible, we can observe what happened when the attackers pounced. PeckShield pointed to one transfer that moved 896 Bitcoin, valued at more than $50 million, into the attacker’s hands. The malicious code first appeared on November 10th, according to the researchers, and the attackers ran it at seemingly random intervals to evade discovery.
Decentralized finance (or DeFi) systems use blockchain technology to let crypto owners carry out more traditional financial transactions, such as lending and earning interest. “Rest easy knowing you never have to give over the private keys for your crypto, you can withdraw whenever you want, and our strategists are working day and night to put your assets to work,” BadgerDAO tells users.
Its protocol enables Bitcoin owners to “bridge” their money to the Ethereum platform via its token, allowing them to take advantage of DeFi opportunities that they would otherwise be unable to access.
After becoming aware of the illicit transfers, Badger suspended all smart contracts, effectively freezing its platform, and advised users to decline all transactions to the attacker’s addresses.
“We’ve recruited data forensics experts Chainalysis to uncover the entire scope of the issue,” the business announced Thursday night. “Authorities in both the US and Canada have been informed, and Badger is working completely with external investigations as well as progressing with its own.”
Badger is looking into how the attacker allegedly gained access to Cloudflare using an API key that should have been secured by two-factor authentication. While the attack did not uncover any specific faults in blockchain technology, it did exploit the older “web 2.0” technology that most users must rely on in order to complete transactions.
Multi-factor authentication systems protect against many phishing tactics and mass credential-stuffing attacks. Despite this, experts have cautioned repeatedly about targeted phishing attacks that can circumvent it, and toolkits to automate the process have been available for years.
An FBI notice in 2019 called out criminals’ growing capabilities to bypass MFA and suggested changes or training that could make such attacks harder to pull off.
‘ONE OF THE MOST SECURITY MINDED TEAMS IN DEFI’
Even inside traditional banking apps, getting two-factor authentication right can be difficult – just ask PayPal. But incidents like this one, as well as Poly Network’s $600 million hijacking in August and the $53 million robbery that hit the first DAO ever in 2016, should be enough to raise security awareness beyond protocols and encryption.
“All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a shoddy team where a person passes a new permission to his contract in the site header – GG – we still have a long way to go,” one commentator on Badger’s Discord said. “I’m sure we’ll have some mitigating techniques recommended following this,” a team member remarked. It is still unclear how much money will be recovered and how people who have been harmed will be compensated.
However, everyone involved in the worlds of crypto, blockchain, and Web3 apps may find it necessary to understand how approvals, signatures, and transactions work, and to keep an eye on them in the future. Even when maintained by “one of the most security focused teams in DeFi,” as Badger describes itself, millions of dollars in assets can vanish in an instant.
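
As an added illustration of keeping an eye on approvals and transfers (not code from BadgerDAO or from the original article), the JavaScript below decodes the ERC-20 call inside a transaction request and checks the address it names against the contracts a site is expected to use. The article does not show the injected requests, so the standard ERC-20 `approve`/`transfer` encoding, the `increaseAllowance` extension, the allowlist policy and every sample address here are assumptions.

```javascript
// Added example: review an ERC-20 call before the wallet is asked to sign it.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "39509351": "increaseAllowance", // increaseAllowance(address,uint256)
  "a9059cbb": "transfer",          // transfer(address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Build calldata: 4-byte selector + two 32-byte ABI words (used for the samples).
function encodeCall(selector, address, amount) {
  const word = (hex) => hex.padStart(64, "0");
  return "0x" + selector + word(address.slice(2).toLowerCase()) + word(amount.toString(16));
}

// trustedAddresses: contracts this site is expected to name (assumed allowlist).
function inspectTxRequest(tx, trustedAddresses) {
  const data = String(tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS[data.slice(0, 8)];
  if (!kind) return { kind: "other", verdict: "unknown-call" };
  // Exactly two words must follow the selector, and an address word
  // carries 12 zero bytes of padding in front of its 20 bytes.
  if (!/^[0-9a-f]{136}$/.test(data) || !/^0{24}/.test(data.slice(8, 72))) {
    return { kind, verdict: "malformed" };
  }
  const counterparty = "0x" + data.slice(32, 72);
  const amount = BigInt("0x" + data.slice(72));
  const trusted = trustedAddresses.some((a) => a.toLowerCase() === counterparty);
  const unlimited = kind !== "transfer" && amount === MAX_UINT256;
  const verdict = !trusted ? "block" : unlimited ? "warn-unlimited" : "ok";
  return { kind, token: tx.to, counterparty, amount, unlimited, verdict };
}

// Constructed sample addresses, not taken from the incident.
const TOKEN = "0x" + "11".repeat(20);
const VAULT = "0x" + "22".repeat(20);
const UNKNOWN = "0x" + "99".repeat(20);
const samples = [
  { to: TOKEN, data: encodeCall("095ea7b3", VAULT, 1000n) },
  { to: TOKEN, data: encodeCall("39509351", UNKNOWN, MAX_UINT256) },
  { to: TOKEN, data: encodeCall("095ea7b3", VAULT, MAX_UINT256) },
];
for (const tx of samples) {
  const r = inspectTxRequest(tx, [VAULT]);
  console.log(r.kind, r.counterparty, r.verdict);
}
```

A request that grants an allowance to, or moves tokens to, an address outside the expected set is the case to stop on; an unlimited allowance to an expected contract is flagged separately so it can be reviewed rather than silently accepted.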