Badger DAO Protocol Suffers $120M Exploit

The hacker or hackers may have targeted the platform’s user interface.

Dec 2, 2021 at 4:51 a.m. UTC
Updated Dec 2, 2021 at 2:40 p.m. UTC

A decentralized finance (DeFi) mainstay is the latest to fall victim to a hack following the loss of $120 million in various cryptocurrencies.

On Wednesday night an attacker drained funds from the wallets of dozens of users of the Badger DAO yield vault protocol using malicious contract permissions. Blockchain data and security analytics company PeckShield has concluded that the total loss amounted to about 2,100 BTC and 151 ETH.

Users first reported possible problems in the protocol’s channel on the Discord messaging app at 9 p.m. ET Wednesday. Speculation in online channels is that the hack is the result of an exploit in the Badger.com user interface, and not in the core protocol contracts. Many affected users report that while claiming yield farming rewards and interacting with Badger vaults, they noticed their wallet providers prompting spurious requests for additional permissions.

“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” Badger core contributor Tritium wrote on Discord.

“Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,” he added.

Badger’s official social media channel confirmed the hack on Twitter.

A Badger representative didn’t respond to a request for comment by the time of publication.

While the bulk of the funds were drained Wednesday night, the malicious permission requests may have been made weeks prior to the attack. Though the protocol contracts are paused, community members are advising that depositors use tools like Debank and Unrekt to revoke permissions for the malicious contract.
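The revocation advice above depends on knowing which approvals are still open. The following is an added example, not code from the article or from Badger: it replays approval logs and lists the owners who still have a non-zero approval to a flagged spender. It assumes the permissions are standard ERC-20 `Approval` events (the article does not specify) delivered in the JSON shape returned by `eth_getLogs`; every address and log entry is constructed.

```python
"""Added example: find approvals still open to a flagged spender (constructed data)."""
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, flagged_spender):
    """Return {(token, owner): (allowance, block)} for approvals not yet revoked."""
    flagged = flagged_spender.lower()
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares the signature but has 4 topics; skip it
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != flagged:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = (int(log["data"], 16), int(log["blockNumber"], 16))
    # A later Approval of 0 is a revocation; confirm live values with allowance()
    return {k: v for k, v in latest.items() if v[0] > 0}

def _log(token, owner, spender, amount, block, index):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

# Constructed placeholder addresses, not real incident indicators
TOKEN = "0x" + "aa" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20
FLAGGED, BENIGN = "0x" + "ee" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    _log(TOKEN, ALICE, FLAGGED, UNLIMITED, 100, 0),  # still open
    _log(TOKEN, BOB, FLAGGED, UNLIMITED, 101, 3),
    _log(TOKEN, BOB, FLAGGED, 0, 250, 1),            # Bob revoked later
    _log(TOKEN, ALICE, BENIGN, 5000, 120, 2),        # other spender, ignored
]

if __name__ == "__main__":
    for (token, owner), (amount, block) in outstanding_approvals(SAMPLE_LOGS, FLAGGED).items():
        kind = "UNLIMITED" if amount == UNLIMITED else amount
        print(f"revoke: owner={owner} token={token} allowance={kind} set_at_block={block}")
```

The last logged value can overstate what remains, because spending an allowance does not always emit a new `Approval` event; the token's `allowance(owner, spender)` view gives the live figure.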

At the time of writing BadgerDAO’s BADGER token was down 21% to $21.64 over the past 24 hours.

UPDATE (Dec. 2, 11:10 UTC): Updates estimate of amount stolen, token price.

Andrew Thurman is a tech reporter at CoinDesk with a focus on DeFi.