Hacker exploits flaw in BadgerDAO protocol and steals $120m from users

by Patricia

The Bitcoin (BTC)-based decentralised finance protocol BadgerDAO has just suffered a large-scale attack. According to crypto-security firm PeckShield, the protocol’s losses amount to nearly $120 million.

BadgerDAO has $120 million stolen

A hacker has managed to exploit a flaw in the BadgerDAO protocol, which offers decentralised finance (DeFi) products to bitcoin (BTC) holders.

Initial reports indicated that the amount of funds siphoned from the protocol was $10 million, but data collected by the company PeckShield shows that the losses are significantly higher.

In fact, at the time of the incident, the hacker’s haul was the equivalent of $120.3 million, as he stole 2,109 BTC and 151 ETH.

One user had his entire wallet, worth approximately 906.5 bitcoins ($51.2 million), siphoned off in a single transaction.

BadgerDAO quickly confirmed the attack, saying on Twitter:

“Badger has received reports of unauthorized withdrawals of user funds. While Badger engineers are investigating this matter, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release more information as soon as possible.”

What really happened? On this point, PeckShield says the flaw that was exploited lay in BadgerDAO’s user interface, not in the protocol’s smart contracts.

Users affected by this attack explain that when they wanted to retrieve their yield farming rewards, their wallets asked them for additional permissions.

“It appears that a number of users had set permissions for the hacker’s address to interact with their wallet funds and this was exploited,” said Tritium, a Badger contributor.

In terms of stolen value, this is the 4th largest hack in the history of decentralised finance. As Rekt’s leaderboard shows, the podium is currently made up of Poly Network ($610m), Compound ($147m) and Cream Finance ($130m).

Shortly after the first rumours about the hack, the price of the BADGER token started to fall. The eponymous protocol token lost nearly 19% over a 10-hour period, which is relatively mild for such a protocol-compromising attack.

BADGER token price trend (Source: TradingView)

What to do if you have already used BadgerDAO

In order to protect yourself from any potential loss, there are a few steps you should take to secure your funds.

Go to this page of Etherscan, which allows you to revoke your approvals from any decentralized application.

Click on the “Connect to Web3” button to connect your wallet. Next, enter the hacker’s address, “0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107”, in the search field.

If your search yields a result, simply revoke the approval with the “Revoke” button.
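The approval prompts described above are ERC-20 approve() transactions, and “revoking” on Etherscan simply submits approve(spender, 0) for the same spender. The following is an added example, not code from the article or from BadgerDAO: it decodes the calldata behind an approval prompt so the spender and amount can be inspected before signing, flags the address named in the article and unlimited allowances, and builds the matching revoke calldata. It relies only on the standard ERC-20 function selectors (hard-coded so it runs offline without a keccak library); the “trusted” address used in the demonstration is constructed.

```javascript
// Added example (not from the article): inspect an ERC-20 approve() request
// and build the calldata that revokes it (approve(spender, 0)).
// Function selectors are the first 4 bytes of keccak256(signature); the two
// below are the standard ERC-20 selectors, hard-coded so no keccak library is needed.
const SELECTORS = {
  approve: "095ea7b3",   // approve(address,uint256)
  allowance: "dd62ed3e", // allowance(address,address)
};

const UINT256_MAX = (1n << 256n) - 1n;

// Address quoted in the article as the hacker's, i.e. the spender to revoke.
const FLAGGED_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107";

// ABI encoding: every static argument is left-padded to a 32-byte word.
function pad32(hex) { return hex.padStart(64, "0"); }

function encodeAddress(addr) {
  const h = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(h)) throw new Error("bad address: " + addr);
  return pad32(h);
}

function encodeUint256(value) {
  const v = BigInt(value);
  if (v < 0n || v > UINT256_MAX) throw new Error("uint256 out of range");
  return pad32(v.toString(16));
}

// Calldata for approve(spender, amount).
function encodeApprove(spender, amount) {
  return "0x" + SELECTORS.approve + encodeAddress(spender) + encodeUint256(amount);
}

// Revoking an allowance is just approving zero for that spender.
function encodeRevoke(spender) { return encodeApprove(spender, 0n); }

// Calldata for the read-only allowance(owner, spender) call used to check exposure.
function encodeAllowanceQuery(owner, spender) {
  return "0x" + SELECTORS.allowance + encodeAddress(owner) + encodeAddress(spender);
}

// Decode the calldata a wallet is asking the user to sign.
function decodeApprove(calldata) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  if (data.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (data.slice(0, 8) !== SELECTORS.approve) return { isApprove: false };
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // last 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(72, 136)); // word 2
  return { isApprove: true, spender, amount, unlimited: amount === UINT256_MAX };
}

// Triage an approval prompt: who gets the allowance, how much, and is it expected?
function assessApproval(calldata, trustedSpenders = []) {
  const d = decodeApprove(calldata);
  if (!d.isApprove) return { risk: "not-an-approval", reasons: [] };
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const reasons = [];
  if (d.spender === FLAGGED_SPENDER) reasons.push("spender is the address named in the incident");
  else if (!trusted.has(d.spender)) reasons.push("spender is not a known protocol contract");
  if (d.unlimited) reasons.push("unlimited allowance requested");
  const risk = reasons.length === 0 ? "low"
    : reasons.some((r) => r.includes("incident")) ? "critical" : "high";
  return { risk, spender: d.spender, amount: d.amount, reasons, revokeCalldata: encodeRevoke(d.spender) };
}

// Demonstration with a constructed "trusted" protocol address.
const TRUSTED_VAULT = "0x" + "11".repeat(20); // constructed placeholder
const maliciousPrompt = encodeApprove(FLAGGED_SPENDER, UINT256_MAX);
console.log(assessApproval(maliciousPrompt, [TRUSTED_VAULT]));
console.log(assessApproval(encodeApprove(TRUSTED_VAULT, 1000n), [TRUSTED_VAULT]));
```

The decoder only needs the raw transaction data, which most wallets show under an advanced or “hex” view; the same decoding is what a front-end allowance checker performs before it offers a “Revoke” button.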

At the time of writing, BadgerDAO is probably working on a patch, but please take a few minutes to check that you are not affected by the hack.