Key Takeaways

  • BadgerDAO has suffered a major frontend attack.
  • The hacker reportedly compromised Badger’s user interface by inserting a malicious script that prompted users to give the hacker permission to spend their funds.
  • Smart contract auditing firm Peckshield has estimated the value of the stolen funds at around $120 million.


BadgerDAO, a DeFi protocol for earning yield with tokenized Bitcoin on Ethereum, has fallen victim to an attack. The hacker reportedly added a malicious script to the protocol’s frontend website, prompting users to approve a smart contract transaction giving the script unlimited permission to drain funds from their wallets.

BadgerDAO Suffers Frontend Attack

BadgerDAO, a DeFi protocol with over 30,000 active users and $1.2 billion in total value locked, has been exploited.

The attack occurred early Wednesday. Soon after, many affected users reported suspicious outgoing transactions from their wallets.

It’s suspected that the attacker exploited the protocol’s frontend website rather than its smart contracts. The hacker allegedly inserted a malicious script on Badger’s website that presented users with a transaction to “increase allowance,” which, if approved, gave the attacker unlimited permission to drain the funds users had deposited in the vaults.
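A defender-side check for this kind of approval abuse, added here as an example and not code from BadgerDAO or the article: it scans raw ERC-20 Approval event logs for one wallet and flags any non-zero allowance granted to a spender outside a list of known contracts, marking unlimited allowances (2^256 - 1) separately. The Approval topic hash is the standard one; the addresses and log records are constructed placeholders.

```python
from typing import Dict, Iterable, List

# keccak256("Approval(address,address,uint256)"): the real ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # max uint256, the value an "unlimited" approval sets


def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: Dict) -> Dict:
    """Decode one raw Approval log into token, owner, spender and value."""
    topics = log["topics"]
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "spender": topic_to_address(topics[2]),
        "value": int(log["data"], 16),
    }


def find_risky_approvals(logs: Iterable[Dict], wallet: str,
                         trusted_spenders: Iterable[str]) -> List[Dict]:
    """Return approvals by `wallet` to spenders not in the trusted list."""
    wallet = wallet.lower()
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for log in logs:
        if not log["topics"] or log["topics"][0].lower() != APPROVAL_TOPIC:
            continue  # some other event (e.g. Transfer); ignore
        ev = decode_approval(log)
        if ev["owner"] != wallet or ev["value"] == 0 or ev["spender"] in trusted:
            continue  # another owner, a revocation, or a known contract
        ev["severity"] = "unlimited" if ev["value"] == UNLIMITED else "limited"
        findings.append(ev)
    return findings


# Constructed placeholders (not real addresses) and constructed sample logs.
WALLET, VAULT, UNKNOWN, TOKEN = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
pad = lambda addr: "0x" + addr[2:].rjust(64, "0")   # 32-byte topic encoding
word = lambda n: "0x" + f"{n:064x}"                  # 32-byte data word
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(VAULT)], "data": word(UNLIMITED)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(UNKNOWN)], "data": word(UNLIMITED)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(UNKNOWN)], "data": word(0)},
    {"address": TOKEN, "topics": ["0x" + "ab" * 32, pad(WALLET), pad(UNKNOWN)], "data": word(5)},
]

if __name__ == "__main__":
    for f in find_risky_approvals(SAMPLE_LOGS, WALLET, [VAULT]):
        print(f"{f['severity']:9} allowance on {f['token']} to {f['spender']}")
```

Only the unlimited approval to the unrecognised spender is reported; the approval to the known vault, the zero-value revocation and the non-Approval event are skipped.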

BadgerDAO acknowledged the exploit earlier this morning. In a Twitter statement, the team confirmed that it had “received reports of unauthorized withdrawals of user funds.” The team has paused the project’s smart contracts and is currently investigating the issue. 

According to on-chain data, the exploiter contract was created on Nov. 20. It appears that the attacker waited until multiple users had approved the contract before beginning to drain the funds all at once this morning. 

Commenting on the exploit on the project’s Discord server, Badger core contributor Tritium wrote:

“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited.”

Smart contract auditing firm Peckshield has estimated the total losses come to around $120 million. One user reportedly lost nearly 900 Bitcoin, currently worth around $50.7 million, in a single transaction. 

Some users reportedly became aware of the exploit as far back as five days ago and escalated the issue to BadgerDAO developers. The team, however, seems to have largely ignored the issue. A screenshot posted by the Twitter user DeFi Ahab shows that a Discord member going by the name fewture alerted the team to the “increase allowance” prompt, before Badger team member blackbear dismissed their concerns by saying it was most likely because “the UI got a bit bugged.”

Affected users have already created a Discord channel dedicated to tracking the hacker. The information posted suggests that the attacker made several transactions connected to the exploit that could be traced back to centralized exchanges with Know Your Customer (KYC) requirements. This would theoretically make the hacker easier to trace. 

Judging by recent comments in the Discord channel, community members and Badger core contributors are confident that they’ve already identified the attacker. Peckshield also appears to support this theory, tweeting that “progress has been made,” around the same time information linked to the alleged hacker started appearing in the channel.

DeFi has been hit by other similar attacks in recent months, but this specific type of exploit, where the attacker compromises a project’s user interface rather than its smart contracts, has rarely been seen at this magnitude. At $120 million lost, it’s one of the biggest DeFi hacks to date.

The project’s native token, BADGER, has been hit hard by the incident. It’s down 17.5% today, trading at $22.05 at press time.
