$120 million got drained from BadgerDAO
BadgerDAO is yet another DeFi protocol that has fallen victim to a massive attack, only this time the hack was more old-fashioned.
Like any new technology, blockchain has its own vulnerabilities, and the string of hacks against DeFi protocols makes this more evident every month. The latest to fall is BadgerDAO & with its breach several issues around DeFi have come to light.
Let's take a look.
What is BadgerDAO?
A relatively new project, BadgerDAO is a DeFi protocol focused on providing yield for Bitcoin. Simply put, users can use BTC to secure loans. It is built on the Ethereum platform & provides vaults where users can store their BTC which can then be used within DeFi applications.
Security researchers at PeckShield were the first to unearth the hack, worth $120.3M in crypto. The affected wallets were those that had granted the app “infinite approval”. While protocols like BadgerDAO are decentralized & can be interacted with directly, doing so carries an element of risk.
What is Unlimited Approval?
Many dApps request an unlimited token allowance from users instead of an allowance for exactly the amount being deposited. The aim is to spare the user a second approval transaction each time they return to use the dApp.
The problem, however, is that an unlimited allowance can be very dangerous. Bugs can exist and exploits can happen even in established projects, and an unlimited allowance exposes your deposited funds and approved tokens to those risks.
How did the exploit happen in Badger?
An unknown party inserted additional approval requests that allowed users' tokens to be sent to the attacker's own address. The attacker then used this stolen trust to drain those tokens into their own wallet. Once this became noticeable, the BadgerDAO team froze all the vaults so nothing else could move.
The hack did not involve a smart contract exploit. Instead, it was a front-end attack on BadgerDAO's web infrastructure. The malicious approval requests appeared when users attempted to make legitimate deposits, building up a base of unlimited wallet approvals that was later misused.
A user even flagged the suspicious increase-allowance approval in Discord, but the report was not given much heed and was set aside on the assumption that the UI might be bugged.
Nexus Mutual will not pay out cover
Nexus Mutual, which offers insurance on BadgerDAO, issued a statement saying they will not cover this event if it was a frontend attack. A frontend attack is carried out at the user interface level rather than at the level of a project’s smart contracts.
How to stay safe
Anyone in the world of crypto, DeFi & Web3 is ultimately responsible for learning how approvals & transactions really work. One way to reduce exposure is to regularly inspect & revoke the permissions granted to different smart contracts; revoke.cash is a tool built for this purpose.
Contracts can also be looked up on Etherscan, a blockchain explorer for the Ethereum network. Any contract can be checked by copying & pasting its address into Etherscan before signing the transaction.
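As an added example (not BadgerDAO's or revoke.cash's code), the following JavaScript shows the check a wallet or a careful user could run on an approval transaction before signing it: it decodes approve/increaseAllowance calldata and flags the two warning signs from the incident above, an unlimited amount and a spender other than the vault being deposited into. The vault and attacker addresses are constructed placeholders.

```javascript
// Added example, not BadgerDAO's code: inspect an ERC-20 approval transaction
// before signing it. Flags unlimited allowances and spenders that differ from
// the vault the user is actually depositing into. Pure calldata parsing; no RPC.

// 4-byte function selectors of the two ERC-20 approval methods.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256)
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;  // the "infinite approval" amount

// Decode the (address,uint256) arguments of an approve/increaseAllowance call.
// Returns null when the calldata is not one of these two methods.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method || hex.length < 8 + 64 * 2) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);         // last 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(8 + 64, 8 + 128)); // word 2
  return { method, spender, amount };
}

// Review an approval against what the user intends: a known spender and a
// concrete deposit amount. Any mismatch is a reason not to sign.
function reviewApproval(calldata, { expectedSpender, depositAmount }) {
  const call = decodeApproval(calldata);
  if (!call) return { ok: true, method: null, reasons: [] }; // not an approval
  const reasons = [];
  if (call.spender !== expectedSpender.toLowerCase())
    reasons.push("spender is not the vault you are depositing into");
  if (call.amount === MAX_UINT256)
    reasons.push("unlimited allowance requested");
  else if (call.amount > depositAmount)
    reasons.push("allowance exceeds the deposit amount");
  return { ok: reasons.length === 0, ...call, reasons };
}

// Helper to build calldata for the constructed sample transactions below.
function encodeApproval(method, spender, amount) {
  const selector = Object.keys(SELECTORS).find((k) => SELECTORS[k] === method);
  const word1 = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const word2 = amount.toString(16).padStart(64, "0");
  return "0x" + selector + word1 + word2;
}

// Constructed sample: a legitimate deposit approval versus the kind of request
// the malicious frontend injected (unlimited amount, foreign spender address).
const VAULT = "0x" + "11".repeat(20);     // placeholder vault address
const ATTACKER = "0x" + "22".repeat(20);  // placeholder attacker address
const intent = { expectedSpender: VAULT, depositAmount: 1000n };
const legit = reviewApproval(encodeApproval("approve", VAULT, 1000n), intent);
const injected = reviewApproval(encodeApproval("increaseAllowance", ATTACKER, MAX_UINT256), intent);
console.log(legit.ok, injected.ok, injected.reasons); // true false [ ...two reasons ]
```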
Conclusion
DeFi is a fast-moving industry. The amount of funds flowing through it makes it a honeypot for attackers & billions of dollars are lost to these scams. But this latest event might shape the growth of DeFi insurance & expand security awareness beyond protocols and encryption.