BadgerDAO details fourth-biggest DeFi exploit after hack

The BadgerDAO protocol's multimillion-dollar hack ranks as the fourth-largest decentralized finance (DeFi) attack ever.

The Bitcoin DeFi protocol BadgerDAO was hit by a massive hack on December 2 that resulted in a $120 million loss. 

The Rekt blog dug into the specifics and conducted a post-mortem on the “roadkill,” as it’s been dubbed.

According to Rekt, the hacker exploited the dApp's front end to insert additional approvals that allowed user tokens to be transferred to the hacker's own address. The funds were then stolen by abusing this misplaced trust.

Wallets drained

DeFiYield, which has BadgerDAO ranked fourth on its list of exploits, explains:

“Many of the affected users claimed that while they were collecting yield farming payments and using Badger vaults, their wallet providers pushed them with bogus requests for further permissions.”

BadgerDAO suspended the system when it noticed that wallets were being drained, but by then two hours and 20 minutes had passed since the attack began.

 

https://www.youtube.com/watch?v=sOFVLvGaEAM

The majority of stolen assets were vault deposit tokens that were redeemed for BTC.

BadgerDAO provided a number of vaults with wrapped Bitcoin yields. The Sett vault was the company’s flagship offering, where users could deposit tokenized BTC to earn an automated dividend.

Bogus approval

The approvals occurred when users attempted to make genuine deposits and reward claim transactions, according to Rekt.

This led to the hacker “creating a basis of infinite wallet approvals that allowed him to transfer BTC-related tokens directly from the user’s address,” per the report.

It went on to say that a user had flagged the phony approval on Discord before the attack, but Badger did not look into it.
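
A wallet-side check for the kind of request described above: it decodes the calldata a front end asks the user to sign and flags unlimited ERC-20 approvals to spenders outside an allowlist. This is an added example, not code from Rekt, DeFiYield or BadgerDAO; the addresses, the allowlist and the 2^255 "unlimited" threshold are constructed assumptions, and it also covers `increaseAllowance`, a common token extension the article does not mention.

```javascript
// Selectors of the two ERC-20 calls that grant a spender an allowance.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "39509351": "increaseAllowance", // increaseAllowance(address,uint256), common extension
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Heuristic (assumption): amounts at or above 2^255 are treated as "infinite".
const UNLIMITED_THRESHOLD = 1n << 255n;

// Decode selector + two 32-byte ABI words; return null if this is not an approval.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 136) return null; // 4 + 32 + 32 bytes
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return null;
  const spenderWord = hex.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) return null; // address must be left-padded with zeros
  return {
    fn,
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Verdict for one signing request, given the spenders the user expects (e.g. the vault).
function reviewRequest(calldata, trustedSpenders) {
  const call = decodeApproval(calldata);
  if (!call) return { verdict: "not-an-approval" };
  const trusted = trustedSpenders.map((a) => a.toLowerCase()).includes(call.spender);
  const unlimited = call.amount >= UNLIMITED_THRESHOLD;
  let verdict = "ok";
  if (!trusted && unlimited) verdict = "block";     // the pattern in the report
  else if (!trusted || unlimited) verdict = "warn"; // unknown spender or infinite amount
  return { verdict, ...call, unlimited };
}

// Constructed sample data: neither address is taken from the incident.
const VAULT = "0x" + "11".repeat(20);
const UNKNOWN = "0x" + "22".repeat(20);
const word = (v) => v.toString(16).padStart(64, "0");
const buildCall = (selector, spender, amount) =>
  "0x" + selector + word(BigInt(spender)) + word(amount);

console.log(reviewRequest(buildCall("095ea7b3", UNKNOWN, MAX_UINT256), [VAULT]));
console.log(reviewRequest(buildCall("095ea7b3", VAULT, 1000n), [VAULT]));
```
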

The ill-fated DeFi protocol now trails only Cream Finance, which lost $130 million in a flash loan scam; BXH protocol, which had its private keys stolen, resulting in a $140 million loss; and the granddaddy of them all, Poly Network.

 

Image courtesy of Cointelegraph News/YouTube
