Threat actors stole $120 M in crypto from BadgerDAO DeFi platform

Threat actors stole $120 million in cryptocurrencies from multiple wallets connected to the decentralized finance platform BadgerDAO.

Threat actors this week have hacked the decentralized finance platform BadgerDAO and have stolen $120.3 million in crypto funds, blockchain security firm PeckShield reported. Most of the stolen funds, over $117 million, were Bitcoin, while the rest of the stolen assets were stored in the form of interest-bearing Bitcoin, a form of tokenised Bitcoin, and Ether.

BadgerDAO is a decentralised autonomous organisation (DAO) that allows customers to bridge user’s Bitcoin into other blockchains.

The attackers were able to inject a malicious script into the UI of BadgerDAO website that allowed them to intercept and hijack Web3 transactions. The funds were hijacked to the wallet under the control of the attackers.

Peckshield was able to track the stolen funds:

The malicious script was injected as early as November 10th, but the threat actors ran it at random intervals to avoid detection. BadgeDAO notified US and Canadian authorities and is investigating the security breach with the help of forensics firm Chainalysis.

Once Badger discovered the unauthorized transfers, it paused all smart contracts, it also advised users to decline all transactions to addresses that are under the control of the attackers.

According to The Verge website, Badger is investigating is how threat actors had access to Cloudflare via an API key that should’ve been protected by two-factor authentication.

“While the attack didn’t reveal specific flaws within Blockchain tech itself, it managed to exploit the older “web 2.0” technology that most users need to use to perform transactions. Multi-factor authentication systems protect our accounts against many phishing schemes or bulk credential stuffing attacks. Still, experts have repeatedly warned about targeted phishing attacks that can bypass it, while toolkits to automate the process have been available for years.” reported The Verge.

“All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go.” A member of the team said, “I’m sure we will have some mitigation procedures proposed after this.” reads the comment of a user within Badger’s Discord.

DeFi platforms are under attack, according to a report published by AtlasVPN in august, the DeFi hacks accounted for 76% of all hacks between January and July 2021. The report states that over $129 million were stolen in DeFi attacks in 2020.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BadgerDAO)

[adrotate banner=”5″]

[adrotate banner=”13″]