Pierluigi Paganini
December 03, 2021
Threat actors this week have hacked the decentralized finance platform BadgerDAO and have stolen $120.3 million in crypto funds, blockchain security firm PeckShield reported. Most of the stolen funds, over $117 million, were Bitcoin, while the rest of the stolen assets were stored in the form of interest-bearing Bitcoin, a form of tokenised Bitcoin, and Ether.
BadgerDAO is a decentralised autonomous organisation (DAO) that allows customers to bridge user’s Bitcoin into other blockchains.
Here is the current whereabouts as well as the total loss: $120.3M (with ~2.1k BTC + 151 ETH) @BadgerDAO pic.twitter.com/fJ4hJcMWTq
— PeckShield Inc. (@peckshield) December 2, 2021
The attackers were able to inject a malicious script into the UI of BadgerDAO website that allowed them to intercept and hijack Web3 transactions. The funds were hijacked to the wallet under the control of the attackers.
Peckshield was able to track the stolen funds:
Here is the list of funds that were so far transferred out from victims @BadgerDAO pic.twitter.com/P5pOj1YQ2l
— PeckShield Inc. (@peckshield) December 2, 2021
The malicious script was injected as early as November 10th, but the threat actors ran it at random intervals to avoid detection. BadgeDAO notified US and Canadian authorities and is investigating the security breach with the help of forensics firm Chainalysis.
Badger has received reports of unauthorized withdrawals of user funds.
— ₿adger 🦡 (@BadgerDAO) December 2, 2021
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
The investigation continues.
— ₿adger 🦡 (@BadgerDAO) December 2, 2021
Badger has retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own.
Once Badger discovered the unauthorized transfers, it paused all smart contracts, it also advised users to decline all transactions to addresses that are under the control of the attackers.
According to The Verge website, Badger is investigating is how threat actors had access to Cloudflare via an API key that should’ve been protected by two-factor authentication.
“While the attack didn’t reveal specific flaws within Blockchain tech itself, it managed to exploit the older “web 2.0” technology that most users need to use to perform transactions. Multi-factor authentication systems protect our accounts against many phishing schemes or bulk credential stuffing attacks. Still, experts have repeatedly warned about targeted phishing attacks that can bypass it, while toolkits to automate the process have been available for years.” reported The Verge.
“All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go.” A member of the team said, “I’m sure we will have some mitigation procedures proposed after this.” reads the comment of a user within Badger’s Discord.
DeFi platforms are under attack, according to a report published by AtlasVPN in august, the DeFi hacks accounted for 76% of all hacks between January and July 2021. The report states that over $129 million were stolen in DeFi attacks in 2020.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, BadgerDAO)
[adrotate banner=”5″]
[adrotate banner=”13″]
