- Oops!Something went wrong.Please try again later.
A decentralized finance (DeFi) mainstay is the latest to fall victim to a hack following the loss of $120 million in various cryptocurrencies.
On Wednesday night an attacker drained funds from the wallets of dozens of users of the Badger DAO yield vault protocol using malicious contract permissions. Blockchain data and security analytics company PeckShield has concluded that the total loss amounted to about 2,100 BTC and 151 ETH.
Users first reported possible problems in the protocol’s channel on the Discord messaging app at 9 p.m. ET Wednesday. Speculation in online channels is that the hack is the result of an exploit in the Badger.com user interface, and not in the core protocol contracts. Many affected users report that while claiming yield farming rewards and interacting with Badger vaults, they noticed their wallet providers prompting spurious requests for additional permissions.
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” Badger core contributor Tritium wrote on Discord.
“Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,” he added.
Badger’s official social media channel confirmed the hack on Twitter:
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
A Badger representative didn’t respond to a request for comment by the time of publication.
While the bulk of the funds were drained Wednesday night, the malicious permission requests may have been made weeks prior to the attack. Though the protocol contracts are paused, community members are advising that depositors use tools like Debank and Unrekt to revoke permissions for the malicious contract.
At the time of writing BadgerDAO’s BADGER token was down 21% to $21.64 over the past 24 hours.
UPDATE (Dec. 2, 11:10 UTC): Updates estimate of amount stolen, token price.