On Wednesday night, someone emptied funds from various cryptocurrency wallets connected to the decentralized finance platform BadgerDAO. According to blockchain security and data analysis firm PeckShield, which is working with Badger to investigate the theft, the tokens stolen in the attack are worth around $120 million.
While the investigation is ongoing, members of the Badger team have told users that they believe the problem was caused by someone who inserted a malicious script into the website’s user interface. The injected script would intercept Web3 transactions and insert a request to transfer the victim’s tokens to an address chosen by the attacker.
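The mechanism described above, a front-end script that slips an extra approval request into the wallet flow, is exactly what a wallet-side check can catch before the user signs. The following is an added example written for this article, not code from BadgerDAO or from the page: it decodes the calldata of a pending `eth_sendTransaction`, recognises ERC-20 `approve` and `increaseAllowance` calls by their standard four-byte selectors, blocks approvals to spenders outside an allowlist, and warns on unlimited amounts even for trusted spenders. The allowlist, the addresses and the sample transaction are constructed for the demo; `guardProvider` assumes an EIP-1193 style provider object exposing a `request` method.

```javascript
// Added example (not from the article or BadgerDAO): a wallet-side guard that
// inspects outgoing eth_sendTransaction requests and flags ERC-20 approvals that
// a compromised front end could have inserted. Selectors are the first 4 bytes
// of keccak256 of the function signature; the values below are the standard ones.
const SELECTORS = {
  '0x095ea7b3': 'approve',           // approve(address spender, uint256 amount)
  '0x39509351': 'increaseAllowance', // increaseAllowance(address spender, uint256 addedValue)
};
const UINT256_MAX = (1n << 256n) - 1n;

// Decode spender and amount from the calldata of the two approval functions.
// Returns null for anything that is not a well-formed approval call.
function decodeApproval(data) {
  const hex = String(data).toLowerCase();
  const fn = SELECTORS[hex.slice(0, 10)];
  if (!fn || hex.length !== 10 + 64 * 2) return null;
  const spender = '0x' + hex.slice(10 + 24, 10 + 64); // last 20 bytes of word 1
  const amount = BigInt('0x' + hex.slice(10 + 64, 10 + 128)); // word 2
  return { fn, spender, amount };
}

// Decide whether a pending transaction should be signed. `trustedSpenders` is a
// Set of lower-case contract addresses the user expects to approve (assumed to
// come from the wallet's own allowlist).
function assessTransaction(tx, trustedSpenders) {
  const approval = tx.data ? decodeApproval(tx.data) : null;
  if (!approval) return { verdict: 'allow', reason: 'not an approval call' };
  const { fn, spender, amount } = approval;
  if (!trustedSpenders.has(spender)) {
    return { verdict: 'block', reason: `${fn} to unknown spender ${spender}` };
  }
  if (amount === UINT256_MAX) {
    return { verdict: 'warn', reason: `unlimited ${fn} to ${spender}` };
  }
  return { verdict: 'allow', reason: `${fn} to trusted spender ${spender}` };
}

// Wrap a provider so every eth_sendTransaction passes the check before it
// reaches the signer; blocked requests never get signed.
function guardProvider(provider, trustedSpenders, onBlock) {
  return {
    ...provider,
    async request(args) {
      if (args.method === 'eth_sendTransaction') {
        for (const tx of args.params || []) {
          const result = assessTransaction(tx, trustedSpenders);
          if (result.verdict === 'block') {
            onBlock(result);
            throw new Error('blocked: ' + result.reason);
          }
        }
      }
      return provider.request(args);
    },
  };
}

// Build approve(spender, amount) calldata: selector + two 32-byte ABI words.
function buildApproveCalldata(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  const amt = amount.toString(16).padStart(64, '0');
  return '0x095ea7b3' + addr + amt;
}

// Constructed sample: an approve() for the full uint256 range to a spender that
// is not in the allowlist, i.e. what an injected script would ask the wallet to sign.
const TRUSTED = new Set(['0x1111111111111111111111111111111111111111']); // constructed
const UNKNOWN_SPENDER = '0x2222222222222222222222222222222222222222';     // constructed
const SAMPLE_TX = {
  to: '0x3333333333333333333333333333333333333333', // constructed token address
  data: buildApproveCalldata(UNKNOWN_SPENDER, UINT256_MAX),
};

// Demo with a fake provider that would otherwise "sign" anything it is given.
const fakeProvider = { request: async () => 'signed' };
const guarded = guardProvider(fakeProvider, TRUSTED, (r) => console.log('blocked:', r.reason));
guarded
  .request({ method: 'eth_sendTransaction', params: [SAMPLE_TX] })
  .catch((err) => console.log(err.message));
```

The guard only looks at the two approval selectors, which is the narrow case the article describes; a production wallet would also decode `permit` signatures and `setApprovalForAll`, and would resolve the token's `to` address to a human-readable name so the user can see which asset is being exposed.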
Because the transactions are public, we can see what happened after the attack. PeckShield points to one transaction in which 896 Bitcoin, worth more than $50 million, were moved into the attacker’s coffers. According to the team, the malicious code had appeared as early as November 10th, with the attackers running it at seemingly random intervals so as not to be detected.
Decentralized finance (DeFi) platforms rely on blockchain technology to let cryptocurrency owners perform more typical financial transactions, such as earning interest by lending. BadgerDAO promises users they can “rest easy knowing you never have to give up the private keys for your crypto, withdraw when you want and our strategists are working day and night to put your resources to good use.” Its protocol allows people who hold Bitcoin to “link” their cryptocurrency to the Ethereum platform via its token and take advantage of DeFi opportunities they would otherwise not have access to.
When Badger learned of the unauthorized transfers, it paused all smart contracts, essentially freezing its platform, and advised users to reject all transactions to the attacker’s addresses.
On Thursday evening, the company announced that it has “hired data forensics expert Chainalysis to investigate the full extent of the incident and that it has been reported to both US authorities”.
Badger is investigating, among other things, how the attacker apparently gained access to Cloudflare via an API key that should have been protected by two-factor authentication. While the attack did not reveal any flaw in the blockchain technology itself, it exploited the older “Web 2.0” layer that most users rely on to conduct transactions. Multi-factor authentication protects accounts against many phishing schemes and large-scale credential stuffing attacks, but experts have repeatedly warned of targeted phishing attacks that can bypass it, with toolkits used to automate the process. A 2019 FBI advisory (pdf) noted criminals’ growing ability to circumvent MFA and suggested changes that are difficult to carry out.
‘One of the most security-conscious teams in DeFi’
Getting two-factor authentication right can be difficult even for typical finance apps; just ask PayPal. The $53 million heist that hit the first DAO in 2016 is hopefully enough to extend security awareness beyond protocols and encryption.
A commenter on Badger’s Discord summed up the situation: “All [the] blockchain / smart contract audits in the world and people are losing 120 million to a Cloudflare API leak from a careless team where one guy starts a new one. We still have a long way to go to approve his contract in the header of the GG site.” One team member said, “I’m sure that some mitigation procedures will be suggested after that.”
Which funds can be recovered, and how those affected will be made whole, is still unknown. But for anyone who lives in the world of crypto, blockchain and Web3 applications, it may ultimately be up to them to learn how permissions, signatures and transactions actually work and to keep an eye on them, especially when millions of dollars in holdings can disappear in an instant, even when managed by one of the most security-conscious teams in DeFi, as Badger itself says.