The incident was first reported by blockchain audit and security firm PeckShield on December 2 where it was estimated that the hackers ran away with close to 2,100 Bitcoin (BTC) and 151 ether (ETH) via a front-end attack on BadgerDAO.
While there’s no arguing that the attack was unfortunate for users who had deposited their valuable digital assets at Badger for passive yields, it does, however, indicate a very positive signal in terms of the maturity of the DeFi space.
In this article, we will dig deep into the attack on BadgerDAO.
We will analyze how the hackers were able to successfully scam the protocol users into unknowingly draining their wallets off of their holdings. Finally, we will discuss how, despite the immediate implications of the attack, BadgerDAO’s hack could be a net positive development for crypto, and in particular, the DeFi space at large.
How was BadgerDAO Attacked?
Another month, another DeFi exploit. This time, the misfortune was BadgerDAO’s – a DeFi protocol that is widely considered to be the leading Bitcoin-focused platform in the Ethereum DeFi ecosystem.
For the uninitiated, BadgerDAO is a DeFi protocol that aims to capture the rapidly rising demand for Bitcoin utility on DeFi.
Specifically, Badger uses synthetic BTC assets such as WBTC and RBTC to generate passive yields for BTC holders. The protocol offers a wide array of yield optimization strategies in the form of digital asset vaults where users can simply park their ERC-20 token form of BTC and generate yields as per the estimated return displayed by each vault.
On December 2, Badger tweeted and confirmed the hack which saw $120 million worth of crypto assets vanish from the protocol within a matter of minutes. The protocol tweeted:
“Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.”
The transaction can be verified on Etherscan here where we can see that one user lost almost 900 BTC as a result of the exploit.
In a detailed documentation of the attack, PeckSheild determined that the exploiter stole a wide range of digital assets from the protocol such as WBTC, convex finance (CVX), and several LP tokens that can be redeemed for multiple tokens at once, making it difficult to ascertain the exact amount of the funds stolen.
However, rough estimates suggest that the BadgerDAO protocol was compromised for more than $120 million worth of assets.
Similarly, in its own post-mortem report, BadgerDAO noted the attack was essentially a series of unauthorized transactions where the hacker was able to successfully phish users into approving ERC-20 tokens from Badger via the malicious user interface.
Immediately after noticing the irregular smart contract behaviour, BadgerDAO paused all its smart contracts to suspend the withdrawal of digital assets until further notice.
Currently, BadgerDAO governance is developing plans to reimburse the users affected by the exploit. It will be interesting to see what decision the protocol’s governance comes up with given the front-end attacks do not come under the terms and conditions of digital assets insurance policies.
How Is This a Bullish Hack?
While there’s no arguing that the hack of BadgerDAO likely led to the financial ruin of several loyal protocol users, a case can be made for a ‘bullish hack.’
The major difference between this hack and the typical hacks we are used to seeing in the DeFi space is that BadgerDAO was exploited through front-end phishing, unlike the recent hacks of bZx, CREAM Finance, and other DeFi protocols which were the result of inefficiencies and bugs in the smart contracts powering them.
Seeing that hackers are now resorting to front-end attacks instead of finding bugs in smart contract logic and design gives an indication that smart contracts are steadily maturing in terms of security and sophistication.
We might never see 100 percent secure smart contracts, but even if we get them to be 99 percent secured, it is a massive upgrade over subpar smart contracts that continually get exploited.
With time, expect a larger proportion of DeFi hacks to be centered around phishing attacks as we see today with the likes of Facebook, and other tech conglomerates with superior security mechanisms.