In one of the costliest heists that the cryptocurrency industry has ever seen, a phishing attack had cost the BadgerDAO tokens worth millions of dollars earlier this week. The protocol has now released a detailed analysis of the unauthorized transactions that had resulted in this huge loss of funds.
In a ‘Technical Post Mortem’ published by the protocol’s team in partnership with the cybersecurity firm Mandiant, it was highlighted that the phishing incident that occurred on December 2 was the result of a “maliciously injected snippet provided by Cloudflare Workers.”
Cloudflare is an interface that allows users to run scripts that “operate on and alter web traffic as it flows through Cloudflare proxies.”
The report further added that the attacker had deployed such a script through a compromised API key, which it had created through successful evasion from Badger engineers. This API access allowed the attacker(s) to subsequently inject malicious code in the protocol in a periodic manner so that only a subset of the userbase is affected.
Initial diagnosis of the attack had explained that by stealthily asking for extra permissions from users engaging with Badger vaults, the attackers had received approvals to send users’ tokens to their own address.
The attack had begun as early as August-September, according to BadgerDAO’s analysis. Cloudflare users had first noticed that unauthorized users were able to create accounts and were also able to create and view (Global) API keys without completing the email verification process, noting that upon email verification, the attacker would be granted API access.
Badger found that three such accounts had been created and granted API keys without authorization in August and September. This API access was used by the attacker on 10 November to inject malicious scripts via Cloudflare Workers into the protocol’s webpage. The same intercepted web3 transactions and prompted users to allow a foreign address approval to operate on ERC-20 tokens in their wallet.
The analysis further noted,
“The attacker used several anti-detection techniques in their attack. They applied and removed the script periodically over the month of November, often for very short periods of time. The attacker also only targeted wallets over a certain balance.”
Once alerts about a suspiciously large transaction were raised on Discord, the protocol paused most vault activity within 30 minutes, while those with an older contract were stopped approximately 15 hours later. The saving grace was the protocol’s BIP-33, which gives it the ability to pause contracts approved on the guardian contract, stopping all kinds of transactions from taking place.
Nevertheless, the total value lost raked up to over $130 million, out of which only $9 million are recoverable, according to the blog post. The protocol is working towards recovering some funds that were transferred by the exploiter but not yet withdrawn from the Badger vaults. It is also in touch with Chainalaysis, Mandiant, and the crypto exchanges as well as authorities in the U.S. and Canada for the same.
Additionally, Badger will also be completing third party audits of all web2 and web3 infrastructure before relaunching the protocol, with plans of a hack-a-thon and education drives also in the pipeline.
The recovery phase also includes the BIP-76, which is aimed at upgrading smart contracts. This will allow for the rescue of user funds, improve pausing functionality, and introduce additional safeguards through blacklisting.