BadgerDAO Post Mortem Details Fourth-Largest DeFi Exploit

The multi-million dollar exploit of the BadgerDAO protocol has made it the fourth largest ever decentralized finance attack.

On Dec 2 the Bitcoin DeFi protocol BadgerDAO suffered a monumental exploit that resulted in the loss of $120 million. The Rekt blog has delved into the details and carried out a post mortem on what it has labeled “roadkill.”

The attacker exploited the front end of the BadgerDAO decentralized application. According to Rekt, the malicious actor inserted additional approvals to send user tokens to their own address. This hijacked trust was then used to pilfer the loot.

DeFiYield, which has added BadgerDAO to the fourth rank in its exploit list, explained:

Many impacted users alleged that while receiving yield farming rewards and engaging with Badger vaults, their wallet providers prompted them with spurious requests for extra permissions.

Too little, too late for BadgerDAO

BadgerDAO paused the system as the news emerged that wallets were being drained, but two hours and 20 minutes after the attack began, it was too little too late.

Most of the stolen assets were vault deposit tokens which were cashed out using the underlying BTC which backed them.

BadgerDAO offered a number of vaults generating yields on wrapped Bitcoin. Its flagship product was the Sett vault where users can deposit tokenized BTC in the vault to generate an automated yield.

Rekt went on to explain that the approvals appeared when users attempted to make legitimate deposits and reward claim transactions. It added that this resulted in “building a base of unlimited wallet approvals that allowed the attacker to transfer BTC-related tokens directly from the user’s address.”

The first instance of approvals for the hacker’s address was almost two weeks ago, according to Peckshield. Anyone interacting with the platform since then, may have inadvertently approved the attacker to drain funds.

It added that a user flagged the spurious approval on Discord before the attack yet Badger did not investigate.

The ill-fated DeFi protocol now rests behind Cream Finance which lost $130 million in a flash loan exploit, BXH protocol which had private keys compromised resulting in a $140 million loss, and the granddaddy of them all — Poly Network.

BADGER prices tank

Predictably, BADGER prices have been hit hard with a 25% slump since the news broke. At the time of press, BADGER was changing hands for just below $21 according to CoinGecko.

The asset has dumped 76% from its Feb 9 all-time high of $89 and chances of recovery are looking slim.