GCR

On Dec 2nd, BadgerDao was a vicious, front-end attack victim. The hacker used compromised API keys created without authorization or the express knowledge of the Badger team.
The total loss breakdown: $120.3M (2.1k BTC + 151 ETH)The hacker ultimately stole $130 million in funds, but approximately $9 million was recoverable since those funds were transferred but not extracted from Badger’s vaults.

Investigating The Crime

With help from Peckshield, a blockchain security and data analytics company, Badger is still investigating the incident. However, members of the Badger team have openly reported the issue came from someone inserting a malicious script into the UI of the website. Any visitor to the site who encountered the “maliciously injected snippet” would trigger a Web3 transaction requesting the transfer of the victim’s tokens to the hacker’s address.

According to the team, the hacker ran the code in early November, testing it at irregular intervals to avoid discovery.
After a flood of community members reported the unauthorized transfers, Badger paused all smart contracts, freezing its platform and strongly advising community members to decline all transactions.

Before the hack, Badgers price sat around $27.22, but 4 days after the incident price dropped to $14.79, almost 50%.

Badger is currently voting on a proposition to unfreeze the community assets, but releasing transactions might trigger a mass exodus and a significant drop in price for the BadgerDAOs coin. Some estimate as high as a 75% drop in price, taking it from $14 per coin to around $5. Another problem posed is how to repay losses, if at all.

Last Hack Of The Year

However, the 120M stolen from BadgerDAO pales compared to the largest DeFi hack just four months earlier. In August 2021, hackers robbed Poly Network of more than $600 million. Surprisingly the attacker returned the funds after a plea from the community, a strategy Badger has also attempted to reproduce.

As DAOs grow and face many trials, we will see pillars of DeFi rise and fall. Though the hack wasn’t the community’s fault, the brunt of the damage and the clean-up will be their collective responsibility. Luckily, the attack didn’t reveal specific flaws within Blockchain tech. Instead, it exploited older “web 2.0” transaction technology making this hack is more of a speed bump than a fault in the overall growth and promise of Web3.