One of the largest DeFi hacks of all time hit users last night, affecting BadgerDAO, the most popular destination for wrapped Bitcoin yield.
The hack was reported late last night, along with urgent requests to immediately revoke approvals.
As numbers trickled in, the death toll would tick upwards to a whopping $120MM, including over 2K BTC and 151 ETH as tallied by PeckShield.
At issue appears to be a wicked frontend bug. The investigation is ongoing, but early reports point to a compromised Cloudflare API key that allowed the hacker to inject a malicious script into the UI. The script ran periodically, accumulating approvals to a nefarious contract.
Last night the hacker pulled the trigger, draining the funds and quickly bridging back to the BTC mainnet through REN.
If you are interested in following the updates, the Badger Discord has a dedicated thread that may have already identified the perpetrator.
One of the biggest victims in the mess was Celsius wallet, which allegedly lost 900 BTC.
Curve users may be disproportionately affected by the shenanigans. For some time, the ibBTC factory pool had been the best yielding Bitcoin pool by far, offering nearly 20% boosted tAPY, with only one other pool above 5%.
Badger had really upped their participation in the Convex Wars lately. However, a $100MM hack could present an existential-level threat to the protocol, with the price of the $BADGER token tumbling 20% last night.
Worst of all, a user allegedly reported this bug to Badger 5 days ago.
How can the casual ape protect themselves from a UI bug? Depending on the degree to which the UI is compromised, it becomes difficult to impossible. There’s only one foolproof method.
Yet as abstinence education programs have learned, chastity is an ineffective strategy against irresistible temptation.
Short of abstaining, the best method is to review the transaction details very carefully if you are using the frontend. Make sure the addresses match up perfectly.
More technical users can copy the contract calldata and simulate the transaction in a forked environment using Brownie. If the contract call works as expected, you can then rerun the transaction directly on mainnet for the safest aping. Perhaps a handsome gentleman will take it upon himself to provide a video tutorial for casual users shortly.
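A pre-signing calldata check along the lines of the review described above, written here as an added example (not from the original post or from Badger): it decodes the raw calldata the frontend asks you to sign and flags approve/increaseAllowance calls whose spender is not one you have verified. The selectors are the standard ERC-20 ones; the trusted and malicious addresses are constructed placeholders.

```python
# Added example (not from the original post): decode ERC-20 calldata before
# signing and flag approvals whose spender is not a known protocol contract.
# Selectors = first 4 bytes of keccak256(signature); hardcoded so this runs
# offline without web3 or eth_abi installed.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}
MAX_UINT256 = 2**256 - 1
# Constructed placeholder: a spender the user has verified (e.g. a vault).
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}

def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h

def decode_calldata(calldata_hex: str) -> dict:
    """Decode selector plus two ABI words: (address, uint256)."""
    data = _strip0x(calldata_hex).lower()
    if len(data) < 8 + 64 + 64:
        raise ValueError("calldata too short for an (address,uint256) call")
    selector = data[:8]
    # Each ABI argument is a 32-byte word; an address is right-aligned,
    # so its 20 bytes are the last 40 hex chars of the first word.
    address = "0x" + data[8:72][-40:]
    amount = int(data[72:136], 16)
    return {"selector": selector, "function": SELECTORS.get(selector, "unknown"),
            "address": address, "amount": amount}

def review_before_signing(calldata_hex: str, trusted=TRUSTED_SPENDERS) -> dict:
    """Return the decoded call plus the reasons (if any) to refuse signing."""
    call = decode_calldata(calldata_hex)
    reasons = []
    if call["function"].startswith(("approve", "increaseAllowance")):
        if call["address"] not in {t.lower() for t in trusted}:
            reasons.append(f"spender {call['address']} is not a known contract")
        if call["amount"] == MAX_UINT256:
            reasons.append("unlimited allowance requested")
    elif call["function"] == "unknown":
        reasons.append(f"unrecognised selector 0x{call['selector']}")
    call["safe_to_sign"] = not reasons
    call["reasons"] = reasons
    return call

def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; used only to construct samples."""
    return "0x095ea7b3" + _strip0x(spender).lower().rjust(64, "0") + format(amount, "064x")

if __name__ == "__main__":
    # Constructed sample: the kind of approval an injected script would request.
    print(review_before_signing(encode_approve("0x" + "22" * 20, MAX_UINT256)))
```

The same decoder can be pointed at calldata copied from a wallet prompt before the Brownie simulation, so the spender and amount are checked against what the UI claims.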
The problem with this level of scrutiny is that it makes DeFi extremely inefficient for the average user. Badger had been around for some time, and other than a slow rebase, they had been largely safe from hacking.
For frontend developers, avoid including third-party libraries wherever possible. These just open up massive security issues.
Disclaimer: the author has no position in BadgerDAO.