Hackers Steal $115 Million From Users of Bitcoin DeFi-focused BadgerDAO

BadgerDAO token crashes 20% as users and security auditors suspect that the exploit came from the DAO’s web interface.

by Sam Reynolds&Macauley Peterson /
article-image

Blockworks Exclusive Art by Axel Rangel

share

key takeaways

  • BadgerDAO has paused its smart contracts after falling victim to an exploit allowing 2,063.37 BTC and counting to be surreptitiously removed from the protocol
  • Initial security audits and members of the DAO’s Discord believe that the exploit came from its web frontend

Another DeFi protocol has fallen victim to an eight-figure hack, as Badger DAO reports that it has noticed “unauthorized withdrawals” from its protocol. 

Loading Tweet..

BadgerDAO initially reported that $10 million had been pilfered, though reports from blockchain security and analytics company PeckShield puts that number closer to $115 million, over 2,063 bitcoins. One unlucky user lost 900 bitcoin

BadgerDAO’s mission, as it describes it, is to “bring Bitcoin to DeFi” by creating various wrapped bitcoin products. 

Unlike many other hacks of DeFi protocols, this one doesn’t appear to be an attack on the protocol itself, but rather the web interface connecting the protocol to the users’ wallets to the protocol. 

On the BadgerDAO Discord, many users complained that when their wallets interacted with BadgerDAO they were hit with requests for additional permissions and then transferred tokens to wallets controlled by the hackers. 

“It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited,” Badger developer Tritium wrote on Discord. 

Currently, BadgerDAO has decided to pause all smart contracts to prevent further withdrawals as it investigates further. 

BadgerDAO’s governance token BADGER is down sharply on the news.

The founder of BadgerDAO, Chris Spadafora, who goes by the moniker SpadaBoom (with the ‘B’ as a Bitcoin symbol), announced that the smart contracts would remain paused, preventing withdrawals from the protocol.

“Badger has retained data forensics experts Chainalysis to explore the full scale of the incident and authorities in both the US and Canada have been informed and Badger is cooperating fully with external investigations as well as proceeding with its own,” Spadaboom wrote on Discord Thursday evening (ET).

Token holders are responsible for approving changes to the decentralized protocol on Ethereum, but the Badger.com frontend is separate from the project’s Ethereum smart contracts, and the core team retains some administrative powers.

According to Badger Core team member Mitche50, commenting on the BadgerDAO Discord’s “general” channel:

“It looks like an API key for cloudflare was compromised. Through this, the hacker was able to create a script, inject the script into custom routes and serve the frontend with the malicious script injected.”

Cloudflare is a widely used American website infrastructure company that provides content delivery network and helps sites defend against denial-of-service attacks.

Among the unresolved questions are, how long has this exploit been operative, and why did it go undetected? Mitche50 told Blockworks, “the investigation of exactly what happened is still ongoing.”

It’s also unclear, whether the affected users will be able to be compensated for losses by the DAO, or by insurance protocol Nexus Mutual, which offers insurance on BadgerDAO, currently at a rate of 2.6% annually.

The insurers’ term and conditions note that insurance covers only “contract bugs, economic attacks, including oracle failures [and] governance attacks,” and Nexus’ own governance may determine the present exploit is outside the scope of coverage.

The Nexus team issued a statement in their Discord’s “claims-discussions” channel indicating that BadgerDAO cover holders may be out of luck in this case:

“If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted and this would not be a covered event.

Frontend attacks are not covered per section 9 of the Protocol Cover wording.”

Even if Nexus were to include the hack as a covered event, as of today, less than $14.25 million in coverage was purchased, according to nexustracker.io.

BadgerDAO launched its first launched yield-generating vaults based on wrapped bitcoin on Ethereum, in December 2020. The project quickly moved to community-based governance through the distribution of the BADGER token, which has been used to vote on over 70 improvements to the protocol since launch.

BadgerDAO’s total value locked peaked in February at $2.32 billion, but the protocol still has $1.1 billion in assets, according to DeFi Llama.

While this hack is significant, it pales in comparison to some of the largest successful exploits that have occurred against DeFi protocols this year. For instancce, in August, hackers made off with nearly $600 million after they exploited bugs in the Poly Network.

This story was updated on December 2, 2021 at 12:10 pm ET with a statement from Nexus Mutual. The headline was updated to clarify that funds were not drained from the BadgerDAO protocol itself, but directly from users of the Badger.com frontend.

This story was updated on December 3, 2021 at 3:30 AM to include a comment from BadgerDAO founder Chris Spadafora.

Get the day’s top crypto news and insights delivered to your inbox every evening. Subscribe to Blockworks’ free newsletter now.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Unlocked by Template.jpg

Research

Bitcoin Expressivity with BitcoinOS

The BitcoinOS team is the first to have developed and posted a ZK-compressed proof on the Bitcoin network. Other proof verification efforts have been limited to the Signet or testnet deployments. Their work has resulted in the development of BitSNARK, a software library for ZK-compressed fraud proofs on the Bitcoin network. The project aims to provide a horizontal scaling solution, offering a one-stop shop for teams interested in developing a rollup on Bitcoin. This approach shares similarities with the horizontal tech stack scaling in other ecosystems like Cosmos and Optimism, particularly in its focus on simplified verification, bridging standards, and lightweight interoperability.

by 0xMims

/

news

article-image

Analysis

Crypto monthly active addresses are hitting all-time highs: A16z

A16z’s State of Crypto report shows that DeFi has the largest number of daily active addresses, with stablecoins following closely behind

by Katherine Ross /
article-image

DeFi

Conduit sees path to gigagas throughput with new sequencer

G2 is delivering real-world performance breakthroughs at 50-100 Mgas/s, Conduit says

by Macauley Peterson /
article-image

Analysis

Memecoin conceived by AI trumps Trump-linked token sale

World Liberty Financial’s token sale debuted just as an absurd AI-fueled memecoin captured crypto’s attention

by David Canellis /
article-image

Empire Newsletter

World Liberty Financial’s presale overshadowed by memecoin-shilling AI

Plus, would crypto be better out of the limelight?

by Katherine Ross&David Canellis /
article-image

Policy

Coinbase continues with SEC lawsuit over denied FOIA request 

Coinbase hired History Associates in 2023 to assist in retrieving records from the SEC and FDIC

by Casey Wagner /
article-image

Forward Guidance Newsletter

VP Harris’s latest crypto comments fall short on details

Hours after pledging to support Black men’s rights to safely invest in crypto, VP Harris’s Monday night speech mentioned blockchain zero times

by Casey Wagner&Ben Strack /