The DeFi protocol BadgerDAO has lost more than $120 million in various cryptocurrencies following a hack. On Wednesday night, a hacker managed to steal funds from several crypto wallets connected to the decentralized finance platform.
BadgerDAO hacked: $120M worth of funds stolen from various wallets
According to a report by PeckShield, a data and security analytics firm, the total amount lost in the hack was around 2,100 Bitcoin and 151 Ether.
Here is the current whereabouts as well as the total loss: $120.3M (with ~2.1k BTC + 151 ETH) @BadgerDAO pic.twitter.com/fJ4hJcMWTq
— PeckShield Inc. (@peckshield) December 2, 2021
On Wednesday around 9 p.m. ET, users started complaining about the issue on the platform’s Discord channel.
It is speculated that the hack was caused by an exploit in the Badger.com user interface, and not by a vulnerability in the core contracts.
A large number of users reported that their wallet providers were asking for additional permissions when they were trying to interact with their Badger vaults.
Badger core contributor Tritium stated on Discord: “It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited. Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are.”
The hack was officially confirmed in a tweet:
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adger 🦡 (@BadgerDAO) December 2, 2021
Once the attack was identified by Badger, the platform suspended all smart contract operations, effectively shutting down the platform. Users were advised to refuse any transactions to the attacker’s addresses.
Even though hackers stole the funds on Wednesday night, the malicious permissions could have been requested long before the attack took place.
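Because the approvals described above can sit on-chain long before they are used, a wallet's past ERC-20 Approval events can be replayed to list allowances still granted to spenders the user does not recognise. The following is an added example, not code from BadgerDAO or PeckShield: the addresses and logs are constructed placeholders, the function names are hypothetical, and the logs are assumed to be already fetched with blockNumber and logIndex converted to integers.

```python
# topic0 of the ERC-20 Approval event: keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" amount

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()  # indexed address = low 20 bytes of the topic

def decode_approval(log):
    """Return (token, owner, spender, amount), or None if not an ERC-20 Approval."""
    topics = log.get("topics", [])
    # ERC-721 Approval shares topic0 but indexes tokenId too (4 topics): skip it.
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    amount = int(log["data"], 16) if len(log["data"]) > 2 else 0
    return log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]), amount

def live_allowances(logs):
    """Replay in chain order; the last Approval per (token, owner, spender) wins.
    Upper bound only: transferFrom can lower an allowance without an Approval event."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if (decoded := decode_approval(log)) is not None:
            state[decoded[:3]] = decoded[3]
    return {key: amount for key, amount in state.items() if amount > 0}

def flag_unexpected(logs, wallet, trusted_spenders):
    """Live allowances granted by `wallet` to spenders outside the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    return [{"token": token, "spender": spender, "unlimited": amount == UNLIMITED}
            for (token, owner, spender), amount in live_allowances(logs).items()
            if owner == wallet.lower() and spender not in trusted]

# Constructed sample data: placeholder addresses, not values from the incident.
WALLET, VAULT, UNKNOWN, OLD, TOKEN = ("0x" + c * 20 for c in ("aa", "bb", "cc", "ee", "dd"))

def _log(block, idx, owner, spender, amount, extra=None):
    topics = [APPROVAL_TOPIC] + ["0x" + "0" * 24 + a[2:] for a in (owner, spender)] + (extra or [])
    return {"address": TOKEN, "topics": topics, "data": hex(amount),
            "blockNumber": block, "logIndex": idx}

SAMPLE_LOGS = [
    _log(100, 0, WALLET, VAULT, UNLIMITED),    # expected approval to the vault
    _log(90, 3, WALLET, UNKNOWN, UNLIMITED),   # older approval to an unrecognised spender
    _log(110, 1, WALLET, OLD, 0),              # revocation (logs deliberately out of order)
    _log(95, 2, WALLET, OLD, 500),
    _log(96, 0, WALLET, UNKNOWN, 0, ["0x" + "0" * 63 + "7"]),  # ERC-721 shape: ignored
]
if __name__ == "__main__":
    print(flag_unexpected(SAMPLE_LOGS, WALLET, [VAULT]))
```

Any spender this reports should be checked against the addresses the protocol publishes for its own contracts, and an allowance that cannot be explained is removed by approving that spender for an amount of 0.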