On Wednesday evening, someone drained funds from several cryptocurrency wallets connected to the decentralized finance platform BadgerDAO. According to the blockchain security and data analytics firm PeckShield, which is working with Badger to investigate the heist, the various tokens stolen in the attack are worth around $120 million.
While the investigation is still ongoing, members of the Badger team told users they believe the problem was a malicious script inserted into the website's UI. For any user who interacted with the site while the script was active, it intercepted Web3 transactions and injected a request to transfer the victim's tokens to an address chosen by the attacker.
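The mechanism described above works because a compromised front end can ask the user's wallet to sign a token approval that the user never intended. The following is an added example, not code from the article or from BadgerDAO: a small, dependency-free guard that a wallet or dApp front end could run on every transaction request before prompting the user to sign. It decodes ERC-20 `approve` / `increaseAllowance` calldata and flags approvals whose spender is not on a known allowlist or whose amount is effectively unlimited. The spender addresses and the allowlist are constructed placeholders, not Badger's real contracts; the function selectors are the standard ERC-20 ones.

```javascript
// Added example: a client-side approval guard (not BadgerDAO code).
// 4-byte function selectors: first 4 bytes of keccak256 of the signature.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
};

// Constructed allowlist of spender contracts the front end legitimately uses.
// Placeholder address, not a real BadgerDAO contract.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Anything at or above 2**255 is treated as an "unlimited" allowance; the
// common pattern is 2**256 - 1, but any amount this large is never a real balance.
const UNLIMITED_THRESHOLD = 1n << 255n;

// Decode an approve-style call: 4-byte selector + 32-byte address word + 32-byte uint256 word.
// Returns null for anything that is not a well-formed approval call.
function decodeApproval(data) {
  if (typeof data !== "string" || !data.startsWith("0x")) return null;
  const hex = data.slice(2).toLowerCase();
  if (hex.length !== 8 + 64 + 64) return null;
  const fn = SELECTORS["0x" + hex.slice(0, 8)];
  if (!fn) return null;
  const spenderWord = hex.slice(8, 72);
  // An address is right-aligned in its word; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { fn, spender, amount };
}

// Decide whether a transaction request may be forwarded to the signer.
// Non-approval calls pass through; approvals are checked against policy.
function checkTransaction(tx) {
  const decoded = decodeApproval(tx.data);
  if (!decoded) return { decision: "allow", reason: "not an approval" };
  const findings = [];
  if (!KNOWN_SPENDERS.has(decoded.spender)) {
    findings.push("spender not on allowlist: " + decoded.spender);
  }
  if (decoded.amount >= UNLIMITED_THRESHOLD) {
    findings.push("unlimited allowance requested");
  }
  if (findings.length === 0) {
    return { decision: "allow", reason: "approval to known spender", ...decoded };
  }
  return { decision: "block", reason: findings.join("; "), ...decoded };
}

// ABI-encode an approve-style call so the demo can build sample calldata.
function encodeApprove(selector, spender, amount) {
  const addrWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amtWord = amount.toString(16).padStart(64, "0");
  return selector + addrWord + amtWord;
}

// Constructed sample requests: a bounded approval to the known spender, and an
// unlimited approval to an unknown address of the kind an injected script would ask for.
const LEGIT_TX = {
  to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // placeholder token contract
  data: encodeApprove("0x095ea7b3", "0x1111111111111111111111111111111111111111", 1000n * 10n ** 18n),
};
const SUSPICIOUS_TX = {
  to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  data: encodeApprove("0x095ea7b3", "0x2222222222222222222222222222222222222222", (1n << 256n) - 1n),
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkTransaction(LEGIT_TX));
  console.log(checkTransaction(SUSPICIOUS_TX));
}
```

In a real wallet this check would sit in the handler for `eth_sendTransaction` before the signing prompt; the point of the example is that the decision is made from the decoded calldata, not from the page that requested it, so a tampered UI cannot simply relabel the request.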
Because the transactions are public, we can see what happened once the attackers moved. PeckShield points to one transfer that pulled 896 Bitcoin into the attacker's wallet, worth over $50 million. According to the team, the malicious code was first injected as early as November 10, and the attackers triggered it at seemingly random intervals to avoid detection.
Decentralized finance (DeFi) systems rely on blockchain technology to let cryptocurrency owners perform more conventional financial transactions, such as earning interest through loans. BadgerDAO promises users that they can "take the peace of mind that you will never have to give up your crypto's private keys, you can withdraw whenever you want, and our strategists are working day and night to put your assets to work." Its protocol lets people with Bitcoin bridge their cryptocurrency onto the Ethereum platform through its token and take advantage of DeFi opportunities they might not otherwise have access to.
For now, the smart contract hiatus continues to avoid further withdrawals. Badger will share further updates as they become available.
– BadgerDAO (@BadgerDAO) December 2, 2021
Once Badger became aware of the unauthorized transfers, it paused all of its smart contracts, essentially freezing the platform, and advised users to reject any transactions involving the attacker's addresses.
On Thursday evening, the company said it had "retained the data forensics experts Chainalysis to explore the full extent of the incident and authorities in the United States and Canada have been notified and Badger is fully cooperating with external investigations as well as its own."
One of the things Badger is investigating is how the attacker apparently gained access to Cloudflare through an API key that should have been protected by two-factor authentication. While the attack did not reveal any specific flaw in the blockchain technology itself, it did exploit the older "web 2.0" layer that most users have to go through to transact. Multi-factor authentication protects accounts against many phishing schemes and bulk credential-stuffing attacks. Yet experts have repeatedly warned that targeted phishing attacks can get around it, and toolkits that automate the process have been available for years. An FBI notice in 2019 (PDF) warned of criminals' growing ability to circumvent MFA and suggested changes and training that could make such attacks harder to carry out.
Getting two-factor authentication right can be difficult even in conventional financial applications – just ask PayPal. But incidents like this one, or the $600 million theft (later returned) that Poly Network suffered in August, or the $53 million heist that hit the first DAO in history in 2016, are hopefully enough to raise awareness that security extends beyond protocols and cryptography.
A commenter on Badger's Discord summed up the situation: "All [the] blockchain / smart contract audits around the world, and people lose $120 million due to a Cloudflare API leak by a botched team where a guy passes a new approval to his contract in the site header – GG – we still have a long way to go." A team member said: "I'm sure we'll have some suggested mitigation procedures after this."
Which funds can be recovered, and how those affected will be made whole, is still unknown. But for anyone living in the world of crypto, blockchain, and Web3 apps, it may ultimately fall to them to learn and monitor how approvals, signing, and transactions actually work, particularly when millions of dollars in holdings can vanish in an instant even under the management of "one of DeFi's most security-conscious teams," as Badger describes itself.
Crypto / Security folks: We *maybe* can't run a secure web messaging app because everything is too insecure!
– Matthew Green (@matthew_d_green) December 2, 2021