The Badger DAO decentralized finance (DeFi) protocol fell victim to a major flaw that resulted in a hacker attack. As a result, the protocol lost around US$120 million, or R$676 million at the current exchange rate.
Users of the protocol were already reporting problems on the Badger DAO Discord on Wednesday (1). Five hours later, on Thursday (2), PeckShield, a blockchain security company, confirmed the attack.
In total, the flaw compromised 2,100 Wrapped Bitcoin (WBTC) and 151 Ether (ETH). According to PeckShield, a single user reportedly lost around 900 WBTC, which corresponds to R$289 million.
Deeper failure than expected
As of this writing, Badger DAO has not explained what caused the attack, but among investors and users the current speculation is that it was carried out through an exploit in the UI of the Badger website.
In other words, the problem would lie in the website and not in the protocol's main smart contracts. According to user reports, when they accessed the Badger DAO website, their wallet providers prompted them for permissions that allowed withdrawals from their wallets.
“Badger has received reports of unauthorized withdrawals of user funds. All smart contracts have been paused to prevent further withdrawals and our engineers are looking into the situation. Our investigation is ongoing and we will release more information as soon as possible.”
It should be noted that WBTC is a token created on the Ethereum network that tracks the price of BTC. That is, there was no direct loss of BTC; the attack stole Ethereum-based tokens. The protocol also suffered losses in other synthetic tokens: 136,000 cvxCRV (Convex CRV), 64,000 veCVX and others.
Possible rug pull
However, some users speculate that the attacker carried out the thefts surreptitiously, slipping approvals in between legitimate deposit and reward transactions. This has given rise to speculation that it could be a rug pull.
A rug pull is an attack in which developers abandon a project and flee with investor funds. It usually unfolds gradually, with intermittent withdrawals, so as not to arouse suspicion.
A famous rug pull occurred with the Squid Token (SQUID), but in that case the theft took just five minutes. As a result, the token dropped from R$16,000 to R$0.01 in that short span.
However, Tritium, a developer who collaborates with Badger, said that some users may have approved the exploit address to operate on their vault funds. Thus, there was also human error in the process.
“It appears that many users had approvals set for the exploit address that allow [the address] to operate on their vault funds, and that this was exploited. Once we figured it out, we froze all the vaults so nothing can move. They're trying to figure out where the approvals came from, how many people have them, and what the next steps are,” he said.
The Badger DAO attack is the second major attack against a DeFi protocol in less than three days. A failure in the MonoX protocol resulted in the loss of R$150 million on Monday (30), as reported by CriptoFácil.