Hackers Steal $119M From ‘Web3’ Crypto Project With Old School Attack

An unknown hacker or hackers stole a reported $119 million in cryptocurrency from a blockchain-based decentralized finance (DeFi) platform on Wednesday. 

In a Tweet on Wednesday, BadgerDAO (decentralized autonomous organization) wrote that it received “reports of unauthorized withdrawals of user funds.” According to blockchain security company PeckShield, the hackers stole around 2100 BTC ($118,500,000) and 151 ETH ($679,000) worth of cryptocurrency tokens. 

Notably, the hack did not involve complicated smart contract exploits. Instead, it was a front-end attack targeting BadgerDAO's web infrastructure, in particular its Cloudflare account, BadgerDAO’s content delivery network. When interacting with BadgerDAO using a Metamask wallet, users were confronted with illicit permission requests. Users noticed the attack when they saw that their wallets were being emptied, and BadgerDAO then “paused” all smart contracts.  

Kryptobi, who said he is on the BadgerDAO support team and has been looking into the hack, told Motherboard that it appears someone injected a malicious script into BadgerDAO’s frontend after compromising an API key for BadgerDAO’s Cloudflare account. Cloudflare is a web infrastructure, content delivery network, and website security company, which is used by millions of sites on the internet. 

A core team member of the Badger team, who goes by Jonto, confirmed this was the entry point the hacker exploited. 

“The malicious script basically tricked people into giving the address rights to send the tokens to the exploiter address,” Jonto told Motherboard in an online chat. 

BadgerDAO’s admins and developers have been doing damage control in the official Discord channel. 

“Everyone is angry and shocked and [sic] what happened,” a person who works on BadgerDAO and goes by blackbear, wrote on the organization’s official Discord channel, where many people are complaining about having their cryptocurrency stolen. “Situation is shitty but I have hope that we will learn from it and we will overcome it, I have been involved with Badger since it launched and the work the team has done and does has never disappointed me.”

“I have most of my net-worth in Badger and I was affected by this attack too, also got the biggest hit in my life, and pretty sure other team members, who have the most faith in the project, have been affected too,” blackbear added. “I understand every single one of you, this is a major setback.” 

DeFi platforms like BadgerDAO have proliferated recently, with billions of dollars lost to scams and hacks along the way in the fast-moving industry. The idea is to create financial systems based on the blockchain, and BadgerDAO in particular was designed to be a "bridge" for people to take, say, their Bitcoin, and use it equivalently on Ethereum-based DeFi projects by "wrapping" it. 

Earlier this year, the crypto lending service C.R.E.A.M. got exploited via a complex "flash loan" and lost $130 million, and a hacker stole around $600 million from the popular platform Poly Network—and later returned the money in one of the most bizarre hacks of the year. These are just examples from this year, there have been many more in years prior.   

Notably, though, the BadgerDAO attack seems to not have targeted the smart contracts or used any clever blockchain trickery. Instead, it was an attack targeting Badger’s web infrastructure. 

As it turns out, so-called web3 can depend heavily on good old web1 security. 

“Supply chain integrity means every link in the chain,” said Dan Guido, the founder of Trail of Bits, a cybersecurity company that specializes in cryptocurrency and smart contracts audits. “Badger clearly thought through parts of their development and deployment process, using simple and secure tools like Github and a single-page web application. However, success for supply chain integrity requires perfection, and instantly accurate security monitoring. If Cloudflare is ultimately responsible for serving content to users, then it needs the same, carefully thought out security procedures. IT security still matters, and in many ways matters even more for blockchain companies.”

The BadgerDAO hack even caught the attention of mainstream security professionals. 

Matthew Green, a cryptography and computer science professor at Johns Hopkins University, wrote on Twitter that “it’s funny how little computer security people know about the [decentralized applications] ecosystem. It’s like they’re living in the hotel from The Shining and they have no idea what’s going down in Room 237.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.