BadgerDAO, a decentralized autonomous organization (DAO) working on bringing Bitcoin to decentralized finance (DeFi), has reportedly fallen victim to a hacking attack possibly resulting in losses over $120 million.
Initial reports suggested the amount of user funds siphoned out of the protocol was $10 million; however, data from security company PeckShield shows that the actual losses are substantially higher.
PeckShield told Decrypt that the total losses amount to $120.3 million.
Users first reported problems at about 9 pm EST through the project’s Discord channel, with an exploit in BadgerDAO’s front end named as the most likely issue.
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” Badger core contributor Tritium wrote on Discord.
Tritium added that once the problem was identified, the team froze all vaults to prevent the movement of funds, while “trying to figure out where the approvals came from, how many people have them, and what next steps are.”
PeckShield confirmed to Decrypt that the protocol was exploited through the user interface, not the core protocol contracts.
While the malicious permission requests may have been made weeks prior to the attack, most funds appear to have been drained last night. Users who have interacted with the malicious contract are also urged to revoke permission from their wallets.
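To act on the revocation advice above, a wallet owner or responder first needs to know which approvals are still outstanding. The sketch below replays ERC-20 Approval event logs for one wallet and lists the allowances that remain non-zero. It is an added example, not code from Badger or PeckShield; it assumes the vault tokens follow ERC-20 and that logs arrive as eth_getLogs-style dicts with integer blockNumber and logIndex, and every address and log entry in it is constructed.

```python
# Added example; every address and log entry below is constructed.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval topic0.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # at or above this, treat the allowance as effectively unlimited


def _addr(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def outstanding_approvals(logs, owner):
    """Replay Approval logs in chain order; return the owner's non-zero allowances.

    The result is an upper bound: transferFrom can lower an allowance without
    emitting Approval, so confirm with the token's allowance() before acting.
    """
    owner = owner.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 shares this signature but indexes tokenId (4 topics); skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[1]) != owner:
            continue
        # A later Approval overwrites the earlier one; value 0 is a revocation.
        latest[(log["address"].lower(), _addr(topics[2]))] = int(log["data"], 16)
    return [
        {"token": t, "spender": s, "allowance": v, "unlimited": v >= UNLIMITED}
        for (t, s), v in sorted(latest.items()) if v > 0
    ]


def _pad(addr):
    return "0x" + addr[2:].rjust(64, "0")


def _log(token, owner, spender, value, block, index=0):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)], "data": hex(value)}


TOKEN, WALLET, OTHER = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y = "0x" + "ee" * 20, "0x" + "bb" * 20
SAMPLE_LOGS = [
    _log(TOKEN, WALLET, SPENDER_X, 2**256 - 1, 100),  # unlimited, never revoked
    _log(TOKEN, WALLET, SPENDER_Y, 1000, 101),
    _log(TOKEN, WALLET, SPENDER_Y, 0, 105),           # revoked later
    _log(TOKEN, OTHER, SPENDER_X, 500, 102),          # different wallet, ignored
]
```

Any spender in the output that the wallet owner does not recognize is a candidate for revocation, which in ERC-20 terms means approving that spender for 0.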
The price of BADGER, the governance token for the Badger DAO, has plummeted by 17% over the last day, according to CoinGecko.
BadgerDAO also took to Twitter to confirm reports of unauthorized withdrawals of user funds.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
“As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible,” the team added.
Despite this large sum, the BadgerDAO hack pales in comparison to DeFi’s largest hack. In August, Poly Network was robbed of more than $600 million in an exploit. The attacker eventually returned the funds in an odd turn of events (even for crypto).
The grand sum for all hacks in DeFi this year is now a tad larger than the $10.5 billion figure reported at the end of November.