Crypto is a world of highs and lows where players need plenty of heart to stay in the game. However, crypto theft does happen, with the latest leaving a gaping hole of $120 million. The theft occurred across several crypto wallets connected to the BadgerDAO platform.
Blockchain firm PeckShield is working with Badger to probe the incident, and reports indicate that the theft occurred through an actor inserting malicious code into Badger’s website. While the malicious script was active, it intercepted the Web3 transactions of users on the site, and a request to transfer the user’s tokens to the thief’s address would be executed.
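The following added example (not code from BadgerDAO, PeckShield, or any wallet) shows a defensive check against this kind of injected request: it decodes a pending transaction's calldata and blocks ERC-20 calls whose counterparty is not a contract the site is known to use. It assumes the injected request is a standard ERC-20 call such as `approve`, as the user reaction quoted later on this page suggests; the function names, the allowlist and both sample addresses are hypothetical.

```javascript
// Standard ERC-20 function selectors (first 4 bytes of calldata).
const SELECTORS = {
  "0x095ea7b3": "approve",      // approve(spender, amount)
  "0xa9059cbb": "transfer",     // transfer(to, amount)
  "0x23b872dd": "transferFrom", // transferFrom(from, to, amount)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode a token call into { fn, counterparty, amount }; null if it is not one.
function decodeTokenCall(data) {
  if (!/^0x[0-9a-fA-F]{8,}$/.test(data)) return null;
  const fn = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!fn) return null;
  const args = data.slice(10);
  const need = fn === "transferFrom" ? 3 : 2; // number of 32-byte ABI words
  if (args.length < need * 64) throw new Error("truncated calldata");
  const word = (i) => args.slice(i * 64, (i + 1) * 64);
  // The counterparty is the address that gains tokens or spending rights.
  const counterparty = "0x" + word(need - 2).slice(24).toLowerCase();
  return { fn, counterparty, amount: BigInt("0x" + word(need - 1)) };
}

// Screen one transaction request against the contracts the site is known to use.
function screenRequest(tx, allowlist) {
  let call;
  try {
    call = decodeTokenCall(tx.data || "");
  } catch (err) {
    return { verdict: "block", reason: err.message };
  }
  if (!call) return { verdict: "pass", reason: "not an ERC-20 token call" };
  if (allowlist.has(call.counterparty)) {
    return { verdict: "pass", reason: `${call.fn} to listed contract` };
  }
  const unlimited = call.fn === "approve" && call.amount === MAX_UINT256;
  const what = unlimited ? "unlimited approve" : call.fn;
  return { verdict: "block", reason: `${what} to unlisted ${call.counterparty}` };
}

// Constructed sample data: both addresses are made up for this example.
const pad = (addr) => addr.slice(2).padStart(64, "0");
const LISTED = "0x" + "11".repeat(20);
const UNLISTED = "0x" + "de".repeat(20);
const injected = "0x095ea7b3" + pad(UNLISTED) + "f".repeat(64);
const expected = "0x095ea7b3" + pad(LISTED) + pad("0x64");
console.log(screenRequest({ data: injected }, new Set([LISTED])));
console.log(screenRequest({ data: expected }, new Set([LISTED])));
```

A check like this only helps when it runs somewhere the injected script cannot reach, such as the wallet or a transaction-simulation service, since code served by the compromised site can be altered along with everything else.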
PeckShield has isolated a transfer that pulled more than $50 million worth of bitcoin into the thief’s account. The investigating team also reveals that the first attack was on November 10th, with further operations run at random afterwards to avoid detection. In all, the thief moved over $117 million worth of bitcoin and kept the rest as interest-bearing bitcoin. This represents 2100 bitcoin tokens and 151 ETH.
BadgerDAO’s platform runs on decentralized finance (DeFi) systems, which use blockchain to let crypto owners carry out ordinary operations like lending to earn interest. One of BadgerDAO’s selling points is that traders can “rest easy knowing you never have to give up the private keys for your crypto, you can withdraw anytime you like, and our strategists are working day and night to put your assets to work.”
With BadgerDAO’s platform, traders can bridge their bitcoin to the Ethereum platform.
BadgerDAO immediately stopped all smart contracts when it was made aware of the theft, which basically froze the platform. It also told its users to refrain from transacting with the thief’s address. It is unclear when BadgerDAO will lift the pause.
The company has also “retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own.”
BadgerDAO is probing how the thief got through Cloudflare with an API key that was supposed to be protected by two-factor authentication. The attack has not exposed any problem with Blockchain itself, but it did exploit web 2.0 tech that many users use to carry out their transactions.
Speaking of multi-factor authentication, the system is supposed to protect users from phishing attacks, but it has been revealed that some phishing attempts can bypass it.
This is not the first time BadgerDAO has suffered an attack, as it had $53 million stolen in 2016. Neither is it the biggest, as the Poly Network lost $600 million in August, although the loot was returned. Poly Network subsequently offered the hacker a job.
DeFi attacks have been on the rise, with total losses this year up to November 3rd coming to more than $1 billion. AtlasVPN reported that DeFi hacks accounted for more than three-quarters of all hacks in the first seven months of this year.
Reactions have followed the theft, with some users criticizing the company’s inability to prevent it with all the tech at its disposal. “All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go.”
It is not clear what is next for the victims as BadgerDAO has yet to comment on it. However, with DAO’s recovery of more than half of the funds stolen this year, it is not impossible for some of the funds involved in this latest heist to be recovered.