DeFi protocol BadgerDAO exploited for $120 million in front end attack

Theblock
3 years ago

Quick Take



  • DeFi protocol BadgerDAO was exploited earlier today for $120 million.

  • It appears that its front end was compromised and users were tricked into making unwanted transactions.


DeFi protocol BadgerDAO has fallen victim to a large hack. According to security researchers PeckShield, $120.3 million was stolen from users of the protocol.

BadgerDAO is a DeFi protocol focused on providing yield for bitcoin. The idea is that you bridge your bitcoin over onto a smart contract platform like Ethereum, as wrapped bitcoin, which you can then use within DeFi applications. BadgerDAO provides a variety of vaults where users can park their wrapped bitcoin and earn yields depending on the yield generation strategies used by the vaults.

"Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals," BadgerDAO tweeted today, confirming the exploit.

PeckShield documented the variety of assets stolen in the hack, which range from tokens like wrapped bitcoin (WBTC) and convex finance (CVX) to more complicated tokens like "ibbtc/sbtcCRV-f." Many of the tokens represent assets held in a vault, meaning they can be redeemed for multiple tokens with varying values — making it harder to total the amount of funds stolen.

One user had around 900 bitcoin ($50.8 million) worth of tokens stolen in a single transaction. Another lost $5 million worth of tokens in one go.

The front end to the BadgerDAO website was reportedly accessed, according to comments in the project's Discord channel, and used to intercept transactions. One admin said it appears that an API key for Cloudflare was compromised.

While protocols like BadgerDAO are decentralized and can be interacted with directly, doing so requires specialised knowledge. Most users will use a front end like the BadgerDAO website (although alternative front ends can be used). But this does have an element of risk: if the front end gets compromised, as in this case, then it can lead to loss of funds.

