Hackers stole an estimated $120 million worth of Bitcoin and Ether assets from Badger, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations.
An investigation is still ongoing, while members of the Badger team have told users that they believe the issue came from someone inserting a malicious script in the UI of their website.
For any users who interacted with the site when the script was active, it would intercept Web3 transactions and insert a request to transfer the victim’s tokens to the attacker’s chosen address.
Blockchain analysis firm PeckShield, which was the first to notice the heist, claims the hackers managed to steal more than 2,100 Bitcoin and 151 Ether from Badger user accounts before the company shut down its systems. The sum was estimated at $120.3 million at the time of the heist, the security firm said.
The firm also found that one user lost more than $50 million in a single transaction, in which 896 Bitcoin were transferred from the user’s account to the attackers’ address. Another lost $5 million worth of tokens in one go.
Badger paused all smart contracts and asked users to cancel all transactions to the attacker’s addresses, after it became aware of the unauthorised transfers.
One commenter within Badger’s Discord summed up the situation by saying, “All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go.” A member of the team said, “I’m sure we will have some mitigation procedures proposed after this.”
It is still unknown whether the funds can be recovered and how those affected will be made whole. In the meantime, people involved in crypto, blockchain, and Web3 apps should take this as a prompt to learn how approvals, signing, and transactions really work, and to watch them closely.
That lesson is warranted when millions of dollars in holdings can disappear in an instant even while managed by “one of the most security minded teams in DeFi,” as Badger refers to itself.
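The attack described above works because a compromised front end can hand the wallet an ERC-20 `approve()` call for an attacker-controlled spender alongside the legitimate transaction. The following is an added example, not code from the article or from Badger, showing what such a request looks like on the wire and how a dapp or wallet extension could inspect it before signing: it decodes `approve(address,uint256)` calldata by hand (the `0x095ea7b3` selector is the standard one), flags unlimited allowances and spenders outside an allowlist, and wraps an EIP-1193 provider's `request` method so `eth_sendTransaction` calls are checked first. The allowlist addresses, the sample transactions and the `onSuspicious` callback are constructed assumptions for illustration.

```javascript
// Added example: client-side inspection of ERC-20 approvals before they reach the wallet.
// Not part of the original article; addresses below are constructed placeholders.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited allowance" value

// Hypothetical allowlist: spender contracts this dapp is actually known to use.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Decode approve(address,uint256) calldata: 4-byte selector, then two 32-byte ABI words.
// Returns null if the data is not a well-formed approve call.
function decodeApprove(data) {
  const hex = (data || "0x").toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 2 + 8 + 64 + 64) return null;
  const spenderWord = hex.slice(10, 74);
  const amountWord = hex.slice(74, 138);
  // An address occupies the low-order 20 bytes of its word; the 12 high bytes must be zero.
  if (spenderWord.slice(0, 24) !== "0".repeat(24)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + amountWord),
  };
}

// Classify one eth_sendTransaction parameter object and collect warnings.
function inspectTransaction(tx, trusted = TRUSTED_SPENDERS) {
  const data = (tx.data || "0x").toLowerCase();
  const approve = decodeApprove(data);
  if (!approve) {
    return { kind: data === "0x" ? "native-transfer" : "other-call", warnings: [] };
  }
  const warnings = [];
  const trustedSpender = trusted.has(approve.spender);
  if (!trustedSpender) warnings.push(`spender ${approve.spender} is not on the allowlist`);
  if (approve.amount === MAX_UINT256) warnings.push("unlimited allowance requested");
  return {
    kind: "erc20-approve",
    token: tx.to,
    spender: approve.spender,
    amount: approve.amount,
    unlimited: approve.amount === MAX_UINT256,
    trustedSpender,
    warnings,
  };
}

// Wrap an EIP-1193 provider so every eth_sendTransaction is inspected first.
// onSuspicious(report) returns true to let a flagged transaction through
// (for example after an explicit, out-of-band user confirmation).
function guardProvider(provider, onSuspicious) {
  return {
    ...provider,
    async request(args) {
      if (args && args.method === "eth_sendTransaction") {
        for (const tx of args.params || []) {
          const report = inspectTransaction(tx);
          if (report.warnings.length > 0 && !onSuspicious(report)) {
            throw new Error("transaction blocked: " + report.warnings.join("; "));
          }
        }
      }
      return provider.request(args);
    },
  };
}

// Constructed sample: approve(<unknown spender>, 2**256-1) sent to a token contract,
// the shape an injected script would produce.
const SAMPLE_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222",
  data:
    APPROVE_SELECTOR +
    "0".repeat(24) + "ab".repeat(20) + // spender word
    "f".repeat(64),                    // amount word: max uint256
};

// Constructed sample: a plain native-coin transfer with no calldata.
const SAMPLE_PLAIN_TX = {
  to: "0x3333333333333333333333333333333333333333",
  value: "0x1",
};

console.log(inspectTransaction(SAMPLE_APPROVE_TX));
console.log(inspectTransaction(SAMPLE_PLAIN_TX));
```

In a real deployment the allowlist would be populated from the dapp's own, separately pinned contract registry rather than from anything served by the front end, since the front end is exactly the component that was compromised here.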