Badger DAO, a decentralized autonomous organization (DAO) that enables bitcoin (BTC) to be used as collateral across decentralized finance (DeFi) applications, has fallen victim to an exploit.
It was originally speculated that the project had lost over USD 10m worth of cryptoassets. However, Etherscan transactions suggest that one of the affected users alone lost around 897 WBTC (wrapped BTC), worth about USD 51m, implying that the hack is much bigger than initially thought.
Furthermore, Etherscan transactions show that the hacker has taken 1,085 WBTC, 136,000 cvxCRV (Convex CRV), 64,000 veCVX, and other vaulted and synthetic crypto assets from users' wallets, pushing the amount stolen to over USD 62m.
The Badger team has confirmed the hack, saying that they have “received reports of unauthorized withdrawals” of user funds, and that smart contracts have been paused to stop withdrawals.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
Meanwhile, some users speculate that the attacker has been “sneaking in approvals in between legit deposit and reward transactions,” stealing funds for approximately 12 days, and add that it could be a so-called rug pull, in which developers abandon a project and run away with investors’ funds.
https://t.co/lZwmUpbgg0 front end/dns was hacked.
User is sneaking in approvals in between legit deposit and reward transactions. He has been stealing funds for approx 12 days so far. Exploit is still live.
short $BADGER to namek
🚨 insider rug alert 🚨 🧸🎯
— napgener CASCADOOOOOR (@napgener) December 2, 2021
However, Badger core contributor Tritium said on Discord that some users might have approved the exploit address to operate on their vault funds. “It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” Tritium said.
“Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,” Tritium added.
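The mechanism Tritium describes, an unexpected ERC-20 approval that lets a third-party address move a user's vault tokens, is something a wallet owner can audit from their own Approval event logs. The following is an added example, not code from the article or from Badger: it decodes logs in the shape returned by the Ethereum JSON-RPC `eth_getLogs` call (constructed inline here) and flags allowances granted to spenders outside a trusted list, marking unlimited ones. All addresses are placeholders; only the Approval topic hash is a real constant.

```python
from typing import Optional

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value many front ends request

def topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes; the address is the last 20.
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict) -> Optional[dict]:
    # Return None for anything that is not an ERC-20 Approval(owner, spender, value).
    if len(log["topics"]) != 3 or log["topics"][0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(log["topics"][1]),
        "spender": topic_to_address(log["topics"][2]),
        "value": int(log["data"], 16),
        "block": int(log["blockNumber"], 16),
    }

def suspicious_approvals(logs: list, wallet: str, trusted_spenders: list) -> list:
    # Flag non-zero allowances the wallet granted to any spender not on the trusted list.
    wallet, trusted = wallet.lower(), {s.lower() for s in trusted_spenders}
    findings = []
    for log in logs:
        ev = decode_approval(log)
        if ev is None or ev["owner"] != wallet or ev["value"] == 0:
            continue  # not an Approval, not our wallet, or a revocation (value 0)
        if ev["spender"] not in trusted:
            ev["unlimited"] = ev["value"] == UINT256_MAX
            findings.append(ev)
    return findings

# Constructed sample data (placeholder addresses, not real on-chain values).
WALLET, VAULT, UNKNOWN, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20
pad = lambda addr: "0x" + "00" * 12 + addr[2:]
SAMPLE_LOGS = [
    # legitimate deposit flow: approve the vault for an exact amount
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(VAULT)], "data": hex(10**18), "blockNumber": "0x10"},
    # approval slipped in to an unknown spender for the maximum uint256 value
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(UNKNOWN)], "data": "0x" + "f" * 64, "blockNumber": "0x11"},
    # a later revocation of that allowance should not be reported
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(UNKNOWN)], "data": "0x0", "blockNumber": "0x12"},
]

if __name__ == "__main__":
    for f in suspicious_approvals(SAMPLE_LOGS, WALLET, [VAULT]):
        print(f"block {f['block']}: {f['token']} approved to {f['spender']} unlimited={f['unlimited']}")
```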