In December 2021, DeFi app BadgerDAO was the victim of a hack.  The attackers stole approximately $120 million in tokens, making this one of the top five largest DeFi hacks to date.

Inside the Attack

Unlike many DeFi hacks, the BadgerDAO hack didn’t involve a flash loan attack or exploit a vulnerability in the project’s smart contracts.  Instead, the attacker took advantage of security issues in the protocol’s front-end.

The hack likely started with a compromised API key for the project’s Cloudflare account.  This allowed the attacker to inject a malicious script into custom routes.

The attacker’s malicious script was triggered when users attempted to perform transactions on BadgerDAO.  The script added unlimited spend approvals for the attacker’s address to the transactions users were asked to sign.  Once these approvals were in place, the attacker could perform transactions that sent tokens from the users’ wallets to the attacker’s account.

The attacker managed to get 500 wallets to create these unlimited approvals and stole about $120 million in tokens from users.  The attack was halted by the Badger team, who exercised the power to freeze all calls to the transferFrom function, blocking further thefts.

Lessons Learned From the Attack

The BadgerDAO hack demonstrates the importance of a comprehensive approach to DeFi security.  From the perspective of the project’s smart contracts, nothing had gone wrong, and the attacker was just using the approvals granted by users.  The real problem was in the front-end, where the attacker was able to insert malicious functionality into Badger’s site.

DeFi needs security audits that look beyond smart contract code, and projects’ security policies should include protection for critical data like API keys.  On the user side, it’s important to never authorize infinite approvals, especially for unknown addresses.
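The approval mechanism abused in this incident, and the user-side advice to refuse infinite approvals, can be enforced before a transaction is signed.  The following is an added example, not code from BadgerDAO or from the original post: it decodes the calldata of a pending ERC-20 approve() or increaseAllowance() call and rejects unlimited allowances, spenders outside a hypothetical allowlist of expected protocol contracts, and amounts above what the user meant to grant.

```javascript
// Added example (not BadgerDAO's code): screen an ERC-20 approval before signing it.
// The injected front-end script asked wallets to sign approve() calls granting an
// unlimited allowance to an address users had never seen. A wallet or front-end can
// decode that calldata and refuse it. Selectors below are the standard ERC-20 /
// OpenZeppelin ones; `knownSpenders` is a hypothetical allowlist supplied by the caller.

const APPROVE_SELECTOR = "095ea7b3";            // approve(address,uint256)
const INCREASE_ALLOWANCE_SELECTOR = "39509351"; // increaseAllowance(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;          // the "infinite approval" value

// Decode approve-style calldata: 4-byte selector followed by two 32-byte ABI words.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) return null; // not a two-argument call
  const selector = hex.slice(0, 8);
  if (selector !== APPROVE_SELECTOR && selector !== INCREASE_ALLOWANCE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) return null; // an address word is left-padded with zeros
  return {
    selector,
    spender: "0x" + spenderWord.slice(24),      // last 20 bytes of the word
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Policy: allow only bounded approvals to spenders the front-end declared up front.
function screenApproval(calldata, knownSpenders, maxAmount) {
  const a = decodeApproval(calldata);
  if (a === null) return { verdict: "not-an-approval" };
  const spenderKnown = knownSpenders.map((s) => s.toLowerCase()).includes(a.spender);
  if (a.amount === MAX_UINT256) return { verdict: "reject", reason: "unlimited allowance", ...a };
  if (!spenderKnown) return { verdict: "reject", reason: "unknown spender", ...a };
  if (a.amount > maxAmount) return { verdict: "reject", reason: "exceeds expected amount", ...a };
  return { verdict: "allow", ...a };
}

// Helper to build constructed sample calldata the way a dapp would ABI-encode approve().
function encodeApproval(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.slice(2).toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Constructed sample: the injected script's request, an unlimited approval to a stranger.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_CALLDATA = encodeApproval(SAMPLE_SPENDER, MAX_UINT256);
console.log(screenApproval(SAMPLE_CALLDATA, [], 0n).verdict); // reject
```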

Rob Behnke
12.08.2021