Bitcoin DeFi tool BadgerDAO hit by estimated $120 million hack

Decentralized autonomous organization BadgerDAO recently suffered a major exploit, and according to the current speculation the attack was executed via the DeFi protocols front-end.

Without revealing any details related to the attack, the team confirmed receiving reports of unauthorized withdrawals of user funds on Twitter, announcing it paused all smart contracts in order to halt further damage.

BadgerDAO leverages infrastructure that allows users to bridge their Bitcoin to other blockchains, thus enabling them to use it as collateral for earning yield in DeFi applications (Dapps).

Counting victims

While confirming that they have “received reports of unauthorized withdrawals of user funds,” the Badger team assured they are investigating the issue.

Meanwhile, PackShield listed the funds that were transferred out during the attack on Twitter, revealing brutal losses, crossing $120 million.

According to the blockchain security and data analytics company, one of the most affected users lost roughly 900 Bitcoin.

Front-end hack

Judging by the early user reports, the attack started on late Wednesday/early Thursday, and according to current speculation on the protocol‘s official Discord channel, an API key for Cloudflare was compromised, which allowed the attacker to tamper with Badger’s front-end interface.

“It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited,” wrote Badger core contributor Tritium on Discord, while clarifying how users were tricked into approving unwanted transactions.

The price of BADGER is down 14% at the time of writing.

The protocol was hit just days before marking a one-year anniversary.