This Thursday morning (2), the DeFi protocol BadgerDAO announced that it was aware of unauthorized withdrawals of user funds, which led it to pause all smart contracts to prevent further withdrawals of this type.
According to PeckShield's report, the total loss was 680 million reais in two cryptocurrencies, Bitcoin and Ethereum. This amount includes around 2,100 BTC (R$677 million) and 151 ETH (R$3.8 million).
Although these attacks are increasingly common, what caught our attention in this case was that a single user lost 897 BTC, equivalent to 289 million reais. Due to the pseudo-anonymity of cryptocurrencies, it is not possible to know who the victim and the attacker are.
Problems started on Wednesday
After noticing the movement of funds, one user asked the BadgerDAO team whether a hack was in progress. He promptly received a reply dismissing his doubt: everything was all right, and it was just a whale moving its funds.
“Is there a hack going on?”
“Nah. Just a whale at play. What makes you think it looks like a hack? It’s weird, actually.”
About twenty minutes later, after being contacted by private message, the team decided to pause all smart contracts to conduct an investigation, believing that there really might be a problem.
“We paused all our smart contracts. We believe there may be a problem. We are investigating to provide more details shortly.”
With that, the team confirmed the hack. The victims had apparently granted the attacker permission to move their tokens, resulting in a loss of 680 million reais in BTC and ETH, most of it in wrapped BTC, a token on the Ethereum network that is backed by bitcoin.
“The front end exploit presented people with a transaction to
for 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 to spend their tokens. As people approved this, the attacker waited for a few days and then stole them all a few hours ago.”
Front end exploit presented people a transaction to
for 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 to spend their tokens. If people approved that, attacker sat on it for a few days, and then rugged them all a few hours ago.
— Max Block (🏰,🏰) (@fewture) December 2, 2021
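As an added example (not from the original article or from BadgerDAO), the following Python shows how a user or responder could replay ERC-20 `Approval` logs to find allowances still open to the spender address quoted above. The log dicts mirror the shape of `eth_getLogs` results; the token and owner addresses and all sample logs are constructed values.

```python
# topic0 of the ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
WATCHED_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"  # address quoted in the tweet
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_allowances(logs, spender=WATCHED_SPENDER):
    """Return {(token, owner): amount} for allowances to `spender` that are still non-zero."""
    ordered = sorted(
        logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    state = {}
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but has 4 topics (indexed tokenId): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)   # a later approval of 0 revokes the allowance
        else:
            state[key] = amount    # the latest event overwrites earlier ones
    return state

# --- Constructed sample data (hypothetical token and owners, not real chain logs) ---
def pad_topic(addr):
    return "0x" + addr[2:].rjust(64, "0")

def make_log(block, idx, token, owner, spender, amount):
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad_topic(owner), pad_topic(spender)],
            "data": "0x" + format(amount, "064x")}

TOKEN = "0x" + "aa" * 20
ALICE, BOB, OTHER = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "ff" * 20
SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, ALICE, WATCHED_SPENDER, UNLIMITED),  # still open
    make_log(101, 2, TOKEN, BOB, WATCHED_SPENDER, 5 * 10**8),    # revoked below
    make_log(102, 0, TOKEN, ALICE, OTHER, 10**8),                # different spender
    make_log(105, 1, TOKEN, BOB, WATCHED_SPENDER, 0),            # Bob's revocation
]

if __name__ == "__main__":
    for (token, owner), amount in open_allowances(SAMPLE_LOGS).items():
        print(f"OPEN allowance: owner={owner} token={token} amount={amount}")
```

Any pair this reports still lets the spender move that owner's tokens until the owner submits a new approval of zero for that token.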
A single user lost 897 BTC
Of the BRL 680 million, around 42% belonged to a single user, who lost BRL 289 million in bitcoin. The transaction, which can be viewed on Etherscan, shows that exactly 896.85987522 byvWBTC (a token on the Ethereum network backed by BTC) was moved at 21:00 GMT.
Due to the pseudo-anonymity of cryptocurrencies, the identities of the victim and attacker remain a mystery. Despite that, the BadgerDAO community seems willing to solve this case: its Discord channel is full of amateur investigators trying to recover the lost amount.
BadgerDAO’s token price has fallen 22% in the last 24 hours, reflecting the concerns of its investors after the attack.