BadgerDAO, maker of a decentralized finance (DeFi) protocol, said on Wednesday that it is investigating reports that millions in user funds have been stolen.
“As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals,” the company wrote in a Twitter post. “Our investigation is ongoing and we will release further information as soon as possible.”
PeckShield, a blockchain security firm, put the losses at $120.3 million, if translated to fiat currency.
The DAO in BadgerDAO stands for Decentralized Autonomous Organization, which means the company is “run by our users – not VCs, whales, or institutions”. It also perhaps explains its deer-in-the-headlights crisis communication.
The firm makes a product called Sett that lets users deposit crypto assets and loan them out to earn interest or yield. It has disabled withdrawals and deposits until it can sort out the mess.
The Register attempted to contact the firm and one of its software developers but, like many DeFi companies, BadgerDAO doesn’t list a central headquarters or a phone number, nor maintain common communication channels like email. Instead, it directs customers to its Discord channel. No, really. Discord.
Therein, BadgerDAO personnel have attributed the incident to a malicious script injected into their app’s web-based interface. An individual, posting under the name @mitche50 (who we believe to be BadgerDAO developer Andrew Mitchell) has said it appears an API key for Cloudflare was compromised.
“Through this, the hacker was able to create a script, inject the script into custom routes and serve the frontend with the malicious script injected,” mitche50 wrote in a Discord message. “The malicious script would interact with the injected web3 provider and intercept any web3 transactions. When it did that, it would search the API for the user’s highest Sett balance, and request approval for that Sett for the hacker’s address. They ran this for 1–2 hours, then removed the script, and ran that at random intervals to avoid detection.”
The largest loss to an individual is said to be ~900 BTC, which at today’s prices amounts to about $51 million.
Not all of the missing funds are necessarily gone forever. On Thursday, company representatives addressing user concerns on Discord announced that they plan to issue more formal communication about the incident, what can be recovered and what can’t, once they’ve gathered more information.
The company’s website goes on at length about its security practices while teasing the possibility of “returns well in excess of 75 per cent APY” and simultaneously warning that “attacks can still happen resulting in loss of user funds”.
MonoX sounds rather sad that it has come to this. “Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money,” the firm lamented. “Our supporters put their faith in a new project like us, and yesterday we let them down.”
The cause? A “smart contract” bug.
Yes, people still use the term “smart contract” with a straight face, even though they would be laughed out of the room were they to use an equivalent assertion of overconfidence like “my bug-free code,” “my hand-knitted BSL-4 positive pressure suit,” or “my impenetrable self-rolled crypto library”.
“The exploit was caused by a smart contract bug that allows the sold and bought token to be the same,” the biz explained in its post. That doesn’t sound all that “smart”.
The attacker was able to swap MONO tokens with themselves to drive up their value. “The attacker then used the highly priced MONO to purchase all the other assets in our pool and drained the funds,” the company admitted, noting that the attack “was completed through a script, and was highly organized”.
On the bright side, MonoX purchased $1 million worth of insurance, which should soften, ever so slightly, the $31 million loss.
Coincidentally, on Wednesday, finance biz Square, keen to ride the crypto finance wave, changed its name to Block while its Bitcoin subsidiary Square Crypto rebranded itself Spiral. ®