In 2021, the DeFi ecosystem grew by over 20x, attracting millions of investors hoping to get a piece of the action. The rise of DeFi popularity also led to scams and hacks that in 2021 alone resulted in $1.6B+ of stolen funds. During the past few weeks, there was a spike in hacked DeFi projects, including bZx, SnowDog, Monox, and most recently BadgerDAO.
At Redefine, we believe in the DeFi vision and are continuously improving DeFi users’ security. The recent barrage of attacks is setting our industry back and giving it a bad reputation. We must improve the industry security standards to prevent these attacks from happening.
This article sheds light on the BadgerDAO attack and demonstrates the need for a more comprehensive approach to DeFi security.
BadgerDAO, known for its emphasis on security and user safety, has been audited many times and was among the first in DeFi to use a guarded launch strategy. In addition, it partnered with Nexus Mutual to offer insurance with very low premiums, signaling its faith in the platform’s security.
The hacking of a reputable project such as BadgerDAO is always a concerning event because it undermines the integrity of the ecosystem and shakes the confidence of investors. Therefore, it is important to investigate the attack and learn from it.
On Wednesday, December 1, 2021, BadgerDAO suffered an attack that resulted in the theft of investor funds to the tune of 120 million USD. The attacker transferred funds from multiple users after tricking them into approving a malicious spender. According to PeckShield, which assisted in the postmortem investigation, the first of these approvals occurred as early as November 20 of this year.
It is essential to know how the approve function works to understand the mechanics of the attack. Because of the way ERC-20 (the most common Ethereum token standard) is designed, users can’t just send tokens to a DeFi platform; they must ‘Approve’ the platform to ‘spend’ the tokens on the user’s behalf.
This is done by signing and sending an approve transaction to the designated DeFi platform giving the smart contract permission to act as a ‘spender’ and access a certain number of tokens from a user’s wallet.
This functionality makes it critical to carefully control which contracts are approved as spenders and how many tokens they are allowed to spend. The BadgerDAO hack made use of this approval functionality to get users to sign a malicious transaction; this is explained in more detail below.
Unlike common attacks on DeFi protocols, this attack did not originate from a smart contract exploit, nor is it related in any way to the project's business logic. The attack on BadgerDAO was executed by exploiting vulnerabilities in the frontend of the dApp.
Frontends are not strictly necessary for interacting with DeFi protocols but are meant to improve the user experience. Most users choose to use the protocol’s web app and frontend rather than write their own code to interact with contracts. This makes the frontend and web app an inseparable part of the DeFi platform and adds to the potential attack surface. Typically, frontends are hosted and served in a traditional “centralized” manner, making them susceptible to traditional web application security risks.
The attackers also used a less common ERC-20 method to request approvals (calling increaseAllowance() rather than approve()), presumably to better mask the true purpose of the malicious transaction.
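The approval mechanism described above, and the increaseAllowance() variant the attackers used, can both be checked before a user signs. The following script is an added example written for this article; it is not BadgerDAO, PeckShield or Redefine code. It decodes the calldata of an approve() or increaseAllowance() call and raises the warnings a wallet or monitoring layer would want to surface: an unknown spender, an allowance raised through increaseAllowance(), and an unlimited or oversized amount. The token balance, the "trusted spender" list and the two calldata samples are constructed placeholders; the four-byte selectors are the canonical ones for these ERC-20 / OpenZeppelin signatures.

```python
"""Decode ERC-20 approval calldata and flag risky allowances before signing.

Added example for this article; not BadgerDAO or Redefine code. Addresses,
balances and calldata samples below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 4-byte selectors = first 4 bytes of keccak256(signature). These are the
# canonical values for the core ERC-20 approve() and the OpenZeppelin
# allowance extensions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
}

UINT256_MAX = 2**256 - 1


@dataclass
class Approval:
    method: str
    spender: str   # lowercase 0x-prefixed hex address
    amount: int


def decode_approval(calldata: str) -> Optional[Approval]:
    """Return the decoded approval, or None if this is not an approval call."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:          # selector + two ABI-encoded words
        return None
    method = SELECTORS.get(data[:8])
    if method is None:
        return None
    word1, word2 = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its 32-byte word; the high
    # 12 bytes must be zero padding, otherwise the encoding is malformed.
    if word1[:24] != "0" * 24:
        return None
    return Approval(method, "0x" + word1[24:], int(word2, 16))


def assess_approval(calldata: str, trusted_spenders: Iterable[str],
                    wallet_balance: int) -> List[str]:
    """Warnings a wallet or monitoring layer could show before the user signs.

    An empty list means no red flag was found for this transaction.
    """
    approval = decode_approval(calldata)
    if approval is None:
        return []
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []
    if approval.spender not in trusted:
        warnings.append(f"spender {approval.spender} is not a known contract of this protocol")
    if approval.method.startswith("increaseAllowance"):
        warnings.append("allowance raised via increaseAllowance() rather than approve()")
    if approval.amount == UINT256_MAX:
        warnings.append("unlimited allowance requested")
    elif approval.amount > wallet_balance:
        warnings.append("allowance exceeds the wallet's current token balance")
    return warnings


# Constructed placeholders: a protocol's legitimate vault contract and an
# unrelated spender address that does not belong to the protocol.
TRUSTED_SPENDER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "22" * 20
WALLET_BALANCE = 10**18            # constructed: 1 token with 18 decimals

# Constructed calldata: approve(TRUSTED_SPENDER, 1000)
BENIGN_CALLDATA = "0x095ea7b3" + "0" * 24 + "11" * 20 + format(1000, "064x")
# Constructed calldata: increaseAllowance(UNKNOWN_SPENDER, uint256 max)
SUSPICIOUS_CALLDATA = "0x39509351" + "0" * 24 + "22" * 20 + "f" * 64

if __name__ == "__main__":
    for label, calldata in (("benign", BENIGN_CALLDATA), ("suspicious", SUSPICIOUS_CALLDATA)):
        print(label, assess_approval(calldata, [TRUSTED_SPENDER], WALLET_BALANCE) or ["no warnings"])
```

The spender check is the important one: a frontend that has been tampered with can present any spender address in the transaction it asks the wallet to sign, so the allow-list of known protocol contracts has to live outside the frontend (in the wallet, a browser extension or a monitoring service), not in the web app that is being protected.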
Once the Badger team became aware of the attack, they paused the contracts so that no further transfers could be made.
The attacker managed to get away with ~2.1K BTC and 151 ETH.
Currently, the options available for evaluating the safety and security of a DeFi platform before investing rely heavily on reviewing the smart contract’s source code and professional audits. The BadgerDAO attack demonstrated that these steps are not enough; instead, investors should widen their scope and take many different risk factors into account when evaluating a platform. Even the most decentralized DeFi projects usually have centralized components that are vulnerable to classic exploits like phishing and social engineering.
Redefine’s holistic solution offers multiple layers of security, three of which would have identified the BadgerDAO attack in real time and could have protected investors from it. Interested in learning more? Contact us!