BadgerDAO Post Mortem Details Fourth-Largest DeFi Exploit

Share Article
In Brief
  • Attacker exploited the front end of the BadgerDAO dApp.

  • User wallets were drained to the tune of $120M.

  • BADGER prices tanked 25% since the attack.

  • promo

    KuCoin Releases KCS whitepaper – a Path for Geek to Mass Adoption Read now!

The Trust Project is an international consortium of news organizations building standards of transparency.

The multi-million dollar exploit of the BadgerDAO protocol has made it the fourth largest ever decentralized finance attack.

On Dec 2 the Bitcoin DeFi protocol BadgerDAO suffered a monumental exploit that resulted in the loss of $120 million. The Rekt blog has delved into the details and carried out a post mortem on what it has labeled “roadkill.”

The attacker exploited the front end of the BadgerDAO decentralized application. According to Rekt, the malicious actor inserted additional approvals to send user tokens to their own address. This hijacked trust was then used to pilfer the loot.

DeFiYield, which has added BadgerDAO to the fourth rank in its exploit list, explained:

Many impacted users alleged that while receiving yield farming rewards and engaging with Badger vaults, their wallet providers prompted them with spurious requests for extra permissions.

Too little, too late for BadgerDAO

BadgerDAO paused the system as the news emerged that wallets were being drained, but two hours and 20 minutes after the attack began, it was too little too late.

Most of the stolen assets were vault deposit tokens which were cashed out using the underlying BTC which backed them.

BadgerDAO offered a number of vaults generating yields on wrapped Bitcoin. Its flagship product was the Sett vault where users can deposit tokenized BTC in the vault to generate an automated yield.

Rekt went on to explain that the approvals appeared when users attempted to make legitimate deposits and reward claim transactions. It added that this resulted in “building a base of unlimited wallet approvals that allowed the attacker to transfer BTC-related tokens directly from the user’s address.”

The first instance of approvals for the hacker’s address was almost two weeks ago, according to Peckshield. Anyone interacting with the platform since then, may have inadvertently approved the attacker to drain funds.

It added that a user flagged the spurious approval on Discord before the attack yet Badger did not investigate.

The ill-fated DeFi protocol now rests behind Cream Finance which lost $130 million in a flash loan exploit, BXH protocol which had private keys compromised resulting in a $140 million loss, and the granddaddy of them all — Poly Network.

BADGER prices tank

Predictably, BADGER prices have been hit hard with a 25% slump since the news broke. At the time of press, BADGER was changing hands for just below $21 according to CoinGecko.

The asset has dumped 76% from its Feb 9 all-time high of $89 and chances of recovery are looking slim.


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Share Article

Martin has been covering the latest developments on cyber security and infotech for two decades. He has previous trading experience and has been actively covering the blockchain and crypto industry since 2017.

Follow Author

KuCoin Releases KCS whitepaper – a Path for Geek to Mass Adoption      

Read now

KuCoin Releases KCS whitepaper – a Path for Geek to Mass Adoption

Read now

Olympus, a P2E NFT Game Similar to Clash Royale, Is Making Headlines

Read Now