Badger DAO - Attack Post-Mortem
Overview
BadgerDAO, a DeFi protocol for bringing Bitcoin to Ethereum through wrapped BTC vaults, suffered a significant security breach on December 2, 2021.
Financial Impact
Total Loss: $120 million in various forms of wBTC and ERC20 tokens
Ranking: Number four on REKT's leaderboard
Example Loss: One victim lost ~900 byvWBTC (worth over $50M) in a single transaction
Attack Vector: Front-End Compromise
The attacker injected malicious code into Badger's front-end interface that inserted unauthorized token approvals when users performed legitimate actions.
Attack Timeline
Initial Compromise: Approximately 12 days before the theft (around November 20, 2021)
Attack Execution: Started 00:00:23 UTC on December 2, 2021
Duration: Approximately 2 hours 20 minutes before smart contracts were paused
Technical Details
Exploit Mechanism
The malicious front-end presented users with additional approval requests disguised as legitimate transactions for deposits and reward claims. These approvals used the increaseAllowance() function to grant unlimited spending rights to the attacker's address.
Attacker's Address: 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107
Affected Users: Over 500 addresses approved the attacker's address
Example Transaction
Hash: 0x951babdddbfbbba81bbbb7991a959d9815e80cc5d9418d10e692f41541029869
Victim Address: 0x53461e4fddcc1385f1256ae24ce3505be664f249
Approval Transaction: 0x5e4c7966b0eaddaf63f1c89fc1c4c84812905ea79c6bee9d2ada2d2e5afe1f34 (executed ~6 hours before drainage)
Root Causes
1. Compromised Front-End: Suspected Cloudflare account compromise allowed injection of malicious approval requests
2. Lack of Monitoring: Security team did not investigate a user's warning in Discord about suspicious increaseAllowance() calls
3. User Awareness Gap: Legitimate users cannot realistically identify fraudulent approvals when the front-end is compromised
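As an added example (not Badger's code), the kind of allowance monitoring that root cause 2 calls for: a scanner over ERC-20 Approval event logs that flags unlimited allowances and spenders outside an allow-list. increaseAllowance() emits the same Approval event as approve(), so the rogue grants described under Exploit Mechanism are visible in ordinary event logs. The trusted-spender set and the sample logs are constructed; the denylisted spender is the attacker address quoted above.

```python
from typing import Optional

# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_THRESHOLD = 2**128  # heuristic: far larger than any realistic token supply
# Spenders the front-end legitimately asks users to approve; constructed placeholder
# standing in for the protocol's own vault/router contracts.
TRUSTED_SPENDERS = {"0x" + "ab" * 20}
# Attacker address quoted in the post-mortem.
KNOWN_BAD_SPENDERS = {"0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"}

def _topic_to_address(topic: str) -> str:
    # Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def classify_approval(log: dict) -> Optional[dict]:
    """Return a finding for a suspicious Approval log, or None if benign or not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # not an Approval(owner, spender, value) event
    owner, spender = _topic_to_address(topics[1]), _topic_to_address(topics[2])
    value = int(log["data"], 16)  # non-indexed uint256: the allowance after the call
    reasons = []
    if spender in KNOWN_BAD_SPENDERS:
        reasons.append("spender is a known attacker address")
    elif spender not in TRUSTED_SPENDERS:
        reasons.append("spender is not a known protocol contract")
    if value >= UNLIMITED_THRESHOLD:
        reasons.append("unlimited allowance")
    if not reasons:
        return None
    return {"token": log["address"].lower(), "owner": owner,
            "spender": spender, "value": value, "reasons": reasons}

def scan_logs(logs: list) -> list:
    """Run classify_approval over a batch of eth_getLogs results, keeping only findings."""
    return [f for f in (classify_approval(log) for log in logs) if f is not None]

def make_approval_log(token: str, owner: str, spender: str, value: int) -> dict:
    """Build a constructed Approval log in eth_getLogs shape (test data only)."""
    pad = lambda addr: "0x" + addr[2:].lower().rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample: one legitimate vault approval, then a rogue unlimited approval.
SAMPLE_LOGS = [
    make_approval_log("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ab" * 20, 10**18),
    make_approval_log("0x" + "11" * 20, "0x" + "22" * 20,
                      "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107", 2**256 - 1),
]
```

Fed with real eth_getLogs output filtered on APPROVAL_TOPIC, the same scan would have surfaced the approvals to the attacker address in the hours before the drainage; the Discord warning in root cause 2 described exactly this pattern.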
Fund Recovery & Remediation
Immediate Actions
• Smart contract pause activated, halting further losses
• Pause enabled through an "unusual" feature in the transferFrom() function
Recovery Steps
• Stolen assets were converted: vault deposit tokens cashed out, underlying BTC bridged to Bitcoin network, remaining ERC20 tokens liquidated
• Current fund locations tracked by security analysts
User Protection
Users advised to check and revoke approvals at: etherscan.io/tokenapprovalchecker
Lessons Learned
The incident highlights critical vulnerabilities in DeFi infrastructure:
> "Infinite approval means unlimited trust - something which we know we shouldn't do in DeFi"
Key takeaways:
• URL verification cannot protect against compromised front-ends
• Traditional security assumptions fail when presentation layers are compromised
• DeFi mass adoption requires streamlined approval verification mechanisms
• Wallet hygiene and approval management are essential survival practices