BadgerDAO users suffered a 120M theft, not because of a #smartcontract flaw but because of an infected frontend. The attackers got their hands on one of the DAO's Cloudflare API keys and used it to modify the site's web3 interactions, tricking unsuspecting users into approving asset transfers while they genuinely believed they were depositing or redeeming rewards.
Users were shown the familiar MetaMask confirmation screen, but the operation they signed was not the one they had requested, or was only part of it. Through what is called a "circuit breaker" it was possible to pause the smart contracts and limit the damage.
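The check below is an added example, not code from the post or from BadgerDAO. It shows the wallet-side (or browser-extension) defence that would have exposed this kind of tampered frontend: decode the raw calldata a dapp hands to the wallet and flag any ERC-20 `approve`/`increaseAllowance` whose spender is not a contract the user expects to move their tokens, or whose amount is an unlimited allowance. The token, vault and spender addresses are constructed placeholders; the function selectors are the standard ERC-20 ones.

```javascript
// Added example (not from the original post or BadgerDAO's code): inspect the
// calldata a front end asks the user to sign and flag unexpected approvals.

// First 4 bytes of keccak256 of each ERC-20 function signature.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address,uint256)
  "0x39509351": "increaseAllowance", // increaseAllowance(address,uint256)
  "0xa9059cbb": "transfer",          // transfer(address,uint256)
  "0x23b872dd": "transferFrom",      // transferFrom(address,address,uint256)
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Split "0x" + 4-byte selector + 32-byte ABI words into a structured object.
function decodeCalldata(data) {
  const hex = String(data).replace(/^0x/i, "").toLowerCase();
  if (hex.length < 8 || hex.length % 2 !== 0 || !/^[0-9a-f]*$/.test(hex)) {
    return { selector: null, fn: "invalid", words: [] };
  }
  const selector = "0x" + hex.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, fn: SELECTORS[selector] || "unknown", words };
}

const wordToAddress = (w) => "0x" + w.slice(24); // address = last 20 bytes of the word
const wordToUint = (w) => BigInt("0x" + w);

// Decide whether a pending transaction should be signed. `trustedSpenders` is the
// allow-list of contracts the user expects to move their tokens (e.g. the vault).
function assessRequest(tx, trustedSpenders) {
  const { fn, words } = decodeCalldata(tx.data);
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));

  if (fn === "approve" || fn === "increaseAllowance") {
    if (words.length < 2) return { verdict: "block", reason: `${fn}: malformed arguments` };
    const spender = wordToAddress(words[0]);
    const amount = wordToUint(words[1]);
    const unlimited = amount === MAX_UINT256;
    if (!trusted.has(spender)) {
      return { verdict: "block", reason: `${fn} to untrusted spender ${spender}` + (unlimited ? " (unlimited)" : "") };
    }
    if (unlimited) return { verdict: "warn", reason: `${fn}: unlimited allowance for ${spender}` };
    return { verdict: "allow", reason: `${fn}: bounded allowance of ${amount} for ${spender}` };
  }

  if (fn === "transfer" || fn === "transferFrom") {
    // Recipient is the first word for transfer, the second for transferFrom.
    const recipientWord = fn === "transfer" ? words[0] : words[1];
    if (!recipientWord) return { verdict: "block", reason: `${fn}: malformed arguments` };
    const to = wordToAddress(recipientWord);
    return trusted.has(to)
      ? { verdict: "allow", reason: `${fn} to trusted address ${to}` }
      : { verdict: "warn", reason: `${fn} to address outside the allow-list: ${to}` };
  }

  return { verdict: "allow", reason: `${fn} call: no allowance change` };
}

// Constructed sample addresses (placeholders, not real contracts).
const TOKEN = "0x" + "11".repeat(20);
const VAULT = "0x" + "22".repeat(20);
const UNEXPECTED_SPENDER = "0x" + "33".repeat(20);

// ABI-encode approve(spender, amount) the way a front end would.
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + spender.slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// What a tampered front end hands to the wallet while the user clicks "deposit":
// an unlimited approval for an address that is not the vault.
const malicious = { to: TOKEN, data: encodeApprove(UNEXPECTED_SPENDER, MAX_UINT256) };
// What the genuine deposit flow asks for: a bounded approval for the vault.
const legitimate = { to: TOKEN, data: encodeApprove(VAULT, 1000n) };

console.log(assessRequest(malicious, [VAULT]));  // verdict: "block"
console.log(assessRequest(legitimate, [VAULT])); // verdict: "allow"
```

The point of the allow-list is that the MetaMask prompt alone does not tell the user whom they are authorising; the spender is buried in the second ABI word. Decoding it and comparing against the contracts the user actually interacts with turns a look-alike confirmation screen into a visible mismatch, and flagging unlimited amounts limits the blast radius even when the spender is legitimate.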
The BadgerDAO team did not confirm the exploit at first, but posted a tweet signalling a potential problem. All Badger smart contracts were frozen in an attempt to prevent further harmful withdrawals.
The first reports of BadgerDAO’s security breach surfaced in early December. On December 1, the protocol officially announced that it had received multiple requests for unauthorized withdrawals of user funds. Badger’s team continued to investigate the issue and suspended all smart contracts on the protocol to prevent further losses.
Although some last-minute experts love to point fingers and play the expert on social media the next day, these hacks confront us with the fact that we are in a new world that is not yet equipped to manage certain asset flows. The solution is to mitigate the risks and have emergency strategies, not to create perfect, unassailable code. What is unpredictable is not just the flaw in the code but human behavior, and no audit can prevent it all; only long experience, made of defeats, can.