On Wednesday, almost $120 million (approximately Rs 899 crore) was stolen from several cryptocurrency wallets on BadgerDAO, a decentralised finance (DeFi) platform. BadgerDAO is a DAO that allows Bitcoin to be used as collateral in DeFi applications; put simply, Bitcoin can be used to secure loans. BadgerDAO runs on the Ethereum network and offers vaults in which users deposit their Bitcoin to earn market-based rewards.
PeckShield, a blockchain data and analytics startup, is helping BadgerDAO investigate the incident. According to a report in The Verge, members of the BadgerDAO team told users that they believe the problem was caused by someone injecting a malicious script into the website's UI.
While the malicious script was active, it intercepted the Web3 transactions of visitors interacting with the site and inserted a request to transfer the victim's tokens to an address chosen by the attacker. The one advantage of the platform's transparency is that the blockchain is public, so anyone can observe what happened once the attackers started using the script. According to PeckShield, the attackers received 896 Bitcoin valued at more than $50 million (approximately Rs 374 crore) in a single transaction.
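The attack worked because the page's JavaScript sits between the user and the wallet: whatever the script hands to the injected Web3 provider is what the wallet asks the user to sign. The following is an added example, not BadgerDAO code or anything from the incident, of the kind of client-side guard that the later advice to refuse transactions to the attacker's address implies. It wraps a provider's `request` method, decodes the most common ERC-20 calls (`transfer`, `transferFrom`, `approve`, `increaseAllowance`, going beyond the plain transfer the article mentions, because an approval lets the attacker pull tokens later with `transferFrom`), and blocks any call whose recipient or spender is not on an allowlist of known contracts. The addresses, the allowlist and the fake provider are all constructed for the demonstration; the four function selectors are the real first four bytes of the keccak256 hash of each canonical ERC-20 signature.

```javascript
// Added example: a guard that inspects eth_sendTransaction requests before
// they reach the wallet. Not BadgerDAO code; addresses below are constructed.

// Function selectors (first 4 bytes of keccak256 of the canonical signature)
// and the position of the counterparty (recipient or spender) and amount.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer",          argc: 2, counterparty: 0, amount: 1 },
  "0x23b872dd": { name: "transferFrom",      argc: 3, counterparty: 1, amount: 2 },
  "0x095ea7b3": { name: "approve",           argc: 2, counterparty: 0, amount: 1 },
  "0x39509351": { name: "increaseAllowance", argc: 2, counterparty: 0, amount: 1 },
};

// ABI-encode one 32-byte word from a hex address or hex amount (no 0x needed).
function encodeWord(hex) {
  return hex.replace(/^0x/i, "").toLowerCase().padStart(64, "0");
}

// Build calldata for a selector plus its ABI-encoded static arguments.
function encodeErc20Call(selector, args) {
  return selector + args.map(encodeWord).join("");
}

// Decode calldata into { method, counterparty, amount } or null if unknown.
function decodeErc20Call(data) {
  if (typeof data !== "string" || !data.startsWith("0x") || data.length < 10) return null;
  const spec = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!spec) return null;
  const words = data.slice(10).match(/.{64}/g) || [];
  if (words.length < spec.argc) return null;
  return {
    method: spec.name,
    counterparty: "0x" + words[spec.counterparty].slice(24), // last 20 bytes of the word
    amount: BigInt("0x" + words[spec.amount]),
  };
}

// Decide whether a single transaction object may be forwarded to the wallet.
function inspectTransaction(tx, allowlist) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  const call = decodeErc20Call(tx.data || "0x");
  if (call) {
    // Token call: the party that receives funds or spending rights must be known.
    if (!allowed.has(call.counterparty.toLowerCase())) {
      return { ok: false, reason: `${call.method} to unlisted ${call.counterparty}`, call };
    }
    return { ok: true, call };
  }
  // Plain ETH transfer or unrecognised call: the destination itself must be known.
  const to = (tx.to || "").toLowerCase();
  if (!allowed.has(to)) return { ok: false, reason: `call to unlisted ${tx.to || "(none)"}` };
  return { ok: true };
}

// Check a full JSON-RPC request; only eth_sendTransaction carries transactions.
function checkRequest(args, allowlist) {
  if (!args || args.method !== "eth_sendTransaction") return { ok: true };
  for (const tx of args.params || []) {
    const verdict = inspectTransaction(tx, allowlist);
    if (!verdict.ok) return verdict;
  }
  return { ok: true };
}

// Wrap an EIP-1193 style provider so blocked requests never reach the wallet.
function guardProvider(provider, allowlist) {
  const original = provider.request.bind(provider);
  return {
    request(args) {
      const verdict = checkRequest(args, allowlist);
      if (!verdict.ok) return Promise.reject(new Error("blocked: " + verdict.reason));
      return original(args);
    },
  };
}

// Demonstration with constructed addresses and a fake provider (no network).
const VAULT = "0x1111111111111111111111111111111111111111";    // constructed: legitimate vault
const TOKEN = "0x2222222222222222222222222222222222222222";    // constructed: token contract
const UNLISTED = "0x3333333333333333333333333333333333333333"; // constructed: not on the allowlist
const fakeProvider = { request: async () => "0xfaketxhash" };
const guarded = guardProvider(fakeProvider, [VAULT]);

const legit = { to: TOKEN, data: encodeErc20Call("0x095ea7b3", [VAULT, (10n ** 18n).toString(16)]) };
const injected = { to: TOKEN, data: encodeErc20Call("0xa9059cbb", [UNLISTED, (10n ** 18n).toString(16)]) };

guarded.request({ method: "eth_sendTransaction", params: [legit] })
  .then((h) => console.log("forwarded:", h));
guarded.request({ method: "eth_sendTransaction", params: [injected] })
  .catch((e) => console.log(e.message));

module.exports = { encodeErc20Call, decodeErc20Call, inspectTransaction, checkRequest, guardProvider };
```

The guard only helps if it runs before the injected script can replace `window.ethereum.request`, so in practice it belongs in the wallet or a browser extension rather than in the same page the attacker controls; the same decoding logic is what a wallet's transaction preview should surface to the user.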
The malicious script first appeared on the BadgerDAO website on November 10, and the attackers enabled it only intermittently to avoid detection. Once the BadgerDAO team learned of the problem, it paused all of its smart contracts, effectively freezing the platform, and told users to reject any transaction to the attacker's address.
“Badger has retained data forensics experts Chainalysis to investigate the full scope of the incident,” the company said in a tweet. “Authorities in both the US and Canada have been informed, and Badger is fully cooperating with external investigations as well as proceeding with its own.” The attack did not exploit any flaw in the blockchain itself; instead, the attackers took advantage of the web 2.0 components, the website front end, through which users submit their transactions.
It is not yet known how much of the stolen funds can be recovered, or how affected users will be compensated for their losses.