Badger DAO, a decentralized autonomous organization (DAO) that enables bitcoin (BTC) to be used as collateral across decentralized finance (DeFi) applications, has fallen victim to an exploit.
It was originally speculated that the project has lost over USD 10m worth of cryptoassets. However, Etherescan transactions suggest that one of the affected users has lost around 897 WBTC (wrapped BTC) (USD 51m), implying that the hack is much bigger than initially thought.
Furthermore, Etherescan transactions show that the hacker has taken WBTC 1,085), 136,000 cvxCRV (Convex CRV), 64,000 veCVX, and other forms of vaulted and synthetic crypto assets from users wallets – pushing the amount stollen over USD 62m.
However, upon further research, blockchain analytics and security firm PeckShield argued that the total amount lost in this hack is a whopping USD 120.29m. This includes a significant amount of bitcoin and ethereum: BTC 2,100 and ETH 151, per their calculations.The company also provided a list of addresses as the stolen funds’ “current whereabouts.”
BadgerDAO has not denied or confirmed this information by the time of writing. Per their latest updates, they are continuing the investigation.
“Badger has retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own,” said a tweet.
Meanwhile, per some Twitter users, as well as those on Reddit, the one person/entity that lost nearly 897 Badger WBTC – currently worth USD 50.39m – to the exploiter was none other than Celsius Network (CEL). The reason behind the conclusion that “this address is owned by Celsius” is that “it has interacted with other addresses known to be owned by them.” The users continued to provide a list of addresses that are allegedly connected to Celsius and have interacted with each other – but the Redditor also emphasized that this is just speculation.
Cryptonews.com has reached out to Celsius for a comment.
On Thursday, the Badger team has confirmed the hack, saying that they have “received reports of unauthorized withdrawals” of user funds, and that smart contracts have been paused to stop withdrawals.
Meanwhile, some users speculate that the attacker has been “sneaking in approvals in between legit deposit and reward transactions,” stealing funds for approximately 12 days, adding that it could be a so-called rug pull, when developers abandon a project and run away with investors’ funds.
However, Badger core contributor Tritium said on Discord that some users might have approved the exploit address to operate on their vault funds. “It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” Tritium said.
“Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,” Tritium added.
– MonoX Team Confirms Exploit, USD 30M+ Might Be Stolen
– AnubisDAO Points at ‘Critical Mistake’ After Losing USD 60M of Investors Money
– Cream Finance Suffers Another Exploit as Attacker Runs Away With USD 100M+
– Vee Finance Reports an USD 36M Exploit, VEE Takes a Dive
– SushiSwap’s MISO Suffers USD 3M Attack, Contract Thefts May Rise
– A Tale of Two Hacks: Poly Hacker Bows Out, Liquid to Restore Operations
(Updated on December 3, at 15:46 UTC with additional details and comments.)