Hackers stole $120 million in crypto from a DeFi website on Wednesday night. According to Peckshield, a blockchain security and data analytics startup that is partnering with Badger to investigate the incident, the multiple tokens lost in the attack are valued at roughly $120 million.
— PeckShield Inc. (@peckshield) December 2, 2021
While the investigation is still ongoing, members of the Badger team have informed customers that they believe the incident was caused by someone inserting a malicious script into their website’s user interface. For any users who interacted with the site while the script was active, the script would intercept Web3 transactions and insert a request to transfer the victim’s tokens to the attacker’s selected address.
The investigation continues.
Badger has retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
As the transactions are transparent, we can see what happened when the attackers pounced. PeckShield cited one transaction in which the attacker received 896 Bitcoin worth more than $50 million. According to the experts, the malicious code first appeared on November 10th, and the attackers executed it at seemingly random intervals to avoid detection.
Decentralized finance (or DeFi) systems make use of blockchain technology to allow cryptocurrency owners to engage in more typical financial operations like lending and earning interest. “Rest easy knowing you never have to give over the private keys for your crypto, you can withdraw whenever you want, and our strategists are working day and night to put your assets to work,” BadgerDAO tells users. Its protocol enables Bitcoin owners to “bridge” their money to the Ethereum platform via its token, allowing them to take advantage of DeFi opportunities that they would otherwise be unable to access.
After becoming aware of the fraudulent transfers, Badger halted all smart contracts, effectively freezing the platform, and advised users to deny all transactions to the attacker’s addresses.
“We’ve recruited data forensics experts Chainalysis to uncover the entire scope of the issue,” the business announced Thursday night. “Authorities in both the US and Canada have been informed, and Badger is working completely with external investigations as well as progressing with its own.”
Badger is looking into how the attacker allegedly gained access to Cloudflare using an API key that should have been protected by two-factor authentication. While the attack did not uncover any specific faults in blockchain technology, it did compromise the older “web 2.0” technology that most users must employ in order to complete transactions.
Multi-factor authentication systems protect against many phishing tactics and mass credential-stuffing attacks. Despite this, experts have frequently warned about targeted phishing attacks that may be used to get around it, and toolkits to automate the process have been available for years.
In a 2019 alert (pdf), the FBI noted that criminals’ ability to circumvent MFA was expanding, and advised adjustments or training that may make such attacks more difficult to carry out.
Even within traditional banking apps, getting two-factor authentication right may be difficult – just ask PayPal. However, incidents such as this one, as well as the $600 million hijacking of Poly Network in August and the $53 million heist that hit the first-ever DAO in 2016, should be enough to elevate security awareness beyond protocols and encryption.
It is not yet clear how much money will be recovered and how those who have been harmed will be compensated. However, everyone involved in the worlds of crypto, blockchain, and Web3 apps may find it necessary to understand how approvals, signing, and transactions work and to keep an eye on them in the future. Even when maintained by “one of the most security-minded teams in DeFi,” as Badger describes itself, millions of dollars in holdings might vanish in an instant.
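The point about keeping an eye on approvals and transactions, as an added example (not code from Badger or PeckShield): a pre-signing check that decodes ERC-20 calldata and flags a permission or transfer naming an address the user does not expect. The allowlist, the function names and the sample addresses are assumptions made for the illustration.

```javascript
// Standard ERC-20 / OpenZeppelin selectors; party and amount are argument indexes.
const SELECTORS = {
  "095ea7b3": { name: "approve", party: 0, amount: 1 },
  "39509351": { name: "increaseAllowance", party: 0, amount: 1 },
  "a9059cbb": { name: "transfer", party: 0, amount: 1 },
  "23b872dd": { name: "transferFrom", party: 1, amount: 2 },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode calldata; returns null when the call is not a token permission or transfer.
function decodeTokenCall(data) {
  const hex = (data || "").toLowerCase().replace(/^0x/, "");
  const spec = SELECTORS[hex.slice(0, 8)];
  if (!spec) return null;
  const args = hex.slice(8);
  if (args.length % 64 !== 0) throw new Error("truncated calldata");
  const w = args.match(/.{64}/g) || []; // ABI arguments are 32-byte words
  if (w.length <= spec.amount) throw new Error("missing arguments");
  const amount = BigInt("0x" + w[spec.amount]);
  // An address occupies the low 20 bytes of its 32-byte word.
  return { name: spec.name, party: "0x" + w[spec.party].slice(24), amount,
           unlimited: amount === MAX_UINT256 };
}

// Compare the pending transaction with the counterparties the user expects
// (hypothetical allowlist, e.g. the vault contracts of the site being used).
function reviewTransaction(tx, allowlist) {
  const call = decodeTokenCall(tx.data);
  if (!call) return { verdict: "pass", reasons: [] };
  const known = allowlist.map((a) => a.toLowerCase()).includes(call.party);
  const reasons = [];
  if (!known) reasons.push(`${call.name} names unexpected address ${call.party}`);
  if (call.unlimited) reasons.push(`${call.name} grants an unlimited amount`);
  const verdict = !known ? "block" : call.unlimited ? "warn" : "pass";
  return { verdict, reasons, call };
}

// Constructed sample input: neither address belongs to any real contract.
const KNOWN_VAULT = "0x" + "11".repeat(20);
const UNKNOWN = "0x" + "ee".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const approveData = (spender, amount) =>
  "0x095ea7b3" + pad(spender) + pad(amount.toString(16));

console.log(reviewTransaction({ data: approveData(KNOWN_VAULT, 1000n) }, [KNOWN_VAULT]).verdict);
console.log(reviewTransaction({ data: approveData(UNKNOWN, MAX_UINT256) }, [KNOWN_VAULT]).reasons);
```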