BadgerDAO Malicious Code Injected
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
BadgerDAO suffered a massive attack on their smart contract hot wallets. In this case, the vulnerability was not inherently in the contract, but they were tricked into adding an additional API connection, which allowed the attacker to inject malicious code. So far, the security of the smart contract has been improved and 40% of funds have been recovered. There are suggestions of other measures to recover the rest.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]
About BadgerDAO
"Earn Interest on Your Bitcoin. BadgerDAO makes it easy to bring your Bitcoin to DeFi and start earning yield today." "BadgerDAO is building the infrastructure to bring Bitcoin to DeFi. We make it easy to bridge your Bitcoin into other blockchains and start earning yield right away."
"BadgerDAO is a decentralized autonomous organization (DAO) run by our users – not VCs, whales, or institutions." "DeFi innovation has paved the way for a number of protocols, including Badger, to offer significant returns. Badger has one of the most security minded teams in DeFi and has pioneered several practices to minimize risk."
"Badger Sett is a yield aggregator product that leverages automated strategies to generate yield for user deposits of various underlying assets. They are non-custodial, transparent, and users can withdraw their assets at any time. The bulk of existing Setts are based on the Yearn Vaults V1 architecture, expanding it with new strategies, a new fee structure, and modifications to the governance of the system."
"BadgerDAO’s smart contracts are regularly audited by top security firms to discover and fix vulnerabilities before launch. Audit reports are linked below."
The Reality
"Please note that audit reports cover specific portions of the BadgerDAO codebase and are done at a snapshot in time. Our code is frequently updated, which could introduce new vulnerabilities."
What Happened
A vulnerability in the Cloudflare API allowed for an attacker to gain access to the BadgerDAO Cloudflare account. This was used to inject malicious scripts into the Badger website.
| Date | Event | Description |
|---|---|---|
| November 20th, 2021 3:06:25 AM MST | Initial Funding Of Exploit Wallet | The exploiter wallet is first funded on the blockchain[24]. |
| December 1st, 2021 5:48:25 PM MST | Blockchain Transfers Start | 204.539433413030539153 BiBTC are transferred from an exploited address to the attacker[25]. |
| December 2nd, 2021 1:14:00 PM MST | Tal Be'ery Technical Analysis | Researcher Tal Be'ery publishes a detailed analysis of the BadgerDAO exploit on Twitter[20]. |
Technical Details
The vulnerability was related to the Cloudflare API for the BadgerDAO website and a sophisticated attacker who was injecting malicious scripts. Select users of the site with large balances would be routinely tricked into authorizing access to other wallets, while users with smaller balances or developers of the protocol wouldn't see any malicious code.[25][26][27]
Unauthorized Cloudflare API Access
"In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed (see Cloudflare Forum Post). It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access."
"In mid-September, Badger unknowingly completed the account creation for one of these three compromised accounts, which were used for legitimate Cloudflare management activities. The UI did not make it obvious that the account had already been created and an API key was accordingly generated."
Malicious Script Injection Techniques
"On November 10, the attacker began using their API access to inject malicious scripts via Cloudflare Workers into the html of app.badger.com. The script intercepted web3 transactions and prompted users to allow a foreign address approval to operate on ERC-20 tokens in their wallet. On November 20, the first on-chain malicious approval was made for the exploiter wallet."
"The attacker used several anti-detection techniques in their attack. They applied and removed the script periodically over the month of November, often for very short periods of time. The attacker also only targeted wallets over a certain balance, and explicitly avoided targeting listed signers of the Dev Multisig. Finally, the attacker accessed the API from multiple proxy and VPN IP addresses and changed the script on each deployment so they each had a unique hash, rendering static indicators of limited value."
Technical Analysis By Tal Be'ery
Tal Be'ery provided a walkthrough of the exploit[20].
1/ #BadgerDAO hack : Attackers were able to compromise Badger website and inject a malicious javascript to request from Badger users ERC20 approvals for the attackers address.
2/ If the users approved this request via their wallet (e.g. metamask), they had effectively allowed attackers to spend the victims' funds. Here's one from 28.11 (4 days ago)
3/ Yesterday, (1.12) the attackers caught the big fish. A user with $50M approved their malicious request
4/ The attackers decided it's time to monetize and this user was the first one to be exploited (followed by the other victims)
Total Amount Lost
"Here’s the breakdown of affected assets. 2017 BTC (~$113m) 53 DIGG (~3.2m) 26.56 ETH (~0.1m) 730 CVX (~0.018m) The affected assets will be accounted for in BTC and USD at the time of the exploit. BTC is disproportionately the largest asset lost and USD is a recognized global unit of account." "When all affected assets are converted to BTC at the time of the hack this is approximately 2076.54 BTC (~$116.3m USD at time of hack) 2019.37 BTC if DIGG is excluded for consideration by the community for special compensation."
The total amount lost has been estimated at $116,300,000 USD.
Immediate Reactions
"[L]ast week, Celsius Network CEO Alex Masinsky said the crypto lending platform lost $120 million due to the hacking of its decentralized financial platform Badger DAO."
"On Dec 2 2021, a series of unauthorized transactions occurred, resulting in the loss of funds from Badger users. Following the exploit, Badger engineers worked with cybersecurity firm Mandiant to investigate the incident and have prepared the following initial report." "The Badger community raised an alert via Discord about a large, suspicious transaction on December 2." "The attack was noticed by a Community member when approximately 900 BTC were removed from the Yearn wBTC vault."
"This news comes after bad actors hacked BadgerDAO, a decentralized autonomous organization that lets users stake BTC as collateral across DeFi applications. The attack saw the DAO lose $120 million (£90.41). The hack allegedly saw Celsius Network lose over $50 million (£37.67 million) worth of wrapped Bitcoin (wBTC)."
"Badger immediately paused most vault activity within 30 minutes of the alert. A handful of older contracts with a single, inaccessible guardian were paused approximately 15 hours later."
"In partnership with cybersecurity firm Mandiant, Badger prepared a technical document outlining the understanding of how the front end attack happened."
"Badger believes that, as publicly reported, the phishing incident that occurred on 2 Dec, 2021 was the result of a maliciously injected snippet provided by Cloudflare Workers. Cloudflare Workers is an interface to run scripts that operate on and alter web traffic as it flows through Cloudflare proxies. The attacker deployed the worker script via a compromised API key that was created without the knowledge or authorization of Badger engineers. The attacker(s) used this API access to periodically inject malicious code into the Badger application such that it only affected a subset of the user base."
"Per the responses on the Cloudflare forum, the vulnerability appears to have been mitigated around September 29." "Badger is continuing to work with Cloudflare to collect more relevant data, fully scope this incident and assist in their own post-mortem." "Per BIP-33, addresses approved on the guardian contract have the ability to pause contracts. The pausing functionality of these contracts operates in a manner that blocks any deposit, withdrawal, transfer for ERC20 vaults, withdrawals from strategies, and any minting/redeeming of ibBTC until the unpause function is called on them. Unpausing is restricted to the Dev Multisig, which requires governance approval. Eight older strategies and one vault also require a timelock to unpause."
"Per BIP-33, addresses approved on the guardian contract have the ability to pause contracts. The pausing functionality of these contracts operates in a manner that blocks any deposit, withdrawal, transfer for ERC20 vaults, withdrawals from strategies, and any minting/redeeming of ibBTC until the unpause function is called on them. Unpausing is restricted to the Dev Multisig, which requires governance approval. Eight older strategies and one vault also require a timelock to unpause."
"Most contracts were paused by 3:30 AM UTC. Some older vaults, (namely bcrvRenBTC, bcrvSBTC, bcrvTBTC, bBADGER, bharvestcrvRenBTC and buniWbtcBadger) do not have pause functionality on the vault contract. Their strategies were nevertheless paused to prevent withdrawals. At the time Badger engineers were unable to access the guardian account of the bBADGER, bharvestcrvRenBTC and buniWbtcBadger strategies. Further investigation revealed the strategist who helped come up with this smart contract idea also had pausing capabilities, and pausers were eventually able to pause the strategies with the strategist account."
"[T]he last malicious withdrawal from the unpaused vaults occurred at 4:57 AM UTC. All withdrawals that took place after this and until the pausing of the last strategy were conducted by regular users." "It is also worth mentioning that the attacker was able to compromise non-Sett tokens, such as BADGER, wBTC, CVX and cvxCRV, and was able to liquidate them after Badger had enacted the pauses."
Ultimate Outcome
"The Badger Cloudflare account has had the password updated, MFA changed and all API keys either deleted or refreshed where possible."
"Badger is working with Chainalaysis, Mandiant, and the crypto exchanges as well as authorities in the US and Canada to recover any funds possible."
"Following the attack, Badger engineers, together with world class blockchain and Web2 cybersecurity experts Mandiant, conducted a full review of our security practices, looking at everything from the smart contract layer, to the app infrastructure, to how we communicate with and educate users."
"While Badger's smart contracts were not involved in the attack, we are continuing to follow Solidity development best practices, including: Partnering with some of the leading auditing firms to audit code for new functionality and features. A growing working group of security-minded Solidity developers who review new contracts. Each new strategy and vault is peer reviewed by two developers, before being approved by a senior developer. For incremental improvements collaborating on peer-reviews by trusted white hats, emerging contract security-focused DAOs, and public security auditing contests and bounties. Badger’s $750k bug bounty with Immunefi on smart contracts has yet to be claimed, and provides a strong incentive for white hat reporting of vulnerabilities."
"Badger is currently working with cybersecurity firm Halborn to conduct a thorough security audit of our new infrastructure."
"After extensive internal security reviews, upgrades, and the implementation of new safeguards with the support of Mandiant, Badger smart contracts have been safely reactivated."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
"The BadgerDAO treasury’s non-native assets currently earmarked to be used for long-term operational runway can be used to commit to compensation efforts. This money could be immediately paid to victims either directly or indirectly."
"The non-circulating BADGER currently held by BadgerDAO could be scheduled to be emitted over a fixed timeframe to victims. This program should be evaluated at the end of that chosen timeframe."
"BadgerDAO could create and distribute an accounting token to victims. This would allow BadgerDAO’s team to pursue novel yield farming programs and redirect future yields to victims over a fixed timeframe. This program should be evaluated at the end of that chosen timeframe."
"[S]ome funds were transferred by the exploiter but not yet withdrawn from the Badger vaults." "As per BIP 78, all Recoverable Assets have been returned to the wallets from which they were taken. This represents close to 40% of all affected users." "Harvests will resume shortly and will include awards accrued since pausing. Users who withdraw from a vault position prior to the next harvest cycle will forfeit the accrued rewards from that position."
Ongoing Developments
TBD
Individual Prevention Policies
Individuals need to carefully validate all transactions that are provided to them, even if those transactions originate from a legitimate website which they have requested to access. In addition, individuals should be storing most funds offline, and not using the same wallet for every interaction, to minimize the potential for further impact.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
Individuals may further avoid risk by preferring services with higher security emphasis and additional validations.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The Cloudflare vulnerability was missed when Badger was reviewed. All validation focused on the smart contract, and there was limited detailed analysis of their website infrastructure. A more comprehensive analysis would have been much more likely to catch the issue.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
An industry insurance fund can help in selecting validators which will provide more thorough reviews. When issues get missed in a review, they can offer assistance and relief for affected users.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
The Cloudflare vulnerability was missed when Badger was reviewed. All validation focused on the smart contract, and there was limited detailed analysis of their website infrastructure. A more comprehensive analysis would have been much more likely to catch the issue.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund can help in selecting validators which will provide more thorough reviews. When issues get missed in a review, they can offer assistance and relief for affected users.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ BitMart suspends withdrawals after hackers drained almost $200 million in cryptocurrencies using a stolen private key (Dec 23, 2021)
- ↑ BitMart CEO claims stolen private keys led to the $196M hack | Invezz (Dec 23, 2022)
- ↑ Celsius Network Reportedly Lost $50 Million in the $120 Million BadgerDAO Hack (Dec 31, 2022)
- ↑ Building Defi for Bitcoin - Badger (Dec 31, 2022)
- ↑ @BadgerDAO Twitter (Dec 31, 2022)
- ↑ Turning the Lights Back On (Dec 31, 2022)
- ↑ BadgerDAO Exploit Technical Post Mortem (Dec 31, 2022)
- ↑ Badger DAO | Deposit & Earn on your Bitcoin (Dec 31, 2022)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31, 2022)
- ↑ Badger Security Upgrades (Dec 31, 2022)
- ↑ Recovery Phase (Dec 31, 2022)
- ↑ Setts Overview & Fees - Badger Finance (Dec 31, 2022)
- ↑ BadgerDAO Treasury Overview - Google Docs (Dec 31, 2022)
- ↑ Security & Audits (Dec 31, 2022)
- ↑ BadgerDAO hackers stole $120 million in crypto with a simple but effective attack - The Verge (Dec 31, 2022)
- ↑ @peckshield Twitter (Dec 31, 2022)
- ↑ BadgerDAO Reveals Details of How It Was Hacked for $120M (Dec 31, 2022)
- ↑ https://zengo.com/the-badgerdao-hack-what-really-happened-and-why-it-matters/ (Dec 31, 2022)
- ↑ Rekt - Badger - REKT (May 31, 2022)
- ↑ 20.0 20.1 20.2 TalBeerySec - "Yesterday, (1.12) the attackers caught the big fish. A user with $50M approved their malicious request" - Twitter (Jul 22, 2022)
- ↑ Badger DAO Appears to Have Lost Over USD 120M in an Attack (Dec 1, 2022)
- ↑ Santa Hackathon? Visor Finance Marks 7th Hack in December (Dec 1, 2022)
- ↑ Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12, 2022)
- ↑ Transfer of 0.041149441378804059 ETH to the Exploiter's Wallet - Etherscan (Sep 28, 2023)
- ↑ 25.0 25.1 Transfer of 204.539433413030539153 BiBTC to the attacker - Etherscan (Sep 28, 2023)
- ↑ Transfer of 172.445055240571417888 BiBTC to the Attacker - Etherscan (Sep 28, 2023)
- ↑ Transfer of 111.029961377265239943 BiBTC to the attacker - Etherscan (Sep 28, 2023)