A decentralized finance (DeFi) mainstay is the latest to fall victim to a hack, with $10 million in various cryptocurrencies being stolen from the BadgerDAO yield vault protocol.
Users first reported possible problems in the protocol’s Discord at 9 pm EST Wednesday night.
Current speculation in community channels is that the hack is the result of an exploit in the Badger.com user interface, and not in the core protocol contracts. Many affected users report that while claiming yield farming rewards and interacting with Badger vaults, they noticed their wallet providers prompting spurious requests for additional permissions.
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited,” wrote Badger core contributor Tritium on Discord.
“Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,” he added.
The team also confirmed the exploit on Twitter:
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
A Badger representative did not respond to a request for comment by the time of publication.
Observers say the hacker has taken 185 WBTC,136,000 cvxCRV, 64,000 veCVX, and various forms of vaulted and synthetic bitcoin from affected wallets worth over $10 million. While the bulk of the funds were drained Wednesday night, the malicious permission requests may have been made weeks prior to the attack.
Though the contracts are paused, community members are advising that depositors use tools like Debank and Unrekt to revoke permissions for the malicious contract.
At the time of writing BadgerDAO’s BADGER is down 6.9% on the day to $24.80 per token.
This is a developing story and will be updated.