Badger DAO users lose over $120 million: A tragedy caused by the malicious use of "approve" permissions
Author: Gu Yu
In past DeFi security incidents, the "approval" permissions of user wallets have often been maliciously exploited. Many DeFi users, attracted by high APYs, approved unlimited token usage permissions on malicious project websites, resulting in their wallet assets being stolen by the project team without their knowledge, leading to significant losses.
Now users of the well-known protocol Badger DAO have also become victims. On the morning of December 2, several Badger DAO users reported stolen assets on Discord. After discussion, it was determined that the problem lay with the Badger.com user interface rather than the project's smart contracts: the front end had been compromised and malicious wallet requests implanted, misleading Badger DAO users into approving token spending permissions for attacker-controlled addresses.
"When users attempt to make legitimate deposit and reward withdrawal transactions, these approvals will appear, establishing an unrestricted wallet approval basis that allows attackers to directly transfer BTC-related tokens from user addresses," stated the well-known security blog site rekt.
According to statistics from security company PeckShield, the total loss for Badger DAO users is approximately 2100 BTC and 151 ETH, equivalent to about $120 million, making it one of the highest theft amounts in DeFi security incidents this year. Among them, a single user lost over 900 BTC.
Badger core contributor Tritium stated on Discord: "It seems a bunch of users have set approvals for malicious attack addresses, allowing that address to use their vault funds and have been exploited."
"Once we noticed the incident, we froze all vaults, so no funds could be moved, and we tried to figure out the source of the approvals, how many people had them, and what the next steps were," he added.
It is understood that BadgerDAO aims to bring Bitcoin into DeFi. The project consists of various vaults for users to earn yields on wrapped BTC on Ethereum. The vast majority of the stolen assets are vault deposit tokens, which the hacker has cashed out and bridged back to the Bitcoin network, while all ERC20 tokens remain on Ethereum.
According to Coindesk, although most of the funds were transferred out on Thursday morning, the malicious permission requests may have been made weeks before the attack. Although the protocol contracts have been paused, community members suggest depositors use tools like Debank and Unrekt to revoke permissions from malicious contracts.
As a result of this news, the Badger DAO token fell over 21% within 24 hours, currently priced at $21.4.
Previously, the Ethereum insurance project Nexus Mutual had integrated Badger DAO, allowing users to purchase cover for Badger DAO with ETH or DAI on its platform. Following this attack, however, Nexus Mutual tweeted that if the incident is confirmed as a front-end attack, the BadgerDAO smart contracts were not affected and it would not qualify as an insurance event.
So, how can ordinary users avoid having their "approval" permissions maliciously attacked?
Twitter user @CryptoCatVC advised users not to trust a website's user interface, suggesting they manually extract the smart contract address from the MetaMask transaction data and check the contract on Etherscan to learn whether the contract is new, who deployed it, where the deployer's funds came from, and whether it is a proxy, among other questions.
At the same time, you need to know how many tokens you have already approved, and you should never approve more than you plan to use; you can always approve more later. Be especially strict with approvals granted to proxy contracts, since approving a proxy effectively approves whichever implementation it points to, now or after an upgrade.
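The two checks above (reading the spender and amount out of the wallet's raw transaction data before signing, and knowing which allowances you have already granted) can both be done without trusting the website. The following Python script is an added example, not code from the original article or from Badger DAO: it decodes standard ERC-20 `approve(address,uint256)` calldata and flags an unexpected spender or an unlimited amount, folds `Approval` event logs (in the shape `eth_getLogs` returns) into the current allowance per spender, and builds the `approve(spender, 0)` calldata used to revoke one. The token address, owner, vault, attacker address, calldata and log entries are constructed sample values; the token is assumed to use 18 decimals.

```python
# Added example (not from the original article): inspect ERC-20 approval
# calldata before signing and audit Approval event logs for lingering allowances.
# All addresses, calldata and logs below are constructed sample values.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
# keccak256("Approval(address,address,uint256)"), topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance most front ends request


def _word_to_address(word_hex):
    """Last 20 bytes of a 32-byte ABI word, as a lowercase 0x address."""
    word_hex = word_hex[2:] if word_hex.startswith("0x") else word_hex
    assert len(word_hex) == 64, "expected a 32-byte ABI word"
    return "0x" + word_hex[-40:].lower()


def _address_word(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    return addr[2:].lower().rjust(64, "0")


def _uint_word(n):
    return f"{n:064x}"


def decode_approve(calldata, decimals=18):
    """Decode approve(spender, amount) calldata; None if it is not an approve call."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) != 8 + 64 + 64 or data[:8].lower() != APPROVE_SELECTOR:
        return None
    amount = int(data[72:136], 16)
    return {
        "spender": _word_to_address(data[8:72]),
        "amount_raw": amount,
        "amount_tokens": amount / 10**decimals,
        "unlimited": amount == UINT256_MAX,
    }


def check_approval(calldata, intended_spender, planned_amount_tokens, decimals=18):
    """Warnings a user should read before signing; empty list means it matches the plan."""
    decoded = decode_approve(calldata, decimals)
    if decoded is None:
        return ["not an ERC-20 approve() call"]
    warnings = []
    if decoded["spender"] != intended_spender.lower():
        warnings.append(f"spender {decoded['spender']} is not the contract you intended ({intended_spender})")
    if decoded["unlimited"]:
        warnings.append("unlimited allowance (uint256 max) requested")
    elif decoded["amount_tokens"] > planned_amount_tokens:
        warnings.append(f"allowance {decoded['amount_tokens']} exceeds planned {planned_amount_tokens}")
    return warnings


def current_allowances(logs):
    """Fold Approval logs (chain order) into {(token, owner, spender): latest amount}."""
    allowances = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        key = (log["address"].lower(), _word_to_address(topics[1]), _word_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)  # each new Approval overwrites the old value
    return allowances


def unlimited_allowances(logs):
    """(token, owner, spender) triples that still hold an unlimited allowance."""
    return [key for key, amount in current_allowances(logs).items() if amount == UINT256_MAX]


def revoke_calldata(spender):
    """Calldata for approve(spender, 0), the transaction that revokes an allowance."""
    return "0x" + APPROVE_SELECTOR + _address_word(spender) + _uint_word(0)


# Constructed sample data: a user who meant to approve 5 tokens to a vault,
# then signed an unlimited approval to an unknown address injected by a front end.
SAMPLE_TOKEN = "0x" + "aa" * 20
OWNER = "0x" + "22" * 20
HONEST_VAULT = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ee" * 20
SAMPLE_CALLDATA_OK = "0x" + APPROVE_SELECTOR + _address_word(HONEST_VAULT) + _uint_word(5 * 10**18)
SAMPLE_CALLDATA_BAD = "0x" + APPROVE_SELECTOR + _address_word(UNKNOWN_SPENDER) + _uint_word(UINT256_MAX)
SAMPLE_LOGS = [
    {"address": SAMPLE_TOKEN, "topics": [APPROVAL_TOPIC, "0x" + _address_word(OWNER), "0x" + _address_word(HONEST_VAULT)],
     "data": "0x" + _uint_word(5 * 10**18)},
    {"address": SAMPLE_TOKEN, "topics": [APPROVAL_TOPIC, "0x" + _address_word(OWNER), "0x" + _address_word(UNKNOWN_SPENDER)],
     "data": "0x" + _uint_word(UINT256_MAX)},
    {"address": SAMPLE_TOKEN, "topics": [APPROVAL_TOPIC, "0x" + _address_word(OWNER), "0x" + _address_word(HONEST_VAULT)],
     "data": "0x" + _uint_word(0)},  # the vault allowance was later revoked
]

if __name__ == "__main__":
    print("ok approval:", check_approval(SAMPLE_CALLDATA_OK, HONEST_VAULT, 5))
    print("bad approval:", check_approval(SAMPLE_CALLDATA_BAD, HONEST_VAULT, 5))
    print("still unlimited:", unlimited_allowances(SAMPLE_LOGS))
    print("revoke tx data:", revoke_calldata(UNKNOWN_SPENDER))
```

In practice the calldata comes from the wallet's "hex data" view of the pending transaction and the logs from an `eth_getLogs` query filtered on the token address and the owner's address in topic 1; the script deliberately uses only the standard library so it can be run offline against that exported data. Note that it only understands the plain `approve` selector, so other allowance paths such as `increaseAllowance` or `permit` signatures have to be checked separately.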
(Feel free to add WeChat ID gnu0101 to join the Chain Catcher group chat)