4th biggest DeFi loss: Badger DAO loses $120 million after frontend attack
The killing: "Badger" dies.
$120 million in funds was withdrawn in various wBTC and ERC20 tokens.
The frontend attack caused a major drop for Badger DAO and ranks as the fourth-largest loss from a DeFi attack.
As reported by rekt.news:
Unlimited approvals mean unlimited trust. We all know we should never do this in DeFi.
But if the frontend is compromised, will the average user notice the illegitimate contract their wallet is being asked to approve?
An unknown party injected additional approval prompts, tricking users into approving the attacker's address to spend their tokens. Starting December 2, 2021 at 12:08:23 AM, the attacker used these malicious approvals to drain funds.
When Badger learned that user addresses were being drained, the team paused smart contract activity, and the malicious transactions stopped roughly two and a half hours after they began.
BadgerDAO's goal is to bring Bitcoin to DeFi. The project offers multiple vaults so users can earn yield on wBTC on Ethereum.
Most of the stolen assets were held as vault deposits; these tokens have since been redeemed, the BTC-pegged assets bridged back to the Bitcoin network, while the ERC20 tokens remain on Ethereum.
Below is a summary of the current location of the stolen funds, for those investigating.
In addition, as with several other recent security incidents, rumors suggest the project's Cloudflare account was compromised.
When a user deposited into a vault and tried to claim rewards, these bogus approval prompts appeared, granting an unauthorized wallet an allowance that let the attacker send the user's BTC-linked tokens directly out of the user's address.
According to PeckShield, the first approvals to the hacker's address were granted almost two weeks ago. Anyone who subsequently interacted with the platform could have granted the attacker an allowance to steal their funds.
Over 500 addresses have been reported as having approved the hacker's address:
0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107
Check your approvals immediately and revoke them here:
etherscan.io/tokenapprovalchecker
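As an added example (not code from the article, Badger, or rekt.news), the script below shows the defender-side version of this advice: given decoded ERC20 Approval(owner, spender, value) events for a wallet, it keeps only the latest allowance per token and spender, flags allowances to unknown spenders or unlimited ones, and builds the approve(spender, 0) calldata used to revoke them. All addresses and events are constructed placeholders, and the selector is the standard ERC20 approve(address,uint256) one.

```javascript
// Added example (not Badger/rekt.news code): review a wallet's ERC20 allowances
// from decoded Approval(owner, spender, value) events and build revoke calldata.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// Constructed sample addresses; the "attacker" here is a placeholder, not the
// address named in the article.
const OWNER    = "0x1111111111111111111111111111111111111111";
const VAULT    = "0x2222222222222222222222222222222222222222"; // legitimate spender
const ATTACKER = "0x3333333333333333333333333333333333333333";
const TOKEN    = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const KNOWN_SPENDERS = new Set([VAULT.toLowerCase()]);

// Constructed event log, oldest first. Each Approval event carries the new total
// allowance, so only the latest event per (token, spender) is the live value.
const SAMPLE_EVENTS = [
  { token: TOKEN, owner: OWNER, spender: VAULT,    value: 5n * 10n ** 8n }, // normal deposit approval
  { token: TOKEN, owner: OWNER, spender: ATTACKER, value: MAX_UINT256 },    // injected by a rigged frontend
  { token: TOKEN, owner: OWNER, spender: VAULT,    value: 0n },             // user later revoked the vault
];

// Return the live allowances granted by `owner` that deserve attention:
// any allowance to an unknown spender, or an unlimited one to anyone.
function auditApprovals(events, owner, knownSpenders) {
  const latest = new Map();
  for (const e of events) {
    if (e.owner.toLowerCase() !== owner.toLowerCase()) continue;
    latest.set(`${e.token.toLowerCase()}|${e.spender.toLowerCase()}`, e);
  }
  const findings = [];
  for (const e of latest.values()) {
    if (e.value === 0n) continue; // already revoked
    const unknown = !knownSpenders.has(e.spender.toLowerCase());
    const unlimited = e.value === MAX_UINT256;
    if (unknown || unlimited) {
      findings.push({ token: e.token, spender: e.spender, unknown, unlimited,
                      revokeData: revokeCalldata(e.spender) });
    }
  }
  return findings;
}

// ABI-encode approve(spender, 0): selector + 32-byte left-padded address + 32 zero bytes.
function revokeCalldata(spender) {
  const addr = spender.slice(2).toLowerCase().padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + "0".repeat(64);
}
```

Sending the returned calldata to the token contract from the owner's address sets that spender's allowance to zero; in practice the events would be fetched from a node and the known-spender set filled from the protocol's published contract addresses.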
Example: ~900 byvWBTC, worth over $50 million, was drained. About 6 hours earlier, the victim had granted the attacker's address an allowance through an increaseAllowance() call, giving the attacker unlimited access to the funds.
Finally, because of the "unconventional" behavior of Badger's transferFrom() function, the team paused all operations to avoid further loss of funds.
If a long-running project with Badger's reputation can be hit this way, then some of the major DeFi protocols could be too, and DeFi users cannot be sure their larger bags are safe. Diversification is the key to survival.
People are quick to insist on checking URLs and verifying the contract being signed, but in this case that does not help users.
The frontend had been tampered with at least 12 days earlier.
So why didn't Badger raise the alarm?
On November 28, a user flagged the suspicious approve() prompt on Discord.
Why didn't the Badger developers notice?
For power users these bogus approvals are easy to spot: copy and paste the contract address from the site into Etherscan and check it before signing the transaction.
However, if DeFi is to achieve "mass adoption", these extra precautions must be simplified.
Until then, use a trustworthy wallet and stay cautious.