BadgerDAO reportedly suffers security breach, losing $120M

The BadgerDAO DeFi protocol has paused its smart contracts to prevent any withdrawals from the protocol while it investigates the possible security breach.

The BadgerDAO decentralized finance protocol appears to have suffered from a cyber attack leading to the loss of $120 million. 

The attack, which was made public at about 2 am UTC on Thursday, targeted the protocol on the Ethereum network at contract address 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107. 

Users who have interacted with this contract are urged to revoke its permissions from their wallets.

To revoke the permissions of a contract, visit etherscan.com and log in with a wallet you believe may be exposed. Although the attack only happened recently, permission for the contract may have been established weeks ago.
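The check behind the revoke advice above, as an added example (not from the article or from BadgerDAO): it replays ERC-20 `Approval` event logs and reports which allowances to the address the article names are still non-zero. The log layout assumes Ethereum JSON-RPC `eth_getLogs` output; the sample logs, token addresses and wallet addresses are constructed.

```python
# Added example; the logs, token and wallet addresses below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
FLAGGED = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"  # address named in the article

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def as_topic(address):
    """Left-pad a 20-byte address to a 32-byte topic (used to build samples)."""
    return "0x" + "0" * 24 + address[2:].lower()

def open_allowances(logs, spender=FLAGGED):
    """Return {(token, owner): amount} for allowances to `spender` still non-zero.

    `logs` must be in chain order: each Approval overwrites the previous one,
    so a grant made weeks ago stays live until a later event sets it to zero.
    """
    state = {}
    for log in logs:
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 shares the signature but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        state[key] = int(log["data"], 16)
    return {key: amount for key, amount in state.items() if amount > 0}

TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20   # constructed tokens
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20         # constructed wallets
OTHER = "0x" + "33" * 20                                # unrelated spender

def approval(token, owner, spender, amount):
    """Build one constructed log in eth_getLogs shape."""
    return {"address": token, "data": "0x%064x" % amount,
            "topics": [APPROVAL_TOPIC, as_topic(owner), as_topic(spender)]}

SAMPLE_LOGS = [
    approval(TOKEN_A, ALICE, FLAGGED, 2**256 - 1),  # unlimited, never revoked
    approval(TOKEN_A, BOB, FLAGGED, 500),           # granted ...
    approval(TOKEN_B, ALICE, OTHER, 1000),          # different spender, ignored
    approval(TOKEN_A, BOB, FLAGGED, 0),             # ... then revoked
]

if __name__ == "__main__":
    for (token, owner), amount in open_allowances(SAMPLE_LOGS).items():
        print(f"{owner} still allows {amount} of {token} to {FLAGGED}")
```

Replaying events gives the last approved amount, not the remaining allowance, because many tokens do not emit `Approval` when `transferFrom` spends it; confirm with the token's `allowance(owner, spender)` call before and after revoking.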

The total unconfirmed losses come to about $10.6 million.

The BadgerDAO team has not confirmed the exploit, but it issued a tweet at 4:30 am UTC acknowledging that there had been reports of problems. All smart contracts on BadgerDAO have been paused in an effort to prevent any more potentially malicious withdrawals.

Early reports claim that some users received unusual spend requests from the smart contracts on the protocol. It is suspected that these requests were the attack in action through the front-end of the protocol.

Some have revised the value of suspected losses to upward of $120 million, with one user reportedly losing $90 million.


On Badger’s official Discord server, core contributor Tritium wrote “It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited.” 

BADGER is down 15% to $22.71 at the time of writing on Coingecko.

Headline updated to reflect $120M loss. 12:46am UTC.