Whelp, I Got Hacked!

Badgers, Bitcoins, and Bad UIs!

So one of my worst fears happened. Getting hacked in a Web3 world, with a very Web2 exploit. So what happened? Well lets just say the words “Increase Allowance” will always make me shudder from this point forward. Apologies to my future children 😭…

Fig 1 — Increase Allowance Method

Fig 2 — The Inputs of the transactions I neglected to read.

As shown above, I approved a transaction that essentially gave permission to the listed wallet under [0]: 1fcdb04d0c5364fbd92c73ca8af9baa72c269107 full spend rights (that arbitrarily large number at the bottom) to my Curve ibBTC/sBTC staked LP tokens (This contract, for those that are curious: https://etherscan.io/address/0xae96ff08771a109dc6650a1bdca62f2d558e40af )

But How?!?!

It all came down to a compromised Cloudflare API Key. Cloudflare defines itself as a product that “secures and ensures the reliability of your external-facing resources such as websites, APIs, and applications”. So you can imagine, getting access to the crown jewels as an attacker is pretty bad for the website owner! What it essentially allowed the hacker to do is inject a script into the UI of badger.com and as you can imagine, that is when this got really ugly.

“The malicious script would interact with the injected web3 provider and intercept any web3 transactions. When it did that, it would search the API for the user’s highest sett balance, and request approval for that sett for the hacker’s address.

They ran this for 1–2 hours, then removed the script, and ran that at random intervals to avoid detection.”

So these folks actually queried to see which one of my deposits was the highest, and took that one? Sheesh, rude! So this meant, whenever a user went to do any transaction on badger.com this approval would sneak itself in there. And the worst part? It was damn effective too!

Update: The full technical post mortem has been released here.

The Impact

The estimated losses are somewhere in the ballpark of 2.1k BTC (0.01% of the total supply of BTC!) and 151ETH. My personal impact was just north of .1% of the total damage, but still very painful! Check out the full summary of the assets taken here:

Thankfully these types of transactions can only give hackers access to a single token in your wallet (other than ETH), so the damage was limited to that single token, for badgers, many of us hold quite a bit of WBTC or ibBTC or their deposited derivatives, so for some, it was a total wipeout.

How Could This Have Been Prevented?

Well, the investigation is ongoing, and the obvious answer is “Well, maybe if Badger had better Cloudflare API key management, eh? Well, yes and no. In fact, the hacker took advantage of several inefficiencies and weaknesses in transaction flow and wallet software that made this attack be able to go on for WEEKS, almost undetected¹.

¹Figure 3 — A community member bringing the issue up with the team, unfortunately getting brushed off.

What Wallets Could Do

1. Wallets should make transaction outcomes human readable. Trezor, Ledger, Metamask, all of them: How many of you swipe through your Trezor that just shows a mess of hex strings and go “Whelp, hope that’s right!”? Unfortunately probably most of us. Whether its through a premium service that allows transaction simulation , or just figuring out a way to decipher the transaction more efficiently for users would be a huge start. Give the right tools to the end user to be judicious with their transactions.
2. Have a reputation system for protocols. If you are connecting to a new smart contract, or one that isn’t run by known protocol? Just throw up a little red box! ezpz, right? Managing that list would be a full time job at first, but could be automated with some rules and API calls to protocols like zapper, etc.
3. Throw up a BIG FAT WARNING when a protocol is requesting infinite permissions to any asset. Yes it can be annoying to re-auth funds every-time you wanna stack your farms, but you know what else is annoying? Having some malware query your wallet and give itself INFINITE ALLOWANCE to whatever ERC-20 token you have the most of, in terms of value, in your wallet.

Fig 4 — What the world should be saying about infinite allowances.

What You Can Do

1. Audit your permissions! Doing occasional housekeeping on your address, especially for those pesky infinite permissions is necessary! Try searching https://debank.com/profile/[YOURADDRESS]/approve to see what all you’ve approved. Some things aren’t entirely obvious what they are either (took me a while to figure out what Project Wyvern was, for example).
2. Slow down. Learn how to read what your transactions are doing. Badger user fewture was able to see something was off by checking the input data and seeing that the approval was requesting was some random address. It may sound like a lot of work, but for wallets containing a lot of funds, take the time. Make sure you are dealing with the correct contract, and be suspicious of any approval request.
3. Use a hardware wallet. Although it wouldn’t have helped in this particular case, too many people are not taking security seriously enough in this space. As a mod in the BAYC server, I’ve seen at least 50 apes/mutants hacked/stolen. Don’t become another statistic. Protect yourself. 90% of those attacks could be prevented with one simple trick: Buying a hardware wallet!

So, What Now?

Well, the investigation is ongoing. If you’d like to follow this exploit’s resolution, check back to https://badger.com/exploit/updates periodically for more. In the mean time, use a hardware wallet, be judicious with your approvals, and stay tuned for my next article about protecting yourself from smart contract risk through wallet separation, cheers!