The $120m Badger DAO Heist: It’s time to talk about wallet hygiene

iTrust International
iTrust.finance
Published in
3 min read · Dec 3, 2021

The dust is yet to settle on an incident in which an estimated $120m has been drained from the wallets of Badger DAO users.

Investigations are still ongoing, but initial reports suggest that hackers injected a malicious script into the Badger DAO website code. The script intercepted user transactions and prompted users to unknowingly grant the attacker approval to withdraw funds from their wallets.

It appears that the attacker had been running the script intermittently, to prevent detection, since early November and decided to finally strike on Dec 1st, draining some $120m from the wallets of affected users. One victim saw 896 Bitcoin stolen from their wallet — worth over $50m at the time.

Once the attack had been discovered, Badger DAO took swift action, freezing their smart contracts to prevent further malicious withdrawals.

You can keep up-to-date on the latest with the ongoing investigation here:

https://twitter.com/BadgerDAO/status/1466535158606086144?s=20

How can I prevent this from happening to me?

If the initial reports on how the attack unfolded are indeed correct, there are steps you can take to ensure that you do not fall victim to similar attacks in future.

1. Check all Approval transactions thoroughly before confirming

When you interact with a smart contract for the first time, the first transaction your wallet will ask you to confirm will be an ‘approval transaction’. This allows the smart contract to spend funds from your wallet at any time, up to the limit you approve, which is why it’s really important to check the approval details before confirming the transaction.

For MetaMask users, the approval request will look something like this:

You can edit the approval limit by clicking the ‘Edit’ button, or simply reject the approval if you are not comfortable with any of the details.

This is the first step to keeping yourself safe!

2. Revoke permissions once you have made your transaction

Whilst you may be convinced that a particular smart contract and its owners are trustworthy now, your approvals remain in place until they are revoked, so funds in your wallet could be drained years after a single approval transaction.

Remember, a contract that seems secure now could be hacked further down the line, change hands to a less trustworthy entity, or be a proxy that can change many times over.

That’s why it’s important to revoke any permissions you have granted after each transaction you make.

Revoke.cash (use at your own risk) is a useful tool that allows you to view the ERC20 token approvals you’ve granted from your wallet, and revoke them. Revoking permissions comes at a relatively small cost (in gas), but ultimately could save you from suffering severe losses.

It’s also worth checking out this excellent Twitter thread by @CryptocatVC, which details how to keep your wallet clean.
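To make steps 1 and 2 concrete, here is an added example (not code from the original post, Badger DAO or MetaMask) that decodes the ERC20 `approve(spender, amount)` calldata a site hands to your wallet, flags an unlimited allowance or an unfamiliar spender before you confirm, and builds the `approve(spender, 0)` transaction that revokes it. It assumes Node.js; every address and calldata value in it is constructed for illustration.

```javascript
// Added example, not from the original post. Assumes Node.js (BigInt support).
// All addresses and calldata below are constructed sample values.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // what an "unlimited" approval looks like on-chain

// Returns { spender, amount } for approve() calldata, or null if it is not an approve call.
function decodeApprove(data) {
  const hex = (data || "").replace(/^0x/, "").toLowerCase();
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address is right-aligned in a 32-byte word
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// tx is the object a dApp hands to the wallet (eth_sendTransaction): { to, data, ... }.
// trustedSpenders is a Set of lower-case contract addresses you have verified yourself.
function assessApproval(tx, trustedSpenders) {
  const decoded = decodeApprove(tx.data);
  if (!decoded) return { isApproval: false, warnings: [] };
  const warnings = [];
  if (decoded.amount === MAX_UINT256) warnings.push("unlimited allowance");
  if (!trustedSpenders.has(decoded.spender)) warnings.push("unknown spender");
  return { isApproval: true, token: tx.to, ...decoded, warnings };
}

// Builds the transaction that revokes an allowance: approve(spender, 0) on the token contract.
function buildRevoke(token, spender) {
  const spenderWord = spender.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  return { to: token, data: "0x" + APPROVE_SELECTOR + spenderWord + "0".repeat(64) };
}

// Constructed sample: a site asks for an unlimited approval to a spender we never verified.
const TOKEN = "0x" + "1".repeat(40);
const SPENDER = "0x" + "2".repeat(40);
const sampleTx = {
  to: TOKEN,
  data: "0x" + APPROVE_SELECTOR + "0".repeat(24) + "2".repeat(40) + "f".repeat(64),
};
const verdict = assessApproval(sampleTx, new Set());
console.log(verdict.warnings); // [ 'unlimited allowance', 'unknown spender' ]
console.log(buildRevoke(TOKEN, SPENDER).data); // approve(SPENDER, 0) calldata
```

A wallet shows the same spender and amount fields in its approval prompt; the point of the check is that an amount of 2^256-1 means "everything, forever" until you send the revoke transaction.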

The iTrust team is here to help you navigate the DeFi seas safely — if you have any questions on DeFi security or how to keep yourself safe while interacting with DeFi protocols, feel free to reach out to the team in our Telegram or Discord communities.

About iTrust.finance

iTrust.finance seeks to improve efficiency and usability in the DeFi market by maximising cover capacity and accruing token rewards for stakers in the DAO, increasing the overall market value of the underlying insurance protocol.

On launch, iTrust’s unique application will offer a host of yield-maximising staking options for Nexus Mutual ($NXM) holders and, crucially, wrapped Nexus Mutual ($wNXM) token holders alike, with other insurance protocols to follow.

Website: https://www.itrust.finance

Telegram: https://t.me/iTrustCommunity

Telegram Announcements: https://t.me/iTrustOfficialAnnouncements

Discord: https://discord.com/invite/7WS4CsmUpy

Twitter: https://twitter.com/iTrustFinance

Medium: https://medium.com/itrust-finance
