
BadgerDAO DeFi funds drained as hackers apparently obtain millions in crypto tokens

BadgerDAO, maker of a decentralized finance (DeFi) protocol, said on Wednesday that it is investigating reports that millions in user funds have been stolen.

“As Badger engineers investigate this, all smart contracts have been suspended to prevent further withdrawals,” the company wrote in a Twitter post. “Our investigation is ongoing and we will release more information as soon as possible.”

Blockchain security company PeckShield puts the loss at $120.3 million, if converted to legal tender.

The DAO in BadgerDAO stands for Decentralized Autonomous Organization, which means that the company is “operated by our users – not venture capital, whales, or institutions”. That may also explain its deer-in-the-headlights crisis communication.

The company makes a product called a Sett, which allows users to deposit crypto assets and lend them to earn interest or yield. It has disabled withdrawals and deposits until it can sort out this mess.

The Register attempted to contact the company and one of its software developers, but like many DeFi companies, BadgerDAO does not list a central headquarters or phone number, and does not maintain general communication channels such as e-mail. Instead, it directs customers to its Discord channel, which is not completely discordant.

There, BadgerDAO personnel attributed the incident to a malicious script injected into the web-based interface of its application. An individual posting under the name @mitche50 (we think this is BadgerDAO developer Andrew Mitchell) said a Cloudflare API key appears to have been leaked.

“Through this, hackers can create a script, inject the script into a custom route, and use the injected malicious script to serve the front end,” mitche50 wrote in a Discord message. “The malicious script interacts with the injected web3 provider and intercepts any web3 transactions. When it does, it searches the API for the user’s highest Sett balance and requests approval of the Sett to obtain the hacker’s address. They run 1-2 hours, then delete the script and run it at random intervals to avoid detection.”
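The approval request mitche50 describes is an ordinary ERC-20 allowance call, so it is visible in a transaction's calldata before the user signs. The following added example (not code from BadgerDAO or from the original article) decodes `approve` requests, and goes slightly beyond the quote by also covering `increaseAllowance`, then blocks any whose spender is not on an allowlist; the addresses, the allowlist and the function names are constructed for illustration.

```javascript
// Added example: addresses and allowlist below are constructed, not from the incident.
const ALLOWANCE_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode calldata. Returns null when the call is not an allowance grant.
function decodeAllowanceCall(data) {
  const hex = String(data || "").toLowerCase().replace(/^0x/, "");
  const method = ALLOWANCE_SELECTORS[hex.slice(0, 8)];
  if (!method) return null;
  const args = hex.slice(8);
  // Two 32-byte ABI words are required: spender, then amount.
  if (args.length < 128 || !/^[0-9a-f]+$/.test(args)) return { method, malformed: true };
  const spender = "0x" + args.slice(24, 64); // low 20 bytes of word 1
  const amount = BigInt("0x" + args.slice(64, 128));
  return { method, spender, amount, unlimited: amount === MAX_UINT256 };
}

// Decide whether a transaction request may be passed on to the wallet.
function reviewTransaction(tx, trustedSpenders) {
  const call = decodeAllowanceCall(tx.data);
  if (!call) return { verdict: "pass", reason: "no allowance change" };
  if (call.malformed) return { verdict: "block", reason: `malformed ${call.method}` };
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === call.spender);
  if (trusted) return { verdict: "pass", reason: "allowlisted spender" };
  const scope = call.unlimited ? "unlimited" : call.amount.toString();
  return { verdict: "block", reason: `${call.method} of ${scope} to unknown ${call.spender}` };
}

// Constructed sample requests.
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_TOKEN = "0x" + "aa".repeat(20);
const SAMPLE_VAULT = "0x" + "11".repeat(20);   // the dapp's own contract
const SAMPLE_UNKNOWN = "0x" + "ee".repeat(20); // spender the dapp never uses
const sampleTxs = [
  { to: SAMPLE_TOKEN, data: "0x095ea7b3" + word(SAMPLE_VAULT) + word("0de0b6b3a7640000") },
  { to: SAMPLE_TOKEN, data: "0x39509351" + word(SAMPLE_UNKNOWN) + "f".repeat(64) },
  { to: SAMPLE_TOKEN, data: "0xa9059cbb" + word(SAMPLE_UNKNOWN) + word("01") }, // transfer
  { to: SAMPLE_TOKEN, data: "0x095ea7b3" + "ee".repeat(10) },                   // truncated
];
for (const tx of sampleTxs) {
  const r = reviewTransaction(tx, [SAMPLE_VAULT]);
  console.log(r.verdict, "-", r.reason);
}
```

A check like this only helps when it runs somewhere the dapp's web origin cannot modify, such as the wallet or a browser extension, because in this incident the page itself served the malicious script.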

The largest individual loss is said to be about 900 BTC, worth approximately 51 million U.S. dollars at today’s price.

Not all of the lost funds will be gone forever. On Thursday, company representatives addressing users’ concerns on Discord announced that once they have gathered more information, they plan to issue a more formal communication about the incident, covering what can be restored and what cannot.

A lengthy post on the company’s website about its security practices, while raising the possibility of “return rate far exceeding 75% APY”, warns that “attacks may still occur, resulting in the loss of user funds.”

Meanwhile, MonoX, which describes itself as “the most capital-efficient service provider in DeFi”, revealed on Medium on Wednesday that it had been hacked for 31 million U.S. dollars.

MonoX, for its part, sounds sorry. “Days like yesterday are terrible, the harsh reality of contract exploitation and people losing money has no sugar coating,” the company said. “Our supporters are full of confidence in a new project like ours. We let them down yesterday.”

The reason? A “smart contract” vulnerability.

Smart?

Yes, people still use the term “smart contract” with a straight face, even though they would be laughed out of the room if they used phrases like “my error-free code”, “my hand-coded BSL-4 positive pressure suit” or “my roll-your-own encryption library that I can’t understand”.

The company explained in its post: “The vulnerability is caused by a smart contract vulnerability that allows the same tokens to be bought and sold.” This doesn’t sound so “smart”.

An attacker could swap MONO tokens for MONO tokens to inflate their price. “The attacker then used the high price of MONO to purchase all other assets in our pool and ran out of funds,” the company admitted, noting that the attack “was done through scripts and was highly organized.”

On the bright side, MonoX purchased $1 million worth of insurance, which should slightly ease the loss of $31 million.

Coincidentally, on Wednesday, financial business Square, keen to ride the wave, renamed itself Block, and its Bitcoin subsidiary Square Crypto changed its name to Spiral. ®


