
Hackers stole US$119 million from a “Web3” crypto project through an old-school attack

Image: Ethereum cryptocurrency (Ulrich Baumgarten via Getty Images)


On Wednesday, an unidentified hacker stole cryptocurrency reportedly worth US$119 million from a blockchain-based decentralized finance (DeFi) platform.

In a tweet on Wednesday, BadgerDAO (a Decentralized Autonomous Organization) wrote that it had received “reports of unauthorized withdrawal of user funds.” According to blockchain security company PeckShield, the hackers stole approximately 2,100 BTC (US$118.5 million) and 151 ETH (US$679,000) worth of cryptocurrency tokens.

It is worth noting that this attack did not involve exploiting a complex smart contract vulnerability. Instead, it was a front-end attack on BadgerDAO’s web infrastructure, specifically its Cloudflare account (Cloudflare serves as BadgerDAO’s content delivery network). Users interacting with BadgerDAO through the MetaMask wallet were presented with a malicious permission request. Users noticed the attack when they saw their wallets being emptied, and BadgerDAO “suspended” all of its smart contracts.

Kryptobi, who said he is a member of the BadgerDAO support team and has been investigating the hack, told Motherboard that it appeared someone had compromised the API key of BadgerDAO’s Cloudflare account and injected a malicious script into BadgerDAO’s front end. Cloudflare is a network infrastructure, content delivery network and website security company used by millions of websites on the Internet.

Jonto, a core member of the Badger team, confirmed that this was the hackers’ entry point.

“The malicious script basically tricks people into giving address permissions to send tokens to the user’s address,” Jonto told Motherboard in an online chat.
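As an added, defender-side illustration that is not from the article or from BadgerDAO: the “permission” a wallet prompt asks the user to grant is an ERC-20 token allowance, made with the standard approve(address,uint256) call, and a wallet or browser extension can decode that calldata before the user signs and flag an unfamiliar spender or an unlimited amount. The 0x095ea7b3 selector is the real one for approve; the addresses, the known-spender list and the 2^200 threshold are constructed placeholders.

```javascript
// Added example (not from the article or BadgerDAO): decode an ERC-20
// approve(address,uint256) call before it is signed and flag risky allowances.
// 0x095ea7b3 is the real 4-byte selector for approve(address,uint256).
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;
// Constructed heuristic: anything above 2^200 base units is treated as unlimited.
const EFFECTIVELY_UNLIMITED = 1n << 200n;

// Returns { spender, amount } or null if the calldata is not a well-formed approve().
function decodeApprove(calldata) {
  const hex = calldata.replace(/^0x/i, "").toLowerCase();
  // 4-byte selector + two 32-byte ABI words = 136 hex characters.
  if (!/^[0-9a-f]{136}$/.test(hex) || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address is right-aligned in its 32-byte word; the 12 leading bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// knownSpenders: Set of lowercase contract addresses the dapp legitimately uses.
function assessApproval(calldata, knownSpenders) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return { risk: "not-approve", reasons: [] };
  const reasons = [];
  if (!knownSpenders.has(decoded.spender)) reasons.push("unknown spender");
  if (decoded.amount === MAX_UINT256) reasons.push("unlimited allowance");
  else if (decoded.amount >= EFFECTIVELY_UNLIMITED) reasons.push("effectively unlimited allowance");
  return { ...decoded, risk: reasons.length > 0 ? "high" : "low", reasons };
}

// Constructed sample data: placeholder addresses, not real contracts.
const KNOWN_SPENDERS = new Set(["0x2222222222222222222222222222222222222222"]);
const word = (hex) => hex.padStart(64, "0");
// A benign approve: known spender, 1000 base units.
const BENIGN_CALLDATA = "0x" + APPROVE_SELECTOR +
  word("2222222222222222222222222222222222222222") + word((1000n).toString(16));
// The kind of prompt an injected front-end script would produce: unknown spender, max allowance.
const MALICIOUS_CALLDATA = "0x" + APPROVE_SELECTOR +
  word("1111111111111111111111111111111111111111") + "f".repeat(64);

console.log(assessApproval(BENIGN_CALLDATA, KNOWN_SPENDERS));
console.log(assessApproval(MALICIOUS_CALLDATA, KNOWN_SPENDERS));
```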


The administrators and developers of BadgerDAO have been conducting damage control in the official Discord channel.

“Everyone is angry and shocked [sic] at what happened,” a person who works at BadgerDAO and goes by blackbear wrote on the organization’s official Discord channel, where many people complained about the theft of their cryptocurrency. “The situation is terrible, but I hope we can learn from it and we will overcome it. Since the launch of Badger, I have been involved in it, and the work done by the team has never disappointed me.”


“Most of my net worth is in Badger. I was also affected by this attack. I was also hit the hardest in my life, and I’m pretty sure that other team members who are most confident in this project were also affected,” blackbear added. “I understand each of you, this is a major setback.”

DeFi platforms like BadgerDAO have proliferated recently, and in this fast-growing industry billions of dollars have been lost to fraud and hacking. The idea is to create a blockchain-based financial system; BadgerDAO specifically is designed as a “bridge” that lets people use their Bitcoin in Ethereum-based DeFi projects by “wrapping” it.

Earlier this year, the crypto lending service CREAM was exploited through complex “flash loans” and lost US$130 million, and a hacker stole about US$600 million from the popular platform Poly Network; that money was later returned in one of the strangest hacks of the year. These are just this year’s examples; there were many more in previous years.

But it is worth noting that the BadgerDAO attack does not appear to have targeted smart contracts or used any clever blockchain techniques. Instead, it was an attack on Badger’s web infrastructure.

It turns out that the so-called web3 can rely to a large extent on the good old web1 security.

“Supply chain integrity means every link in the chain,” said Dan Guido, founder of Trail of Bits, a cyber security company that specializes in cryptocurrency and smart contract audits. “Badger uses simple and secure tools such as GitHub and single-page web applications to clearly consider all parts of their development and deployment process. However, the success of supply chain integrity requires perfect, immediate and accurate security monitoring. If Cloudflare is ultimately responsible for providing content to users, then it requires the same well-thought-out security procedures. IT security is still important, and in many ways more important, to blockchain companies.”

The BadgerDAO hack even attracted the attention of mainstream security professionals.

Matthew Green, professor of cryptography and computer science at Johns Hopkins University, wrote on Twitter: “Interestingly, people know very little about computer security in the [decentralized applications] ecosystem. It’s as if they are staying in The Shining hotel and they don’t know what happened in Room 237.”
