A front end exploit appears to have been the way in for hackers to drain around $10 million in several cryptocurrencies from the Badger DAO yield vault protocol.
Suspicions were first aroused on Wednesday evening, as some users were reporting that whilst they were claiming their yield farming rewards and otherwise interacting with the protocol, they noticed that their wallets were asking them for extra permissions that they weren't expecting.
This was brought up on the Badger DAO discord, prompting a core contributer to state:
“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds and that was exploited. Once we noticed we froze all the vaults so nothing can move and are trying to figure out where the approvals came from, how many people have them, and what next steps are,”
The Badger team also confirmed the exploit on their Twitter account, saying that they were investigating the issue:
Most funds were taken on Wednesday evening, but some observers are saying that the extra permission requests had been happening for weeks before the attack. The following list of assets are those that are believed to have been taken.
The team say that all contracts have now been paused, and have advised that anyone wishing to deposit should use Debank or Unrekt to make sure that any malicious permissions are revoked.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.