- Blockchain analysis firm Chainalysis has been hired by BadgerDAO to help with the hack on its platform
- BadgerDAO users lost some $120 million worth of cryptocurrency due to a website infiltration
- Chainalysis will try to track the movement of the stolen coins
Blockchain tracing firm Chainalysis has been brought in to track the funds stolen this week in the $120 million BadgerDAO hack. The funds were stolen on Wednesday, with the attack seemingly emanating from malicious code added to the BadgerDAO website, but a full post mortem has not yet been forthcoming from the BadgerDAO team.
BadgerDAO Hack Drained User Funds
BadgerDAO tweeted on Wednesday that it had “received reports of unauthorized withdrawals of user funds” which turned out to be an understatement – security firm Peckshield reported in the early hours of yesterday that the amount of stolen funds amounted to some $120 million across a number of assets including BTC and ETH.
Unlike other hacks on DeFi protocols which have seen company reserves stolen, the money taken in the BadgerDAO hack was made up of user funds, which is orders of magnitude more damaging. Indeed, one tweet that soon made the rounds of crypto Twitter alluded to how damaging it might just be:
I thought this shit was decentralized? Wtf? I have over 2.2 million dollars in badgers? Now no remove funds? Wtf? I have my entire@life savings a in badger coins wtf. Now no remove? Wtf?
— 𝒟𝒾𝒶𝓇𝓎 𝑜𝒻 𝒶 𝕽𝖊𝖈𝖑𝖚𝖘𝖊 (@Trader_Recluse) December 2, 2021
Chainalysis Hoping to Track Stolen Funds
Peckshield had more positive news for BadgerDAO users when it tweeted the morning after the hack that it “looks like good progress has been made” without expanding on what that good news might be. BadgerDAO offered an update last night which brought no further information but did reveal the presence of Chainalysis in helping to track down the “passage and ultimate destination of the funds”:
For now, the pause on smart contracts continues in order to prevent further withdrawals. Badger will share further updates as soon as they are available.
— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021
While a formal account of how the hack was carried out is yet to be published, BadgerDAO team members have revealed to individual users that they believe the issue came from someone inserting a malicious script in the UI of their website. When a user interacted with the site while the script was active, it would intercept Web3 transactions and insert a request to transfer the victim’s tokens to the hacker’s address. The code appeared as early as November 10th, with the attackers apparently running it at seemingly random intervals to avoid detection.
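A wallet-side check against the kind of injected request described above, as an added example that is not BadgerDAO's or any wallet's code: it decodes an outgoing `eth_sendTransaction` and blocks standard ERC-20 calls whose beneficiary is not on a user-supplied allowlist. It goes beyond plain transfers to cover allowance calls as well, which also let another address move the tokens; `reviewRequest`, the allowlist and all addresses are hypothetical.

```javascript
// Added illustration: flag token-moving calls whose beneficiary is not allowlisted.
// Standard ERC-20 function selectors (first 4 bytes of calldata) and the
// index of the argument that names who receives tokens or spending rights.
const SELECTORS = {
  "a9059cbb": { name: "transfer", beneficiaryArg: 0 },
  "095ea7b3": { name: "approve", beneficiaryArg: 0 },
  "39509351": { name: "increaseAllowance", beneficiaryArg: 0 },
  "23b872dd": { name: "transferFrom", beneficiaryArg: 1 },
};

// Read the n-th 32-byte ABI word of the arguments as an address, or null if malformed.
function addressArg(argsHex, n) {
  const word = argsHex.slice(n * 64, (n + 1) * 64);
  if (!/^0{24}[0-9a-f]{40}$/.test(word)) return null;
  return "0x" + word.slice(24);
}

// request: a JSON-RPC call as a dapp page hands it to the wallet provider.
// allowlist: addresses the user expects to receive tokens or allowances (assumption).
function reviewRequest(request, allowlist) {
  if (request.method !== "eth_sendTransaction") return { verdict: "ignore" };
  const tx = (request.params || [])[0] || {};
  const data = String(tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[data.slice(0, 8)];
  if (!fn) return { verdict: "allow", reason: "not a known token-moving call" };
  const beneficiary = addressArg(data.slice(8), fn.beneficiaryArg);
  if (!beneficiary) return { verdict: "block", reason: `malformed ${fn.name} calldata` };
  const known = allowlist.map((a) => a.toLowerCase());
  if (!known.includes(beneficiary)) {
    return { verdict: "block", reason: `${fn.name} benefits unlisted address`, beneficiary };
  }
  return { verdict: "allow", reason: `${fn.name} to allowlisted address`, beneficiary };
}

// Constructed sample data: none of these addresses come from the incident.
const VAULT = "0x" + "11".repeat(20);
const UNKNOWN = "0x" + "22".repeat(20);
const TOKEN = "0x" + "33".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const approveCall = (spender) => ({
  method: "eth_sendTransaction",
  params: [{ to: TOKEN, data: "0x095ea7b3" + pad(spender) + "f".repeat(64) }],
});

console.log(reviewRequest(approveCall(VAULT), [VAULT]));   // allowlisted spender
console.log(reviewRequest(approveCall(UNKNOWN), [VAULT])); // unlisted spender
```

A check like this only helps if it runs in the wallet or another layer the website's scripts cannot modify.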
Those affected by the BadgerDAO attack will be waiting with bated breath to see the official report of the hack but more likely waiting to find out if their losses will be honored.