Badger DAO Protocol's $120 Million Exploit

2021 has seen an increase in Decentralised Finance (DeFi) projects getting hacked. In fact, according to Atlas VPN, DeFi projects may account for 76% of all major hacks in 2021. DeFi projects are often targeted for good reason – they usually start off with a group of crypto-enthusiasts coming together to materialise a project, and like most businesses, security usually is not at the forefront of their minds when designing the projects.

According to researchers from PeckShield, around 120M USD was stolen from users of BadgerDAO in early December 2021 via a security exploit. BadgerDAO is a platform that focuses on providing users with yields for staking their Bitcoin with the platform. According to BadgerDAO, they hold around 240M USD in their treasury holdings, and currently have close to 31,000 users. Users can store their Bitcoin with one of their 40+ vaults, and earn varying levels of yields depending on the yield generation strategy used by these vaults.

BadgerDAO is one of the many up-and-coming projects that are involved with building a community of developers, content creators and users via a DeFi application, and has positioned themselves as one of the most security minded teams within the DeFi space.

What is it?

Investigations about the hack are currently ongoing, but the members of the Badger team told users that they believed the issue came from someone inserting a malicious script in the User Interface of their website. Users who accessed the website when the script was active would alter the destination address of funds to that of the attacker’s chosen address, instead of the original ones.

There are two important points to note in this attack – the fundamental blockchain technology that BadgerDAO was built on is not compromised, and that the attack was carried out via the front-end of the application.

Badger Security and Audit

On their website, the Badger team acknowledges the security risks of using their platform, and their five-part security strategy to mitigate these security risks. Audits are conducted regularly, and new launches of vaults are capped for a testing period to identify bugs in the systems and protocol before they are released to the general public.

Despite this, the Badger team also acknowledges that audit reports only cover limited parts of their codebase and are a snapshot of their codes in a point of time at best. With every subsequent updating of their codes, new vulnerabilities may be introduced.

Are Audits Alone Sufficient?

Security audits have always been challenging. With limited security manpower and a non-exhaustive list of checks, audits can vary greatly in terms of the ability to identify vulnerabilities. Unfortunately, this means that audits are necessary but no longer sufficient to secure your code. To make matters worse, software builds and releases now happen multiple times a day - rendering any point in time audit obsolete in a matter of days if not hours.

In recent years, development and security teams have been bridging the disconnect between application security and development. While there are a variety of tools out in the market that claim to be able to do Application Security Testing (AST Tools), most can be distilled to one of three categories – Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA).

SAST, DAST and SCA work in a complementary manner to allow your teams to automate security testing with the right configurations. This enables developers and security teams to monitor and evaluate the vulnerabilities throughout the development lifecycle, instead of relying on manual efforts to identify vulnerabilities at the end.

Your Software Supply Chain

In the case of BadgerDAO, it is the front-end of the website that was written in Javascript that was vulnerable and exploited – and not the core technology of the product offering. Although investigations are ongoing, it suffices to say that every one of the building blocks of your software needs to be secured.

Securing your software supply chain is critical. With a growing dependency on commercial, vendored and inhouse software, organizations must find a way to run automated, continuous security checks to ensure that they find and fix application-level vulnerabilities before their adversaries can.