All smart contracts have been paused, but users are urged to revoke the token approvals granted to the contract used in the attack to avoid further losses.
The BadgerDAO decentralized finance protocol appears to have suffered a cyber attack leading to the loss of a reported $10 million at the time of writing.
The attack, which was made public at about 2 a.m. UTC on Dec. 2, targeted users of the protocol on the Ethereum network through the contract at address 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107.
FYI, nasty frontend attack on Badger, looks like ~10m taken out of people’s wallets using rug approval. If you’ve interacted with anything badger related in last few weeks, check and revoke asap https://t.co/vJPMmBZ3af
— Spreek (@spreekaway) December 2, 2021
Users who have interacted with this contract are urged to revoke its permission from their wallet.
To revoke a contract's permissions, visit Etherscan's Token Approval Checker at etherscan.io, connect a wallet you believe may be exposed, and set the allowance for the contract to zero. An ERC-20 approval stays in force until it is overwritten, so although the attack only happened recently, the permission for the contract may have been granted weeks ago.
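The following Node.js script is an added example, not code from the article or from BadgerDAO, showing what the revocation step above actually does on chain: it reconstructs which ERC-20 allowances are still live from a wallet's Approval event logs (the latest log per token, owner and spender wins, so an approval from weeks ago is still the effective one) and builds the `approve(spender, 0)` calldata that revokes each one. The spender address is the one named above; the token and owner addresses and the log entries are constructed sample data, and the function selectors and event topic are the standard ERC-20 ones. It uses no libraries.

```javascript
// Added example, not code from the article or from BadgerDAO.
// Reconstructs live ERC-20 allowances from Approval event logs and builds the
// calldata that revokes one. Standard ERC-20 constants; no libraries needed.

// keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval log
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3";   // approve(address,uint256)
const ALLOWANCE_SELECTOR = "0xdd62ed3e"; // allowance(address,address)
const UINT256_MAX = (1n << 256n) - 1n;   // the "unlimited" approval many dapps request

// Spender address named in the article.
const SUSPECT_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107";

// ABI helpers: a 32-byte word is 64 hex chars; addresses are left-padded with zeros.
function pad32(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}
function encodeAddress(addr) { return pad32(addr); }
function encodeUint(n) { return pad32(n.toString(16)); }
function topicToAddress(topic) { return "0x" + topic.slice(-40).toLowerCase(); }

// eth_call data for token.allowance(owner, spender): what an approval checker queries.
function encodeAllowanceCall(owner, spender) {
  return ALLOWANCE_SELECTOR + encodeAddress(owner) + encodeAddress(spender);
}
// Decode the single uint256 word returned by allowance() (or carried in log data).
function decodeAllowanceResult(hex) { return BigInt(hex); }

// Transaction data for token.approve(spender, 0): the standard way to revoke.
function encodeRevokeCall(spender) {
  return APPROVE_SELECTOR + encodeAddress(spender) + encodeUint(0n);
}

// Approvals overwrite rather than accumulate, so the latest Approval log per
// (token, owner, spender) is the allowance that is live right now. A log from
// weeks ago is still the effective value if nothing has replaced it since.
function currentAllowances(logs) {
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
  const live = new Map();
  for (const log of ordered) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;
    const token = log.address.toLowerCase();
    const owner = topicToAddress(log.topics[1]);
    const spender = topicToAddress(log.topics[2]);
    const value = decodeAllowanceResult(log.data);
    live.set(`${token}|${owner}|${spender}`, { token, owner, spender, value, blockNumber: log.blockNumber });
  }
  return [...live.values()].filter((a) => a.value > 0n);
}

// Everything a given spender can still pull from the wallets in `logs`, with the
// revocation calldata the owner would send to each token contract.
function findExposures(logs, spender) {
  return currentAllowances(logs)
    .filter((a) => a.spender === spender.toLowerCase())
    .map((a) => ({
      ...a,
      unlimited: a.value === UINT256_MAX,
      revokeTo: a.token,
      revokeData: encodeRevokeCall(a.spender),
    }));
}

// Constructed sample data: token, owner and legitimate-spender addresses are made up.
const TOKEN_A = "0x00000000000000000000000000000000000000a1";
const TOKEN_B = "0x00000000000000000000000000000000000000b2";
const ALICE = "0x0000000000000000000000000000000000000a11";
const BOB = "0x0000000000000000000000000000000000000b0b";
const LEGIT_SPENDER = "0x000000000000000000000000000000000000c0de";

function approvalLog(token, owner, spender, value, blockNumber, logIndex) {
  return {
    address: token,
    topics: [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
    data: "0x" + encodeUint(value),
    blockNumber,
    logIndex,
  };
}

const SAMPLE_LOGS = [
  approvalLog(TOKEN_A, ALICE, SUSPECT_SPENDER, UINT256_MAX, 13600000, 3), // weeks ago, unlimited
  approvalLog(TOKEN_A, ALICE, LEGIT_SPENDER, 1000n, 13600500, 1),
  approvalLog(TOKEN_B, BOB, SUSPECT_SPENDER, 500n, 13700000, 7),
  approvalLog(TOKEN_B, BOB, SUSPECT_SPENDER, 0n, 13750000, 2),              // Bob already revoked
];

for (const e of findExposures(SAMPLE_LOGS, SUSPECT_SPENDER)) {
  console.log(`${e.owner} -> ${e.spender} on ${e.token}: ${e.unlimited ? "UNLIMITED" : e.value}`);
  console.log(`  revoke: send to ${e.revokeTo} with data ${e.revokeData}`);
}
```

Against a real wallet the logs would come from a node via eth_getLogs filtered on topic[0] = APPROVAL_TOPIC and topic[1] = your address, and each revocation is a normal transaction from that wallet to the token contract carrying the `approve(spender, 0)` data (setting to zero is accepted even by tokens that reject non-zero to non-zero allowance changes). Revoking costs gas for every token and spender pair, which is why the unlimited approvals that dapps commonly request are worth checking first.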
The total unconfirmed losses come to about $10.6 million.
The BadgerDAO team has not confirmed the exploit, but at 4:30 a.m. UTC it tweeted an acknowledgment that there have been reports of unauthorized withdrawals. All smart contracts on BadgerDAO have been paused to prevent any further potentially malicious withdrawals.
Badger has received reports of unauthorized withdrawals of user funds.
As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.
Our investigation is ongoing and we will release further information as soon as possible.
— ₿adgerDAO (@BadgerDAO) December 2, 2021
Early reports claim that some users were prompted by the protocol's front end to sign unusual spend (approval) requests. It is suspected that these requests were the attack in action: a compromised front end asking users to grant token approvals to the attacker's address rather than to the legitimate vault contracts.
Some have revised the value of suspected losses to upward of $100 million, with one user reportedly losing $90 million.
On Badger’s official Discord server, core contributor Tritium wrote “It looks like a bunch of users had approvals set for the exploit address allowing it to operate on their vault funds and that was exploited.”
BADGER is down 15% to $22.71 on CoinGecko at the time of writing.