How to Derail a 120-Million-Dollar Hack

Article by Forta Network Apr. 14, 2022

The BadgerDAO cryptocurrency heist, in which USD 120 million was stolen from a group of hundreds of people, was the fifth largest theft of crypto assets in 2021 and the eleventh largest ever. This hack—specifically designed to attack Web3 and decentralized networks—revealed that current security measures are not enough. 

Web3 is nascent, and it needs better security practices and tooling before it’s ready for primetime. In cases like the BadgerDAO attack, audits, bug bounties, and a dedicated security team were not enough to stop the hack. To catch the hack in time and mitigate its impact, real-time security monitoring was needed.

The Microsoft 365 Defender Research Team describes the situation in greater detail in the article linked here. To explain their conclusions, we’ll take a look at what BadgerDAO is, what a Web3 hack can look like, what ice phishing is, and the simple but highly effective solution to this USD 120 million problem.

BadgerDAO 

BadgerDAO is a decentralized autonomous organization that lets holders of bitcoin earn interest on their cryptocurrency. By using DeFi, Badger’s 31,000 users yield much higher returns than seen in traditional finance. There are three main sources of yield:

  1. Yield Farming: investing in new DeFi startups that give tokens to attract investors
  2. Lending: just like a traditional bank
  3. Providing Liquidity: lending crypto assets to a platform to help with decentralization of trading, for a fee

What makes Badger unique is its Sett Vaults. These are smart contracts that strategically use the three sources of yield to maximize profit and minimize risk. There are several Sett Vaults to choose from, depending on the user’s financial strategies.

Towards the end of November 2021, Badger had around USD 850 million total value locked. Then came the ice phishing attack.

The Attack 

In the most common sort of phishing attack, a fraudster steals private data, like a username and password, and uses that data to steal money. In an ice phishing attack, however, the thief doesn’t need to steal the username or password. The victim is tricked into signing actions that effectively hand over their tokens.

As the team at Microsoft describes, the BadgerDAO hacker’s ice phishing scheme went like this: 

– Three weeks before the heist, the hacker began injecting malicious scripts into the front-end software of BadgerDAO. 

– With this malicious software in play, as users signed what appeared to be regular financial transactions, they unknowingly gave the attacker approval to spend their tokens. 

– The hacker silently accumulated approvals from almost 200 accounts, then at 12:48 am on December 2, 2021, the hacker drained the victims’ wallets in under 10 hours.

The Solution 

BadgerDAO’s security measures were top notch: audits by top security firms, bug bounties, and their own team of expert security researchers who review systems daily. BadgerDAO’s users had full control of their data–there was no leak. The users were also vigilant. Some of them reported abnormalities, but to the security team, their concerns looked like user error. All of these security measures failed to detect or prevent the exploit.

According to the Microsoft 365 Defender Research Team, Forta detection bots would have succeeded. 

Forta’s runtime threat monitoring represents a new category of blockchain security. Forta detection bots are intelligent components that continually monitor blockchain activity. By looking for signs of suspicious activity, a detection bot can sound an alarm before any serious damage is done. With the warning from a detection bot, users can either stop activity with an automated response or look at the problem themselves.

In the BadgerDAO attack, a Forta detection bot would have sounded the alarm before the funds were drained as shown in this timeline:

The first detectable oddity was when a BadgerDAO user gave approval to a person—not a smart contract—to use their tokens. This action might seem suspicious, but maybe not enough to sound the alarm (and technically, the user gave approval to a type of account that is usually used by a person, not necessarily a person, but for now, let’s not be persnickety).

The second oddity was that the potential attacker had conducted relatively few transactions. Someone who only intends to steal would have no need to make the transactions that a normal user would make. Again, this behavior is odd, and it could warrant a low-level security alert, but it is probably not sufficient for a critical alert.

The third oddity was that the attacker had gathered over 500 approvals to access the tokens in other users’ accounts. For reference, even two such approvals would have been unusual enough to raise eyebrows.

As these suspicious actions added up, at some point, an alarm should have gone off. This alarm could have issued a command to stop transactions or alerted the user so they could take matters into their own hands.
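As an added illustration of how those three oddities can be combined into an escalating alert (this is simplified example code written for this page, not the Microsoft/Forta bot's own implementation), the handler below scores ERC-20 Approval logs: the thresholds, sample addresses and the in-memory stand-in for on-chain `eth_getCode` / `eth_getTransactionCount` lookups are all assumptions.

```javascript
// Simplified re-implementation of the three-step ice-phishing heuristic described
// above. Constructed data; thresholds and the in-memory chain lookup are assumptions.

// keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const CRITICAL_APPROVAL_COUNT = 2; // article: even two such approvals are unusual
const LOW_TX_COUNT = 5;            // assumed cut-off for "relatively few transactions"

// Stands in for eth_getCode / eth_getTransactionCount (constructed, not real chain data)
const chainState = {
  ["0x" + "a".repeat(40)]: { isContract: false, txCount: 3 }, // fresh EOA: suspicious
  ["0x" + "b".repeat(40)]: { isContract: true, txCount: 0 },  // e.g. a DEX router
};

// Indexed address params are left-padded to 32 bytes in log topics
const toTopic = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const fromTopic = (topic) => "0x" + topic.slice(-40);

// Returns a handler that keeps per-spender state across logs, the way a
// Forta bot keeps state across the transactions it is fed.
function createIcePhishingDetector(state) {
  const ownersBySpender = new Map();
  return function handleLog(log) {
    if (log.topics[0] !== APPROVAL_TOPIC) return [];
    const owner = fromTopic(log.topics[1]);
    const spender = fromTopic(log.topics[2]);
    const info = state[spender];
    // Oddity 1: approvals to contracts (routers, vaults) are normal; to EOAs they are not
    if (!info || info.isContract) return [];
    const owners = ownersBySpender.get(spender) ?? new Set();
    owners.add(owner);
    ownersBySpender.set(spender, owners);
    let severity = "Low";
    // Oddity 2: the spender has almost no transaction history of its own
    if (info.txCount < LOW_TX_COUNT) severity = "Medium";
    // Oddity 3: the same EOA collecting approvals from many distinct owners
    if (owners.size >= CRITICAL_APPROVAL_COUNT) severity = "Critical";
    return [{ name: "Ice phishing approval", severity, spender, approvals: owners.size }];
  };
}

// Constructed sample logs: two victims approve the EOA, one approves the router
const attacker = "0x" + "a".repeat(40);
const router = "0x" + "b".repeat(40);
const sampleLogs = [
  { topics: [APPROVAL_TOPIC, toTopic("0x" + "1".repeat(40)), toTopic(attacker)] },
  { topics: [APPROVAL_TOPIC, toTopic("0x" + "2".repeat(40)), toTopic(router)] },
  { topics: [APPROVAL_TOPIC, toTopic("0x" + "2".repeat(40)), toTopic(attacker)] },
];

function runSample() {
  const handle = createIcePhishingDetector(chainState);
  return sampleLogs.flatMap(handle); // [Medium finding, Critical finding]
}
```

In a real bot the `chainState` lookup would be replaced by RPC calls and the critical threshold tuned per protocol; the escalation order is what matters.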

The Microsoft 365 Defender Research Team created that Forta detection bot and added it to the archive of Forta detection bots on GitHub.

For a more in-depth technical explanation of how their detection bot works, check out: How Forta could have helped prevent BadgerDAO’s 120M hack.

Implementation

The lessons we learned from this ice phishing attack are useless if we do not take action. If you’re a protocol team looking for ways to avoid online threats like the USD 120 million attack on BadgerDAO, reach out to us at info@forta.org.

If you’re a developer interested in writing your own detection bots on Forta, use the Forta Detection Bot SDK to get started!

If you believe in our mission–to ensure the success of Web3 through superior security–let more people know about Forta. Follow Forta on Twitter and Discord and sign up to the newsletter at forta.org.