Exploit Status Updates

BadgerDAO Technical Post Mortem - Dec 09, 2021, 03:12:38 UTC

On Dec 2 2021, a series of unauthorized transactions occurred, resulting in the loss of funds from Badger users. Following the exploit, Badger engineers worked with cybersecurity firm Mandiant to investigate the incident and believe that an unauthorized API Key allowed a malicious snippet to set user Web3 permission to an attacker wallet.

With the support of Mandiant, Badger has written a thorough technical post mortem detailing the events surrounding last weeks exploit.

Read the full report ➡️ https://badger.com/technical-post-mortem

The Path Forward for Badger - Dec 07, 2021, 19:49:05 UTC

From the moment Badger became aware of the exploit, significant efforts have been made toward rectifying the situation in a safe and timely manner.

The immediate priority for Badger was to stop the exploit by pausing all smart contracts to prevent further loss of funds.

Next, Badger engaged two top cybersecurity firms, to help the investigation and recovery efforts. Chainalysis is performing a blockchain-focused investigation, while Mandiant is looking at the Web2 aspects of the exploit.

The breach was also reported to law enforcement in the U.S. and Canada, and Badger is continuing to cooperate fully with these investigations.

While this is ongoing, Badger is now moving to the recovery phase where efforts will be focused on the following actions, in accordance with Badger’s high standards of community governance:

  1. An in-depth technical post mortem that examines all aspects of the exploit;
  2. A consideration of possible restitution solutions for lost user funds;
  3. A detailed plan to safely restart operations so that users may regain access to funds in Badger smart contracts and
  4. An upgrade to BadgerDAO and/or other technical systems that enable the protocol to minimize the possibility of similar exploits in the future.

In the coming days, Badger will publish more detailed information about these points on badger.com, in our Discord channel, and on the forum.

The remainder of this update outlines Badger’s preliminary technical and governance plans to reactivate the smart contracts and restore any lost governance rights.

Reactivation of Smart Contracts

One of Badger’s top priorities is unpausing smart contracts to resume regular operations of the protocol, but not until the entire frontend architecture has been thoroughly audited by external experts.

Badger is working on a plan to upgrade all vault contracts, which currently intends to:

  1. Disable any interactions by the Badger protocol with the exploiter wallets that hold the stolen funds; and
  2. Redirect any Sett Vault token positions that are currently held by exploiter wallets and have yet to be withdrawn (because the ability to withdraw from Sett Vault positions was paused) to a new multisig wallet with ENS name recovered.badgerdao.eth (0x9faA327AAF1b564B569Cb0Bc0FDAA87052e8d92c).

The code to accomplish the above is currently being developed.  The code and approach is also being assessed by Badger and outside technical and legal reviewers. Subject to these reviews, and once Badger is confident with the approach and changes to the smart contracts' logic, Badger expects to upgrade the vaults accordingly. There is a two-day timelock required for this upgrade to execute. More to come on the specific anticipated upgrade steps when the upgrade is ready.

According to the current plan, once the approach is finalized, Badger expects to initiate a governance vote to approve the reactivation of Badger’s smart contracts. After the vote is concluded, this Snapshot would inform the final decision to be executed, commencing the two-day timelock process.

Governance Next Steps

In summary, subject to the reviews noted above, Badger anticipates the following will occur:

  1. Badger will upgrade certain affected smart contracts to disable any further interaction with or from the malicious exploiter wallets;
  2. Badger will seek to recover stolen Sett Vault tokens from exploiter wallets by re-directing these to the new multisig wallet noted above;
  3. Badger anticipates restoring governance rights to those affected holders who lost the ability to vote (i.e., a loss of position of bBADGER and Badger LP Setts) by providing these holders with sufficient BADGER tokens in order to restore their voting power, based on the weight of their holdings prior to the exploit. The allocated weight will be based on token holder weight positions prior to the exploit (specifically, Badger will use weight positions based on block 13724085, mined on December 2nd); and
  4. Re-activate Badger smart contracts following security testing.

As noted above, a consideration of possible restitution solutions for lost user funds is being actively considered by Badger. Such proposals will be brought forward for Community consideration and will go through the normal Badger governance process (i.e., Requests for feedback (RFF) in Discord, Forum discussion, Snapshot vote, followed by the execution of the Community’s decision).

As always, Badger welcomes feedback from all members of the Community on the path forward.

Badger remains committed to our mission to bring Bitcoin to DeFi and needs your help to ensure that Badger emerges stronger than ever.

Update - Dec 05, 2021, 23:37:44 UTC

The Investigation is ongoing 24/7 to determine full scope of the exploit and take remedial action. Chainalysis and Mandiant continue to work closely with Badger.

Smart Contracts have not yet been reactivated and therefore users remain unable to deposit, claim rewards, or withdraw from either the Badger app (app.badger.com) or at the smart contract level. Badger is working to ensure that the smart contracts can be safely reactivated without further risk to funds.

Badger will continue to provide users with updates as new information is available.

Onchain Message to the Actor - Dec 05, 2021, 03:34:01 UTC

Badgers, an onchain message from 0xDA25ee226E534d868f0Dd8a459536b03fEE9079b has been sent to 0x1FCdb04d0C5364FBd92C73cA8AF9BAA72c269107 & 0x4fbf7701b3078B5bed6F3e64dF3AE09650eE7DE5 to work out a solution.

To the Actor – You have taken funds that do not belong to you but we are willing to work with you and compensate you for identifying this vulnerability in the systems.

We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties. Contact us to discuss further and do the right thing on behalf of the community.

Via email: [email protected] or [email protected]

On Ethereum: 0xDA25ee226E534d868f0Dd8a459536b03fEE9079b

Matrix: @badgerdao:matrix.org

xmpp: [email protected]

To the Community – Please refrain from any offensive actions and instead, please reach out to the following email [email protected] Let’s do our best to stay patient and supportive as a community. Badger will continue to do everything it can.

Be Relentless. Be Badgers.

BadgerDAO Exploit Notice & Recommendations for Users - Dec 04, 2021, 19:21:48 UTC

A recent exploit led some BadgerDAO users to approve a malicious contract that resulted in the loss of funds.

Here is some information on how to tell if your funds are impacted by the exploit.

We will continue to post updates on this matter here.

Current Status of Badger

Upon Badger learning of the attack, all smart contracts have been paused to minimize the risk of further loss of funds.

It is not currently possible to deposit, claim rewards, or withdraw from either the Badger app (app.badger.com) or at the smart contract level. Badger is working to ensure that the smart contracts can be safely reactivated without further risk to funds.

Funds not subject to the exploit remain deposited and continue to earn rewards. Unclaimed user rewards that were accrued prior to the attack are viewable but not claimable in app.badger.com. Smart contracts which harvest the rewards and apply them to user balances are still paused. This means that rewards are currently accruing but are not yet applied to individual user balances. Reward claims will be available when smart contracts are reactivated.

User balances in Sett vaults on app.badger.com are displaying accurately. If your deposits were staked in older Sett Vaults (geysers such as the Uniswap WBTC-Badger LP), visit legacy.badger.finance to see your balance.

How to Tell If You Were Impacted & What To Do

  • Check Etherscan for Unauthorized Transactions. Visit https://etherscan.io/address/[your-address] and check for any ERC-20 transactions out of your account into any unidentified accounts. Many of the unauthorized transactions occurred starting at 05:00 AM UTC on December 02, 2021. If your funds are viewable on Etherscan and app.badger.com as normal, then you were not impacted.

  • Check & Revoke Token Permissions. In this attack, users were prompted to set token permissions to the attacker's address which allowed them to remove funds. At this time, we are encouraging all Badger users to:

    • Check all token approvals here: https://debank.com/profile/[your-address]/approve
    • Search for this address: 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107
    • Decline this approval
    • Search your permissions and revoke any other unrecognized token approval

Next Steps

Badger is conducting an internal investigation and is working with data forensics experts Chainalysis and Mandiant to understand the scope of the attack and determine the best path forward. Badger is also developing a plan to safely reactivate smart contracts.

Badger is cooperating fully with US and Canadian law enforcement authorities in their investigations and will continue to release further updates as soon as possible.

Update - Dec 04, 2021, 16:46:37 UTC

Badger continues to work closely with forensics experts at Chainalysis and Mandiant, and with law enforcement authorities in the US and Canada, to understand the full scale of the incident and to work towards remedial action.

Concurrently Badger is developing a plan to safely reactivate smart contracts. While a definitive timeline is not currently available, Badger will continue to post further information on this matter as it becomes available.

Update - Dec 02, 2021, 21:00:59 UTC

The investigation continues.

Badger has retained data forensics experts Chainalysis to explore the full scale of the incident and authorities in both the US and Canada have been informed and Badger is cooperating fully with external investigations as well as proceeding with its own.

For now, the pause on smart contracts continues in order to prevent further withdrawals. Badger will share further updates as soon as they are available

Update - Dec 02, 2021, 24:45:27 UTC

Badger has received reports of unauthorized withdrawals of user funds.

As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.

Our investigation is ongoing and we will release further information as soon as possible.