Security & Audits
BadgerDAO has one of the most security minded teams in DeFi and has pioneered several practices to minimize risk.
Despite these efforts, using decentralized finance applications – including BadgerDAO – involves risk to your funds.
As a user, interacting with BadgerDAO products is your decision to make after considering your financial position, risk tolerance, and outlook on the various crypto assets involved.
Prior to depositing any funds, we strongly recommend reading this article to better understand the risks of using BadgerDAO, our security strategy, and your options for insurance coverage on your deposits.
BadgerDAO’s Security Strategy
BadgerDAO has developed a five-part strategy to ensure the security of user funds. The pillars of BadgerDAO's security strategy are:
Audits. BadgerDAO’s smart contracts are regularly audited by top security firms to discover and fix vulnerabilities before launch. Audit reports are linked below. Please note that audit reports cover specific portions of the BadgerDAO codebase and are done at a snapshot in time. Our code is frequently updated, which could introduce new vulnerabilities.
- bveAURA (now graviAURA) C4 Audit (Jun, 2022)
- Citadel C4 Audit (Apr, 2022)
- Quantstamp Vaults 1.5 Audit (Jan, 2022)
- ibBTC C4 Audit (Dec, 2021)
- bveCVX C4 Audit (Nov, 2021)
- Quantstamp ibBTC Audit (Aug, 2021)
- DeFiYield.info Core Token & Governance Audit (Feb, 2021)
- Haechi Audit (Jan, 2021)
- Zokyo Audit (Dec, 2020)
Guarded Launch. BadgerDAO was among the first in DeFi to use a guarded launch strategy where new Vaults are capped at a low ceiling for an initial testing period. This allows any bugs to be found and fixed before Vaults are opened to the general public.
Council of White Hats. BadgerDAO works with a team of expert white hat security researchers on a daily basis to review our systems and respond in real time to any vulnerabilities that are discovered.
Bug Bounties. BadgerDAO maintains bug bounty programs through Immunefi and Armor Alliance that pay up to $750,000 for the discovery of critical vulnerabilities. This is one of the most generous bug bounties in DeFi and creates a powerful incentive for bugs to be reported, not exploited.
Insurance. Nexus Mutual is a DeFi insurance protocol that allows users to purchase contracts that pay out if funds are lost due to certain types of smart contract exploit. The cost of coverage for Badger products is currently 2.6%, among the lowest in DeFi, which reflects a favorable appraisal of BadgerDAO’s security practices. BadgerDAO’s integration with Nexus Mutual gives users the option to buy an additional layer of safety for their crypto assets within the BadgerDAO ecosystem.
Risks of Using Badger
Smart Contract Risk
Earning yield with BadgerDAO requires interacting with smart contracts, which can sometimes fail or be prone to attacks. If there's a bug in the code, bad actors may take advantage, leading to a loss of funds.
To reduce this risk, audits are carried out by third parties retained by BadgerDAO and independent security researchers. During audits, experienced software developers review our smart contract code to identify potential security vulnerabilities before launch.
Security audits don’t completely eliminate risk; they simply do a thorough analysis of the code in order to correct design issues, errors and vulnerabilities. Like all work done by humans, problems can be missed.
To add an additional layer of security, BadgerDAO has deployed one of the biggest bug bounty programs in DeFi. This program incentivizes researchers to act responsibly by offering them a generous reward in return for disclosing any undiscovered bugs within the smart contracts.
Audits do not eliminate risk, and attacks can still happen resulting in loss of user funds.
The Dev Multisig address maintains contract upgradability rights, can set key parameters to all products, controls the treasury, and manages all permissions.
To reduce the probability of the Dev Multisig address being exploited, 3 out of 5 signers are required to sign a transaction. In addition, there is a 48-hour timelock for all key vault system governance and upgradability functions.
BadgerDAO, as outlined in BIP-33, is in a process of moving towards a completely decentralized autonomous organization. This includes multiple changes, especially to team addresses. As those are implemented this page will be updated.
Some yield-earning strategies within Vaults use smart contracts from third party platforms. Each strategy has a unique risk profile depending on what contracts and tokens it interacts with. To minimize this risk, BadgerDAO only seeks out trusted DeFi platforms with a strong reputation in order to ensure the safety of user funds.
Crypto assets deposited into Vaults, Badger native assets (e.g. BADGER and DIGG), and third party tokens issued as rewards to BadgerDAO users (e.g. xSUSHI and CVX) are volatile and subject to market fluctuations. Assets that attempt to maintain a 1:1 peg with other assets (e.g. DIGG to BTC or ibBTC to BTC) may fail to achieve their peg due to market conditions or smart contract failure.
Impermanent Loss Risk
Some Vaults require users to deposit Liquidity Provider (LP) tokens to receive rewards. LP tokens are obtained by depositing equal value amounts of two crypto assets into a smart contract that allows other users to swap between assets in the pair. Providing liquidity exposes users to loss when the two assets diverge in price. Users can suffer losses if the rewards paid for providing liquidity do not compensate for the impermanent loss caused by asset price divergence.
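As an added worked example (not code from the BadgerDAO docs or codebase), the calculation below quantifies the impermanent loss described above and the reward value a Vault would have to pay before the LP position outperforms simply holding. It assumes a constant-product (x*y=k) pool with no swap fees, as used by Sushi/Uniswap-style LP tokens, and that arbitrage has rebalanced the pool to the new price; prices and amounts are constructed sample values.

```python
import math


def lp_position_value(a0: float, p0: float, p1: float) -> float:
    """Value, denominated in asset B, of an LP position opened with a0 units of
    asset A plus the equal-value amount of B at price p0 (B per A), after the
    price moves to p1. Assumes a fee-free constant-product pool (x * y = k)
    whose reserves arbitrage has rebalanced to the new price."""
    b0 = a0 * p0              # equal-value deposit of asset B
    k = a0 * b0               # the depositor's share of the pool invariant
    a1 = math.sqrt(k / p1)    # reserves after arbitrageurs rebalance to p1
    b1 = math.sqrt(k * p1)
    return a1 * p1 + b1


def hold_value(a0: float, p0: float, p1: float) -> float:
    """Value in B of the same two deposits if they had simply been held."""
    return a0 * p1 + a0 * p0


def impermanent_loss(p0: float, p1: float) -> float:
    """Fractional loss of the LP position versus holding (0 at no price change,
    negative otherwise). Closed form of lp_position_value / hold_value - 1."""
    r = p1 / p0
    return 2 * math.sqrt(r) / (1 + r) - 1


def rewards_to_break_even(a0: float, p0: float, p1: float) -> float:
    """Reward value (in B) the Vault must have paid out for the LP position to
    match holding; this is the bar the strategy's yield has to clear."""
    return max(0.0, hold_value(a0, p0, p1) - lp_position_value(a0, p0, p1))


def lp_beats_holding(a0: float, p0: float, p1: float, rewards: float) -> bool:
    """True if rewards received (valued in B) cover the impermanent loss."""
    return lp_position_value(a0, p0, p1) + rewards >= hold_value(a0, p0, p1)


if __name__ == "__main__":
    # Constructed sample: deposit 1 unit of A when 1 A = 1 B; A then 4x's.
    a0, p0, p1 = 1.0, 1.0, 4.0
    print(f"LP value:   {lp_position_value(a0, p0, p1):.4f} B")
    print(f"Hold value: {hold_value(a0, p0, p1):.4f} B")
    print(f"IL:         {impermanent_loss(p0, p1):.2%}")
    print(f"Rewards needed to break even: {rewards_to_break_even(a0, p0, p1):.4f} B")
```

The loss is symmetric in the direction of divergence: a 4x rise and a 4x fall in the A/B price both cost the LP about 20% relative to holding.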
Self Custody Risk
To interact with BadgerDAO, users must hold their own crypto asset private keys. Properly securing the private keys to your crypto involves some degree of technical skill. Mistakes such as losing your private keys, sending crypto to the wrong address, installing malware, or falling victim to a phishing attack can result in the permanent loss of your funds. Even very experienced crypto users have made these mistakes. Before self custodying assets, users should familiarize themselves with crypto security best practices and understand the risks involved.
Dec 2021 Exploit
On Dec 2 2021, a series of unauthorized transactions occurred, resulting in the loss of funds from Badger users. Following the exploit, Badger engineers worked with cybersecurity firm Mandiant to investigate the incident and have prepared the following initial report.