
BadgerDAO team reveals details of $121 million hack


The team behind the BadgerDAO DeFi protocol has published details of the recent hack. According to the team, the attackers used Cloudflare Workers, a service that lets customers deploy scripts which run on Cloudflare's edge network and can modify the responses served to a site's visitors.


2/ We believe that all remediation decisions should be made as a community with strong consideration for the long term health of the DAO and victims of this incident.

You can review a detailed technical post mortem of the incident below.

👉https://t.co/jjwDSeRwWC

— ₿adgerDAO 🦡 (@BadgerDAO) December 10, 2021

The developers drew attention to a post that appeared on Cloudflare's community forum in late September. A forum participant reported that it was possible to register an account with an email address one did not control and, before that address had been verified, to create and view API tokens for the account; those tokens could not be deleted or deactivated until email verification was completed.


Having pre-created such an account and its tokens, an attacker only had to wait for the legitimate owner of the email address to verify it and complete the registration, at which point the tokens became working credentials for the Cloudflare API.


Following the incident, the BadgerDAO team reviewed its Cloudflare logs and found traces of exactly this pattern: unauthorized account registrations, followed by the creation of three API tokens.


In mid-September, the developers unknowingly completed the registration of one of these pre-created accounts, which "was used for legitimate Cloudflare administration" activities.


“The user interface does not indicate that the account has already been created, so an API key was generated. On November 10, the attacker used API access to inject malicious scripts through Cloudflare Workers into the HTML file of the site app.badger.com,” the developers wrote.


The attacker stole assets worth more than $130 million. Around $9 million of that may be recoverable because it has not yet been withdrawn from the protocol's vaults, which puts the net loss at over $121 million.


Assets stolen by the hacker. Data: BadgerDAO.


The project team said it has already closed the access path that made the attack possible, changed the Cloudflare account password, and removed or rotated the API keys.


As the hacker’s identity has not yet been established, BadgerDAO engaged Mandiant and Chainalysis to investigate the incident. The developers added that they are cooperating with law enforcement authorities in the United States and Canada.


In an interview with Bloomberg, a Cloudflare spokesperson stressed that the company's systems were not compromised and that there are no vulnerabilities in the Workers service. The weakness the BadgerDAO team pointed to lay in account registration and API-token handling rather than in Workers itself, which the attacker used only as a delivery mechanism once it had API access.


“Last week we learned of the BadgerDAO incident. We contacted the project team and provided active assistance in the investigation,” he said.


BadgerDAO was hacked on December 2. PeckShield experts estimated the damage at more than $120 million and noted that a single address lost about 900 BTC (more than $50 million at prices at the time). A community member on Twitter suggested that the address is linked to Celsius Network.


Earlier, in September, unknown attackers gained unauthorized access to Bitcoin.org and posted a fraudulent cryptocurrency airdrop notice on its homepage. The site's operator, Cobra, suggested that the issue might be related to Cloudflare services.


