The BadgerDAO DeFi protocol team has published details of the recent hack and reported that the attackers used Cloudflare Workers, a service that lets customers deploy scripts on Cloudflare's edge network.
The developers pointed to a message posted on the Cloudflare community forum at the end of September. A forum member had noticed that anyone could register an account and, before confirming the email address, create and view API tokens; those tokens could not be deleted or deactivated until email verification was completed.
An attacker who does this can simply wait for the account's registration to be verified, at which point the tokens created earlier give them working API access.
After the incident, the BadgerDAO team analyzed its Cloudflare logs and found traces of unauthorized account registration and of API key generation for three of its interfaces.
In mid-September, the developers “unknowingly completed account registration” for one of the compromised interfaces, which was “used for legitimate Cloudflare management activities.”
"The user interface does not make it clear that the account has already been created, so a key for the API was generated. On November 10, an attacker used API access to inject malicious scripts via Cloudflare Workers into the HTML of the app.badger.com site," the developers wrote.
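The two things the post-mortem describes finding, tokens generated before the team itself completed account registration and a Worker script injected into the site, can both be turned into a routine audit. The script below is an added example, not part of the original article and not code from BadgerDAO or Cloudflare. It runs on constructed JSON that follows the shape of Cloudflare's v4 list responses as assumed here (token fields id, name, status, issued_on; route fields id, pattern, script), flags every API token issued before the account's verification timestamp, and flags every Worker route whose script is not in the team's own baseline. The route check generalizes slightly beyond the article, which only says scripts were injected into the HTML: any script bound to the site through the Workers API shows up as a route, so comparing routes against a baseline catches that class of change.

```python
"""Audit Cloudflare API tokens and Worker routes against a team baseline.

Added example; not the article's, BadgerDAO's or Cloudflare's code. The JSON
below is CONSTRUCTED sample data. The field names assumed for tokens
(id, name, status, issued_on) and routes (id, pattern, script) should be
confirmed against the live API (GET /client/v4/user/tokens and
GET /client/v4/zones/{zone_id}/workers/routes) before reuse.
"""
import json
from datetime import datetime, timezone

# Constructed: the moment the legitimate team completed email verification.
# The article only says "mid-September"; this exact timestamp is invented.
ACCOUNT_VERIFIED_AT = "2021-09-15T10:00:00Z"

# Constructed sample token list, shaped like a list-tokens response.
SAMPLE_TOKENS_JSON = """
{"success": true, "result": [
  {"id": "tok-constructed-1", "name": "ci-deploy", "status": "active",
   "issued_on": "2021-09-08T14:02:11Z"},
  {"id": "tok-constructed-2", "name": "dns-edit", "status": "active",
   "issued_on": "2021-09-20T09:30:00Z"},
  {"id": "tok-constructed-3", "name": "old-import", "status": "disabled",
   "issued_on": "2021-09-01T08:15:00Z"}
]}
"""

# Constructed sample route list, shaped like a list-worker-routes response.
SAMPLE_ROUTES_JSON = """
{"success": true, "result": [
  {"id": "rt-constructed-1", "pattern": "app.example.test/*", "script": "static-assets"},
  {"id": "rt-constructed-2", "pattern": "app.example.test/*", "script": "edge-rewrite-x"}
]}
"""

# Scripts the team knows it deployed: the baseline an auditor keeps in version control.
KNOWN_WORKER_SCRIPTS = {"static-assets"}


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_pre_verification_tokens(tokens_json, verified_at):
    """Return (id, name, status) for every token issued before the account was
    verified. A token that predates the team's own registration step is one the
    team did not create, whatever its current status."""
    cutoff = parse_ts(verified_at)
    payload = json.loads(tokens_json)
    flagged = []
    for tok in payload.get("result", []):
        if parse_ts(tok["issued_on"]) < cutoff:
            flagged.append((tok["id"], tok["name"], tok["status"]))
    return flagged


def find_unexpected_routes(routes_json, known_scripts):
    """Return (route id, pattern, script) for every Worker route whose script is
    not in the baseline. A script pushed through the Workers API only affects
    the site once it is bound to a route, so this is where it becomes visible."""
    payload = json.loads(routes_json)
    return [
        (r["id"], r["pattern"], r["script"])
        for r in payload.get("result", [])
        if r.get("script") not in known_scripts
    ]


def audit(tokens_json=SAMPLE_TOKENS_JSON, routes_json=SAMPLE_ROUTES_JSON,
          verified_at=ACCOUNT_VERIFIED_AT, known_scripts=KNOWN_WORKER_SCRIPTS):
    """Run both checks and return a report dict keyed by check name."""
    return {
        "pre_verification_tokens": find_pre_verification_tokens(tokens_json, verified_at),
        "unexpected_routes": find_unexpected_routes(routes_json, known_scripts),
    }


if __name__ == "__main__":
    report = audit()
    for check, findings in report.items():
        print(f"{check}: {len(findings)} finding(s)")
        for item in findings:
            print("  ", item)
    # Non-zero exit when anything is flagged, so a scheduled job can alert on it.
    raise SystemExit(1 if any(report.values()) else 0)
```

On the constructed data the token check flags two tokens (one still active, one disabled) and the route check flags one route, which is the kind of result that would have surfaced the pre-registration keys the article describes without waiting for the site to be altered.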
The hacker stole assets worth more than $130 million, but about $9 million may be recovered, since those funds have not yet been withdrawn from the protocol's vaults. The net damage therefore exceeds $121 million.
Figure: assets stolen by the hacker. Data: BadgerDAO.
The project team reported that it has already closed the gap that made the attack possible, changed the password of its Cloudflare account, and deleted or rotated the API keys.
Since the hacker's identity has not yet been established, BadgerDAO has engaged Mandiant and Chainalysis to investigate the incident. The developers added that they are cooperating with law enforcement agencies in the United States and Canada.
In a conversation with Bloomberg, a Cloudflare representative stressed that the company’s systems “were not hacked,” and there are no vulnerabilities in the Workers service.
“Last week we learned about the BadgerDAO incident. We contacted the project team and actively assisted in the investigation,” he said.
BadgerDAO was hacked on December 2. PeckShield analysts estimated the damage at more than $120 million and noted that one address alone lost ~900 BTC (more than $50 million at the current exchange rate). A community member on Twitter suggested that the address identified by the analysts belongs to Celsius Network.
Recall that in September, unknown persons gained unauthorized access to Bitcoin.org and placed a fraudulent cryptocurrency giveaway announcement on its main page. The site's operator, known as Cobra, suggested that the problem could be related to Cloudflare services.