DeFi disasters: $31M drained from MonoX and BadgerDAO losses top $120M

Published at: Dec. 3, 2021

More than $150 million has been lost this week in separate security breaches at DeFi projects MonoX and BadgerDAO.

Multi-chain decentralized exchange (DEX) MonoX (MONO) suffered a cyber attack on Nov. 30 leading to about $31 million in losses. BadgerDAO (BADGER) suffered a front-end attack that was discovered on Dec. 2 with estimates of Badger’s losses hitting more than $120 million.

The MonoX DEX platform suffered a single attack on Nov. 30. A bug in the smart contract allowed a discrepancy to arise between asset prices when they were manually changed.

Rekt News explained that hackers were able to inflate the price of MONO via the smart contract, then buy up other assets from the protocol with MONO.

“The hacker created a loop in which the price of tokenOut would overwrite the price of tokenIn, pumping the price of MONO over the course of many 'swaps.'”
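The overwrite described above can be reproduced in a toy model. This is an added example, not MonoX's contract code: the `ToyPool` class, its 10% price-impact rule and the sample prices are assumptions made for illustration, as is the premise that the same token is passed as both tokenIn and tokenOut. It shows the unchecked update next to a version that rejects the self-swap and enforces a post-condition.

```python
from dataclasses import dataclass, field


@dataclass
class ToyPool:
    # token -> price in a reference unit (constructed sample values)
    prices: dict = field(default_factory=lambda: {"MONO": 1.0, "USDC": 1.0})
    impact: float = 0.10  # assumed fractional price move per swap

    def _quote(self, token_in, token_out):
        # Both new prices are derived from state read before any write.
        new_in = self.prices[token_in] * (1 - self.impact)    # sold token gets cheaper
        new_out = self.prices[token_out] * (1 + self.impact)  # bought token gets dearer
        return new_in, new_out

    def swap_unchecked(self, token_in, token_out):
        new_in, new_out = self._quote(token_in, token_out)
        self.prices[token_in] = new_in
        # If token_in == token_out this is the same slot: the tokenOut price
        # overwrites the tokenIn price, so the token's price only ever rises.
        self.prices[token_out] = new_out

    def swap_checked(self, token_in, token_out):
        if token_in == token_out:
            raise ValueError("tokenIn and tokenOut must be different tokens")
        before = self.prices[token_in]
        self.swap_unchecked(token_in, token_out)
        # Post-condition: selling a token must never raise its price.
        assert self.prices[token_in] <= before


def price_after_self_swaps(swap_name, rounds=10):
    """Run `rounds` MONO->MONO swaps; return (final MONO price, rejected count)."""
    pool = ToyPool()
    rejected = 0
    for _ in range(rounds):
        try:
            getattr(pool, swap_name)("MONO", "MONO")
        except ValueError:
            rejected += 1
    return pool.prices["MONO"], rejected


if __name__ == "__main__":
    print("unchecked:", price_after_self_swaps("swap_unchecked"))
    print("checked:  ", price_after_self_swaps("swap_checked"))
```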

The MonoX team confirmed as much in a Nov. 30 tweet. In a postmortem published on Dec. 2, total losses were confirmed at about $31 million. The team added:

"Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money. Our supporters put their faith in a new project like us, and yesterday we let them down."

MONO was listed on Huobi only five days before the hack on MonoX.

The Badger security breach was an ongoing threat to users interacting with Badger DAO’s platform rather than a single large exploit.

Discord users began reporting unusual spend requests from the Badger platform and alerted admins on social media and on Discord as early as Nov. 27.

Admin Blackbear responded that the request was unusual, but likely caused by a benign bug in the front-end user interface (UI).

https://twitter.com/0xMoves/status/1466275399944445952

What was taken for a bug in the UI turned out to be a malicious attacker attempting to steal funds from that user’s withdrawal. The same tactic would be used on random users for days, or even weeks, before it was discovered as a security breach.


At the time of writing, losses from the Badger attack amounted to over $120 million, including 2078.76 BTC, 30.27 ibBTC, and 151.32 ETH, according to blockchain analytics company PeckShield. The Badger team has been investigating the issue and has paused all smart contracts on the protocol to avoid any further losses.
