The team behind the Badger DAO decentralized finance (DeFi) protocol has revealed details of the recent hack. It reported that during the attack, hackers used the Cloudflare Workers service, which allows deploying scripts in the company’s cloud network.
The developers drew attention to a message that appeared on the Cloudflare forum at the end of September. In it, one of the participants noted that unauthorized users can register accounts, as well as create and view Application Programming Interface (API) tokens, which users cannot delete or deactivate until email verification is complete.
After performing these actions, the attacker can wait for verification and completion of account registration, thereby gaining access to the API.
The hacker stole assets worth more than $130 million
After the incident, the Badger DAO team analyzed the Cloudflare logs and found traces of unauthorized account registration and key generation for three APIs.
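The kind of log review described above can be illustrated with a short check that flags API tokens created before the owning account's email was verified. This is an added example, not code from Badger DAO or Cloudflare; the event schema, account names and token IDs are constructed assumptions and do not reflect Cloudflare's actual log format.

```python
from datetime import datetime

# Constructed sample events in a hypothetical schema (not Cloudflare's real log format).
# Deliberately out of order to show that the check sorts by timestamp first.
EVENTS = [
    {"ts": "2021-09-03T09:00:00", "account": "acct-B", "action": "email.verify"},
    {"ts": "2021-08-20T10:00:00", "account": "acct-A", "action": "account.create"},
    {"ts": "2021-08-20T10:05:00", "account": "acct-A", "action": "email.verify"},
    {"ts": "2021-08-20T10:30:00", "account": "acct-A", "action": "token.create", "token": "tok-1"},
    {"ts": "2021-09-01T02:00:00", "account": "acct-B", "action": "account.create"},
    {"ts": "2021-09-01T02:01:00", "account": "acct-B", "action": "token.create", "token": "tok-2"},
    {"ts": "2021-09-01T02:02:00", "account": "acct-B", "action": "token.create", "token": "tok-3"},
    {"ts": "2021-09-03T09:30:00", "account": "acct-B", "action": "token.delete", "token": "tok-3"},
    {"ts": "2021-09-04T11:00:00", "account": "acct-C", "action": "account.create"},
    {"ts": "2021-09-04T11:10:00", "account": "acct-C", "action": "token.create", "token": "tok-4"},
]

def find_preverification_tokens(events):
    """Return tokens created before (or without) verification of the account's email."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    verified_at, revoked = {}, set()
    for e in parsed:
        if e["action"] == "email.verify":
            verified_at.setdefault(e["account"], e["ts"])  # keep the earliest verification
        elif e["action"] == "token.delete":
            revoked.add(e["token"])
    findings = []
    for e in parsed:
        if e["action"] != "token.create":
            continue
        verified = verified_at.get(e["account"])
        # Suspicious: the account was never verified, or the token predates verification.
        if verified is None or e["ts"] < verified:
            findings.append({
                "token": e["token"],
                "account": e["account"],
                "created": e["ts"],
                "verified": verified,
                "still_active": e["token"] not in revoked,
            })
    return findings

if __name__ == "__main__":
    for f in find_preverification_tokens(EVENTS):
        state = "ACTIVE, rotate or delete" if f["still_active"] else "revoked"
        print(f'{f["token"]} on {f["account"]}: created {f["created"]}, '
              f'verified {f["verified"]}, {state}')
```

Tokens that are flagged and still active are the ones to delete or rotate first.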
The hacker stole assets worth more than $130 million, but about $9 million can be returned, since those funds have not yet been removed from the protocol vaults. Thus, the damage exceeded $121 million. The project team reported that it had already closed the exploit that made the attack possible, updated the password of the Cloudflare account, and deleted or updated the API keys.
Since the identity of the hacker is unknown, Badger DAO has engaged the companies Mandiant and Chainalysis to investigate the incident. The developers added that they are cooperating with law enforcement agencies of the United States and Canada.
One of addresses lost ~900 BTC
In a conversation with Bloomberg, a Cloudflare representative stressed that the company’s systems “were not hacked,” and there are no vulnerabilities in the Workers service.
Badger DAO suffered a hack on December 2. PeckShield experts estimated the damage at more than $120 million. They also indicated that one of the addresses lost ~900 BTC (more than $50 million at the current exchange rate).
Recall that earlier, in September, unknown persons gained unauthorized access to Bitcoin.org and placed a fraudulent announcement on its main page about the distribution of cryptocurrencies. The operator of the Cobra website suggested that the problem could be related to Cloudflare services.