(Bloomberg) — Decentralized finance platform BadgerDAO said a flaw in the account creation process of the software company Cloudflare Inc. led to the theft of $130 million in cryptocurrencies earlier this month.
BadgerDAO detailed how the hack took place in a blog post on Thursday, saying a phishing attack that occurred on Dec. 2 was a result of “maliciously injected snippet provided” by Cloudflare Workers, a serverless application platform that runs on its cloud network. The post, which was prepared by BadgerDAO and cybersecurity firm Mandiant Corp., said the Cloudflare flaw had since been remediated.
BadgerDAO hired Mandiant and blockchain forensic analysis firm Chainalysis Inc. to investigate the breach, according to the blog post.
Asked about the claims, Cloudflare said in a statement that its systems “were not compromised” and that “this has not impacted any other customers.”
“Last week, we were made aware that BadgerDAO experienced an incident,” according to Cloudflare. “We have been in touch with the organization and have provided active support to their investigation.” Cloudflare said there is no vulnerability in its Cloudflare Workers product.
BadgerDAO said more than $9 million in stolen funds are recoverable, as they were transferred by the attacker but not yet withdrawn from the company’s vaults, according to the blog post. The hacker’s identity isn’t publicly known.
BadgerDAO didn’t respond to a request for comment. Mandiant and Chainalysis also declined to comment, citing an ongoing investigation. In a tweet, Chainalysis said the hackers converted the stolen cryptocurrencies to Bitcoin.
In its blog postings, BadgerDAO said it is considering how it may repay the stolen funds, and that the breach has been reported to law enforcement in the U.S. and Canada.
The theft is just the latest in a string of hacks on decentralized finance platforms, which have resulted in hundreds of millions of dollars of losses this year. The theft is the fifth-largest decentralized finance hack in terms of losses, according to Rekt News, which maintains a “leaderboard” of compromised organizations.
“By the end of July 2021, major crypto thefts, hacks and frauds totaled $681 million,” according to an August report published by blockchain forensics company CipherTrace Inc. DeFi crimes continue to grow, and in the second quarter of this year, criminals netted “new highs in DeFi-related proceeds,” according to the report.
In its blog post describing the hack, BadgerDAO provided screenshots of its internal logs, revealing how a hacker allegedly leveraged a flaw in Cloudflare’s product to inject malicious code into the BadgerDAO application. The blog is unusually detailed, as most organizations that suffer hacks reveal little information.
“Badger appreciates our community’s patience while we figure out how to balance our commitment to transparency with the fact that this is still an ongoing investigation with rapidly changing information,” the blog post said.
Though BadgerDAO says the attack occurred on Dec. 2, “the actual compromise may actually date back to Nov. 20,” according to an analysis by TRM Labs, which helps financial institutions and governments fight cryptocurrency fraud, money laundering and financial crime. The hacker intercepted several large customer transactions, with one of them netting more than 900 wrapped Bitcoin — an Ethereum token representing Bitcoin — or roughly $50 million, TRM said. In total, the hacker appears to have stolen more than 2,000 Bitcoin equivalent and 151 Ethers, the blockchain forensics firm said.
“As the various forms of wrapped Bitcoin were diverted to the hacker’s address, they were converted in real-time to renBTC, a tokenized version of Bitcoin on the Ethereum blockchain, then swapped to the Bitcoin blockchain,” TRM said in a recent blog.
©2021 Bloomberg L.P.