The Badger DAO attack was conceptually very different from the more traditional attack we have seen in DeFi. Those traditional ones are aimed at exploiting vulnerabilities in the code of smart contracts of the protocols, otherwise called bugs.
We are familiar with flash loan attacks that use uncollateralized loans across a multitude of protocols to manipulate certain markets and pump-and-dump certain assets. We also know about reentrancy attacks that exploit the logic of execution of functions inside a smart contract. However, the Badger DAO exploit was both more and less ingenious at once.
The attacker who stole liquidity from Badger DAO did not meddle with the smart contract but simply decided to look somewhere where almost no one looks – at the project's web interface.
The malefactor managed to substitute the smart contract address in the web interface of Badger DAO. Therefore, when users were giving permissions to transactions containing their rewards for liquidity provision, they were receiving fraudulent permission requests that eventually allowed the hacker to steal their coins from their wallets.
But due to the fact that those requests did not look different apart from addresses of the smart contracts, many of the users authorised them, eventually suffering losses which ultimately amounted to around 2,100 BTC and 151 ETH as reported by PeckShield.
The first and maybe the most foolproof tactic would be to cross-reference the address of the smart contract character by character across different sources: pages on the website, outside sources mentioning the address of the valid smart contract, including social media channels of the project, maybe the project’s documentation.
If you have suspicions about the nature of the transfer request, you had better decline it because you will not risk losing your funds. You can then contact the project’s support and probably save many others from losing their funds.
A more advanced option is to use the whitelist function of cryptocurrency wallets that allows the user to save and name the valid smart contract addresses that he or she regularly uses.
This way, when an unfamiliar smart contract sends a request for transfer permission, the user will be immediately notified that it is not coming from a smart contract that he or she used before. Speaking of Ethereum wallets, the Metamask wallet, which is the most popular desktop Ethereum wallet, has this function.
Otherwise, such instruments as Unrekt and Debank can be useful for this purpose. They can allow the user to revoke transfer permissions from smart contracts across a range of blockchains. Unrekt supports Ethereum, BSC, Huobi ECO Chain, Fantom, and Polygon; Debank supports the same ones plus Avalanche, xDAI, Okexchain, and some others.
And finally, you can also set automatic permissions only for transactions for specified amounts to additionally protect your coins from theft. In this way, you will only risk the amount specified in the transaction, not the entire liquidity of a certain cryptocurrency or token in your wallet.
We have seen how with the growth of liquidity locked in DeFi’s smart contracts; the hackers have been growing more ingenious with their exploits. It will only be reasonable to expect novel hack tactics from hackers in the future because both the projects will be trying to patch up the exploits that will have been used many times already. New complex blockchain technologies will be emerging on the market that more likely than not will present a new array of vulnerabilities. That might be especially the case with cross-chain projects.
That will certainly present new challenges and business opportunities for blockchain and smart contract auditors. And maybe even more conventional cybersecurity firms will try to enter this niche.
From the user’s perspective, it will always be reasonable to be cautious and keep your head cool. If you sense something is wrong, it will be best to listen to your instincts and double-check things. Anyways, the above-listed tactics of protecting your funds are the ones I would recommend taking on board.