The Tally Newsletter, Issue 54
December 2, 2021
Welcome back for issue 54 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen.
This week we cover the recent BadgerDAO token approval and front end exploit, plus quick ecosystem updates!
We also have a small request for our readers - Tally is working to create solutions for DAOs’ greatest challenges. We would greatly appreciate your help filling out this short survey https://bit.ly/3DeFT7Y (the survey closes on December 15) so that we have a better understanding of the DAO problem space.
BadgerDAO Faces Huge Losses From User Interface Exploit
TL;DR: Malicious token approvals added to the BadgerDAO user interface have caused roughly $100 million in losses.
While most DeFi exploits have centered on faulty smart contracts or oracle issues, yesterday’s BadgerDAO hack represented an uncommon and potentially more troublesome form of attack.
While details are still emerging, it appears that the BadgerDAO front end was taken over by a malicious actor within the past few days or weeks. The attacker was able to add malicious token approval transactions to users’ web interactions, allowing the attacker’s contract to remove tokens or deposits directly from victims’ wallets. Yesterday, the scheme was revealed when the attacker began to execute fraudulent transfers.
Max Block (🏰,🏰) @fewture: Go to https://t.co/nXcY9JZBLA or your favorite approvals site and see if you gave approval to 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107. If so, revoke immediately. It exploits $BADGER.
While initial reports put losses around $10 million, which is well within the BadgerDAO treasury’s capacity, it now appears that roughly $100 million was taken (including $50 million from a single user).
Front end approval attacks can be particularly troublesome, as unaware users can have assets stolen from their wallet weeks or months later if they unknowingly transfer in more funds. To avoid further losses, any users who have interacted with BadgerDAO’s website should use a token approval checker to remove any potential approvals to the malicious contract (0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107).
Spreek @spreekaway: Seems $10m was unfortunately too low an estimate, closer to $100m. One person alone lost 896 BTC...
This mirrors a similar exploit on token approvals to Zapper’s front end, which has continued to cause sporadic user losses even months later. It also bears similarity to the attack on Sushiswap’s Miso auction platform, where the auction recipient address was swapped for an attacker address via a user interface attack.
₿adgerDAO 🦡 @BadgerDAO: Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.
Because this attack didn’t compromise Badger smart contracts, most DeFi insurance products would not cover the resulting losses. From a user’s perspective, the only way to protect against these attacks is to verify contract addresses and approvals in the MetaMask or hardware wallet prompts before signing. Until this verification process becomes more intuitive and widespread, we’ll likely continue to see these types of UI issues.
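As an added example (not code from the newsletter, from BadgerDAO, or from any approval checker site), the JavaScript below shows what such a checker does under the hood: it replays ERC-20 Approval event logs, reports any live allowance granted to the spender address quoted above, and encodes the approve(spender, 0) call that revokes it. The token and owner addresses in the sample logs are constructed; only the spender address comes from this issue.

```javascript
// Added example, not code from the newsletter or from BadgerDAO: scan ERC-20 Approval
// logs for allowances granted to one spender and build the approve(spender, 0) calldata.
const APPROVAL_TOPIC = // keccak256("Approval(address,address,uint256)")
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" approval most front ends request
const MALICIOUS_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"; // address from the newsletter
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Replay Approval logs in order; the last one per (token, owner) is the live allowance.
function findApprovals(logs, spender) {
  const latest = new Map();
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;                       // not an Approval event
    if (topicToAddress(log.topics[2]) !== spender.toLowerCase()) continue; // different spender
    const key = `${log.address.toLowerCase()}:${topicToAddress(log.topics[1])}`;
    latest.set(key, BigInt(log.data));                                    // data = new allowance
  }
  const open = [];
  for (const [key, allowance] of latest) {
    if (allowance === 0n) continue;                                       // already revoked
    const [token, owner] = key.split(":");
    open.push({ token, owner, allowance, unlimited: allowance === MAX_UINT256 });
  }
  return open;
}

// ABI-encoded calldata for approve(spender, 0); sending it to the token contract revokes.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + pad32(spender) + pad32("0");
}

// Constructed sample logs (not real chain data). Owner A grants an unlimited approval,
// owner B grants 5 wei and later revokes it, owner C approves an unrelated spender.
const TOKEN = "0x" + "70".repeat(20), BENIGN = "0x" + "c".repeat(40);
const OWNER_A = "0x" + "a".repeat(40), OWNER_B = "0x" + "b".repeat(40), OWNER_C = "0x" + "d".repeat(40);
const approvalLog = (owner, spender, amount) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
  data: "0x" + pad32(amount.toString(16)),
});
const SAMPLE_LOGS = [
  approvalLog(OWNER_A, MALICIOUS_SPENDER, MAX_UINT256),
  approvalLog(OWNER_B, MALICIOUS_SPENDER, 5n),
  approvalLog(OWNER_C, BENIGN, 5n),
  approvalLog(OWNER_B, MALICIOUS_SPENDER, 0n),
];
```

Against a live chain the same logic runs over `eth_getLogs` results filtered on the Approval topic and the spender, with the wallet's own address in `topics[1]`.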
Uniswap voting on consensus check poll to offer liquidity incentives on Arbitrum and Optimism L2 platforms:
GFX Labs faces reservations over request for $3 million arranger fee for Fei / Rari merger:
Rari developer t11 releases tool for automatic “no” voting in Compound and OpenZeppelin based DAOs:
brock🌱 @brockjelmore: @transmissions11 I want to get no.eth, get a bunch of people to delegate to me for every protocol and just vote no regardless of the proposal
OlympusDAO transitions to on-chain governance mechanism gOHM:
OHM fork Lobis receives whitelisting approval to stake FXS within Frax protocol governance, potentially mirroring Convex Finance’s influence within Curve:
BasketDAO arranges to close protocol and transition assets to a competitor:
ENS DAO votes in support of supplemental airdrop for users mistakenly left out of token distribution:
Danielle of Wonderland project sells $100 million in AVAX to convert treasury to stablecoins:
Anything we missed? New developments or protocols you’d like to see covered? Drop us a line at email@example.com