The Tally Newsletter, Issue 54

newsletter.tally.xyz

December 2, 2021

monetsupply

Welcome back for issue 54 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen. 

This week we cover the recent BadgerDAO token approval and front end exploit, plus quick ecosystem updates!

We also have a small request for our readers - Tally is working to create solutions for DAOs’ greatest challenges. We would greatly appreciate your help filling out this short survey https://bit.ly/3DeFT7Y (the survey closes on December 15) so that we have a better understanding of the DAO problem space. 


BadgerDAO Faces Huge Losses From User Interface Exploit

TL;DR: Malicious token approvals added to the BadgerDAO user interface have caused roughly $100 million in losses.

While most defi exploits have centered on faulty smart contracts or oracle issues, yesterday’s BadgerDAO hack represented an uncommon and potentially more troublesome form of attack.

₿adgerDAO 🦡 @BadgerDAO
Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.
4:32 AM ∙ Dec 2, 2021

While details are still emerging, it appears that the BadgerDAO front end was taken over by a malicious actor within the past few days or weeks. The attacker was able to add malicious token approval transactions to users’ web interactions, allowing the attacker’s contract to remove tokens or deposits directly from victims’ wallets. Yesterday, the scheme was revealed when the attacker began to execute fraudulent transfers.

Spreek @spreekaway
FYI, nasty frontend attack on Badger, looks like ~10m taken out of people's wallets using rug approval. If you've interacted with anything badger related in last few weeks, check and revoke asap
Max Block (🏰,🏰) @fewture
Go to https://t.co/nXcY9JZBLA or your favorite approvals site and see if you gave approval to 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 If so, revoke immediately. It exploit $BADGER
3:58 AM ∙ Dec 2, 2021

While initial reports put losses around $10 million, which is well within the BadgerDAO treasury’s capacity, it now appears that roughly $100 million was taken (including $50 million from a single user). 

PeckShield Inc. @peckshield
One most affected user (w/ the loss of ~900 BTC): 0x53461e4fddcc1385f1256ae24ce3505be664f249. And here is the transfer-out tx: 😭etherscan.io/tx/0x951babddd…
6:32 AM ∙ Dec 2, 2021

Front end approval attacks can be particularly troublesome: because a token approval stays in force until it is revoked, unaware users can have assets stolen from their wallet weeks or months later if they unknowingly transfer in more funds. To avoid further losses, any users who have interacted with BadgerDAO’s website should use a token approval checker to remove any potential approvals to the malicious contract (0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107).

state @statelayer
This @BadgerDAO frontend hijack so brutal. The painful part with approvals hack is that losses can continue for a long time when people move funds back to one of their wallets that has the malicious contract approved. :/
Spreek @spreekaway
seems $10m was unfortunately too low an estimate, closer to $100m. one person alone lost 896 BTC...
7:04 AM ∙ Dec 2, 2021

This mirrors a similar exploit on token approvals to Zapper’s front end, which has continued to cause sporadic user losses even months later. It also bears similarity to the attack on Sushiswap’s Miso auction platform, where the auction recipient address was swapped for an attacker address via a user interface attack.

Nexus Mutual 🐢 @NexusMutual
🚨 BadgerDAO Loss Event 🚨 We’re waiting for full details from the BadgerDAO team, but this appears to be a frontend attack. If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted & this would not be a covered event. ⬇️
₿adgerDAO 🦡 @BadgerDAO
Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.
1:16 PM ∙ Dec 2, 2021

Because this attack didn’t compromise Badger smart contracts, most defi insurance products would not cover the resulting losses. From a user’s perspective, the only way to protect against these attacks is to verify contract addresses and approvals in the MetaMask or hardware wallet prompt before signing. Until this verification process becomes more intuitive and widespread, we’ll likely continue to see these types of UI issues.
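The "check and revoke" advice above, and the reason approvals keep draining wallets later, come down to the ERC-20 Approval event and the approve() call. The following is an added example, not code from the newsletter or from BadgerDAO: it decodes Approval logs as an Ethereum node returns them, lists allowances still open to the flagged spender (the address quoted above), and builds the approve(spender, 0) calldata that revokes one. The sample logs and all other addresses are constructed placeholders.

```python
# Added example, not code from the newsletter or BadgerDAO: decode ERC-20 Approval
# events, list allowances still open to the flagged spender, and build the revoke calldata.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)
FLAGGED_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"  # contract named in the newsletter

def _pad32(addr):  # left-pad a 20-byte address to a 32-byte ABI word / indexed topic
    return "0x" + addr[2:].lower().rjust(64, "0")

def make_log(token, owner, spender, value):  # constructed log in the shape a node returns
    return {"address": token, "topics": [APPROVAL_TOPIC, _pad32(owner), _pad32(spender)],
            "data": "0x" + format(value, "064x")}

def decode_approval(log):
    """Return {token, owner, spender, value} for an Approval log, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # wrong event signature or indexed-argument count
    return {"token": log["address"].lower(),
            "owner": "0x" + topics[1][-40:].lower(),  # address = low 20 bytes of the word
            "spender": "0x" + topics[2][-40:].lower(),
            "value": int(log["data"], 16)}

def find_open_approvals(logs, spender=FLAGGED_SPENDER):
    """Latest non-zero allowance per (owner, token) granted to `spender`.
    Logs must be in chain order: a later approve(spender, 0) clears the entry."""
    open_allowances = {}
    for log in logs:
        ev = decode_approval(log)
        if ev is None or ev["spender"] != spender.lower():
            continue
        key = (ev["owner"], ev["token"])
        if ev["value"] == 0:
            open_allowances.pop(key, None)  # owner already revoked it
        else:
            open_allowances[key] = ev
    return list(open_allowances.values())

def revoke_calldata(spender):  # ABI-encode approve(spender, 0): selector + address word + zero word
    return "0x" + APPROVE_SELECTOR + _pad32(spender)[2:] + "0" * 64

# Constructed sample with placeholder addresses: one open "unlimited" (2**256-1) approval
# to the flagged spender, one unrelated approval, and one the owner has since revoked.
TOKEN, VICTIM, OTHER_USER, BENIGN = ("0x" + c * 20 for c in ("11", "aa", "cc", "bb"))
SAMPLE_LOGS = [make_log(TOKEN, VICTIM, FLAGGED_SPENDER, 2**256 - 1),
               make_log(TOKEN, VICTIM, BENIGN, 10**18),
               make_log(TOKEN, OTHER_USER, FLAGGED_SPENDER, 5 * 10**8),
               make_log(TOKEN, OTHER_USER, FLAGGED_SPENDER, 0)]
for ev in find_open_approvals(SAMPLE_LOGS):  # prints the one allowance still open
    print(ev["owner"], "->", ev["spender"], "revoke:", revoke_calldata(ev["spender"]))
```

Against a real wallet you would feed it the Approval logs filtered by your address in the owner topic, and the printed calldata is what an approval-checker site sends to the token contract when you click "revoke".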


In Brief: 

  • Uniswap voting on consensus check poll to offer liquidity incentives on Arbitrum and Optimism L2 platforms:

zkLito @litocoen
I have re-submitted the proposal for @Uniswap to incentivize liquidity on L2, this time for Stage II of the governance process. As such, the proposal is much more concrete laying out all the details of the liquidity mining such as length, no. of assets and how to reward 👇
3:49 PM ∙ Nov 30, 2021
  • GFX Labs faces reservations over request for $3 million arranger fee for Fei / Rari merger:

GFX Labs @labsGFX
Here are our answers to several questions we have seen over the last 24 hours. Please continue to post comments/questions/concerns, and we’ll do our best to answer them. tribe.fei.money/t/fei-rari-tok…
forums.rari.capital: FeiRari Token Merge - Rari Governance Forums (the home for all discussions about governing Rari Capital)
3:29 AM ∙ Dec 1, 2021
  • Rari developer t11 releases tool for automatic “no” voting in Compound and OpenZeppelin based DAOs:

t11s @transmissions11
ok so i built & deployed a contract to do this lol delegate your governance tokens to ✨ voteNo.eth ✨ and they'll only be able to vote NO on gov proposals works with most governance contracts including Uniswap, Compound, and ENS ✌️ etherscan.io/address/voteNo…
brock🌱 @brockjelmore
@transmissions11 i want to get no.eth, get a bunch of people to delegate to me for every protocol and just vote no regardless of the proposal
4:57 AM ∙ Dec 1, 2021
  • OlympusDAO transitions to on-chain governance mechanism gOHM:

OlympusDAO 🕊 @OlympusDAO
gOHM is live and Proteus is upon us! In preparation for our launch tomorrow on @avalancheavax w/ @traderjoe_xyz We present to you an Olympus thread on what gOHM is, why it’s important for the Olympus ecosystem and how to acquire it. 🧵👇
8:02 PM ∙ Nov 29, 2021
  • OHM fork Lobis receives whitelisting approval to stake FXS within Frax protocol governance, potentially mirroring Convex Finance’s influence within Curve:

LobisHQ @LobisHQ
Lobis is officially the first whitelisted protocol on @fraxfinance 🤝 Together we have also: - established a runway of 300+ days - increased treasury by 300% - sponsored multiple dao initiatives - created a community of 5000 all in the first week. snapshot.org/#/frax.eth/pro…
2:10 PM ∙ Nov 30, 2021
  • BasketDAO arranges to close protocol and transition assets to a competitor:

BasketDAO @BasketDAOOrg
1/ A bit of an update. We are currently in talks with another large index protocol about a migration of BDI and BMI tvl, and corresponding compensation for BASK holders.
1:54 PM ∙ Nov 29, 2021
  • ENS DAO votes in support of supplemental airdrop for users mistakenly left out of token distribution:

nick.eth @nicksdjohnson
Delegates! A new vote is now live on Snapshot for the @ensdomains DAO; this one is a proposal to send an additional ~213k $ENS from the DAO treasury to users who missed out on the 2x multiplier in the airdrop due to an edge case. Go vote!
discuss.ens.domains: [EP2] [Executable] Retrospective airdrop for accounts that owned another account’s primary ENS name. Summary: Send 213,049 ENS tokens to a new airdrop contract for users who did not receive the 2x multiplier despite owning a name that was used as a primary ENS name. Abstract: One of the criteria used for the ENS airdrop was whether the account had a primary ENS name set. T…
2:45 AM ∙ Dec 1, 2021
  • Daniele of the Wonderland project sells $100 million in AVAX to convert the treasury to stablecoins:

Daniele 🧊🧙‍♂️ (🎩, 🎩) @danielesesta
We sold 893k $AVAX via Alameda OTC desk for $100155973 $USDT. 50594 $AVAX on @traderjoe_xyz for 5494523 $USDC 50000 avax on joe for 1181 $ETH . Swapping all stables to $MIM .
4:05 PM ∙ Dec 2, 2021

Thanks for joining us for Tally Newsletter issue 54. Be sure to check out the Tally governance app and join us on Discord for the latest updates!

Anything we missed? New developments or protocols you’d like to see covered? Drop us a line at newsletter@withtally.com 

Best,

Nate, Tally
