The Tally Newsletter, Issue 54
December 2, 2021
Welcome back for issue 54 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen.
This week we cover the recent BadgerDAO token approval and front end exploit, plus quick ecosystem updates!
We also have a small request for our readers - Tally is working to create solutions for DAOs’ greatest challenges. We would greatly appreciate your help filling out this short survey https://bit.ly/3DeFT7Y (the survey closes on December 15) so that we have a better understanding of the DAO problem space.
BadgerDAO Faces Huge Losses From User Interface Exploit
TL;DR: Malicious token approvals added to the BadgerDAO user interface have caused roughly $100 million in losses.
While most DeFi exploits have centered on faulty smart contracts or oracle issues, yesterday’s BadgerDAO hack represented an uncommon and potentially more troublesome form of attack.
While details are still emerging, it appears that the BadgerDAO front end was taken over by a malicious actor within the past few days or weeks. The attacker was able to add malicious token approval transactions to users’ web interactions, allowing the attacker’s contract to remove tokens or deposits directly from victims’ wallets. Yesterday, the scheme was revealed when the attacker began to execute fraudulent transfers.
While initial reports put losses around $10 million, which is well within the BadgerDAO treasury’s capacity, it now appears that roughly $100 million was taken (including $50 million from a single user).
Front end approval attacks can be particularly troublesome, as unaware users can have assets stolen from their wallet weeks or months later if they unknowingly transfer in more funds. To avoid further losses, any users who have interacted with BadgerDAO’s website should use a token approval checker to revoke any approvals granted to the malicious contract (0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107).
This mirrors a similar exploit on token approvals to Zapper’s front end, which has continued to cause sporadic user losses even months later. It also bears similarity to the attack on Sushiswap’s Miso auction platform, where the auction recipient address was swapped for an attacker address via a user interface attack.
Because this attack didn’t compromise Badger smart contracts, most DeFi insurance products would not cover the resulting losses. From a user’s perspective, the only way to protect against these attacks is verifying contract addresses and approvals via MetaMask or hardware wallet prompts. Until this verification process becomes more intuitive and widespread, we’ll likely continue to see these types of UI issues.
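The two checks described above (reading what an approval transaction actually asks for before signing it, and finding and revoking allowances already granted to a suspect spender) can be done offline against raw ABI data. The script below is an added illustration, not code from the newsletter, Tally or BadgerDAO. It assumes the standard ERC-20 ABI, hard-codes the well-known `approve` and `allowance` selectors instead of computing keccak256, takes the spender address quoted above as the suspect, and uses constructed placeholder addresses and eth_call return data for everything else.

```python
"""Offline ERC-20 approval checks: decode an approve() request before signing,
and plan revocations for allowances already granted to a suspect spender.
Added example; assumes the standard ERC-20 ABI only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# First 4 bytes of keccak256(signature); standard ERC-20 selectors.
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address,address)

UINT256_MAX = (1 << 256) - 1
# Malicious spender address as reported in the newsletter.
SUSPECT_SPENDER = "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107"


def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte address into a 32-byte ABI word."""
    body = _strip0x(addr).lower()
    if len(body) != 40:
        raise ValueError(f"bad address: {addr}")
    return body.rjust(64, "0")


def _uint_word(value: int) -> str:
    return f"{value:064x}"


@dataclass
class ApproveCall:
    spender: str
    amount: int

    @property
    def unlimited(self) -> bool:
        return self.amount == UINT256_MAX


def decode_approve(calldata: str) -> Optional[ApproveCall]:
    """Parse approve(spender, amount) calldata; None if it is some other call."""
    data = _strip0x(calldata).lower()
    if len(data) != 8 + 2 * 64 or data[:8] != SEL_APPROVE:
        return None
    spender = "0x" + data[8 + 24: 8 + 64]      # last 20 bytes of the first word
    amount = int(data[8 + 64: 8 + 128], 16)   # second word
    return ApproveCall(spender, amount)


def assess_approval(calldata: str, trusted_spenders: Set[str]) -> List[str]:
    """Warnings a wallet prompt should surface before the user signs.
    An empty list means the approval targets a known contract for a bounded amount."""
    call = decode_approve(calldata)
    if call is None:
        return []  # not an approval; nothing to check here
    trusted = {_strip0x(s).lower() for s in trusted_spenders}
    warnings = []
    if _strip0x(call.spender) not in trusted:
        warnings.append(f"spender {call.spender} is not a known protocol contract")
    if call.unlimited:
        warnings.append("unlimited allowance requested (uint256 max)")
    return warnings


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for an eth_call of allowance(owner, spender) on a token contract."""
    return "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)


def decode_uint_result(return_data: str) -> int:
    """Decode a single uint256 return word from eth_call."""
    return int(_strip0x(return_data) or "0", 16)


def encode_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0), which removes the allowance."""
    return "0x" + SEL_APPROVE + _addr_word(spender) + _uint_word(0)


def plan_revocations(allowance_results: Dict[str, str], spender: str) -> Dict[str, str]:
    """Map token -> revoke calldata for every token whose allowance is non-zero.
    allowance_results maps token address -> raw eth_call return data."""
    return {
        token: encode_revoke(spender)
        for token, raw in allowance_results.items()
        if decode_uint_result(raw) > 0
    }


# --- constructed sample data (placeholders, not real deployments) -----------
SAMPLE_MALICIOUS_APPROVE = (
    "0x" + SEL_APPROVE + _addr_word(SUSPECT_SPENDER) + _uint_word(UINT256_MAX)
)
TRUSTED_VAULT = "0x" + "11" * 20
SAMPLE_ALLOWANCES = {
    "0x" + "aa" * 20: _uint_word(5 * 10**18),  # non-zero -> needs revoking
    "0x" + "bb" * 20: _uint_word(0),           # already zero -> nothing to do
}

if __name__ == "__main__":
    for w in assess_approval(SAMPLE_MALICIOUS_APPROVE, {TRUSTED_VAULT}):
        print("WARNING:", w)
    for token, calldata in plan_revocations(SAMPLE_ALLOWANCES, SUSPECT_SPENDER).items():
        print(f"revoke on {token}: {calldata}")
```

In practice the `allowance` calldata would be sent through `eth_call` against each token contract the wallet has touched, and the revoke calldata would be signed as a normal transaction to that token; the script keeps both halves offline so the decoding logic itself can be checked.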
Uniswap voting on consensus check poll to offer liquidity incentives on Arbitrum and Optimism L2 platforms:
GFX Labs faces reservations over request for $3 million arranger fee for Fei / Rari merger:
Rari developer t11 releases tool for automatic “no” voting in Compound and OpenZeppelin based DAOs:
OlympusDAO transitions to on-chain governance mechanism gOHM:
OHM fork Lobis receives whitelisting approval to stake FXS within Frax protocol governance, potentially mirroring Convex Finance’s influence within Curve:
BasketDAO arranges to close protocol and transition assets to a competitor:
ENS DAO votes in support of supplemental airdrop for users mistakenly left out of token distribution:
Danielle of Wonderland project sells $100 million in AVAX to convert treasury to stablecoins:
Anything we missed? New developments or protocols you’d like to see covered? Drop us a line at firstname.lastname@example.org