Dose of DeFi

Badger's front-end exploit, average DEX trade size increases

Plus Odds & Ends and Thoughts & Prognostications

Chris Powers
Dec 3, 2021

Tweet of the Week: New attack vector

Nexus Mutual 🐢 (@NexusMutual):
🚨 BadgerDAO Loss Event 🚨 We’re waiting for full details from the BadgerDAO team, but this appears to be a frontend attack. If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted & this would not be a covered event. ⬇️

₿adgerDAO 🦡 @BadgerDAO

Badger has received reports of unauthorized withdrawals of user funds. As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals. Our investigation is ongoing and we will release further information as soon as possible.

December 2nd 2021


Another big DeFi hack, this one draining the Bitcoin vaults of DeFi aggregator BadgerDAO to the tune of $120m. The tweet above from on-chain insurance provider Nexus Mutual highlights the unusual nature of the attack: there appears to be no exploit at the smart contract layer. Instead, the attackers inserted malicious code into the front-end of the Badger app. Through this compromised front-end, Badger users unknowingly approved token allowances that let the attacker drain their funds.

As Martin Köppelmann points out, the issue is “Yolo signing”. Even with a hardware wallet, it’s hard to parse the specific tx details being approved. In this case, Badger users probably thought they were interacting with approved Badger smart contracts, not realizing that they were signing transactions that gave the attacker access to their tokens. Badger announced that it ‘paused’ the contracts to prevent any further withdrawals. Handy feature…

This is a tough problem without easy solutions: how do you provide verifiable, human-readable transaction info before signing? Likely good news for Grid+’s Lattice hardware wallet, which is probably the furthest along in this regard. CryptoCat has a rundown of good MetaMask hygiene in light of the Badger exploit.
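The mechanism described above is an ERC-20 `approve(spender, amount)` call: the front-end asked users to sign an allowance for an address the real dapp would never use, often for an unlimited amount. The following is an added example, not code from Dose of DeFi, BadgerDAO or any wallet vendor, showing the minimal pre-signing check a wallet or browser extension could perform: decode the calldata, render the spender and amount in human-readable form, and flag an allowance that goes to an unexpected spender or is unlimited. The function selector `0x095ea7b3` is the real selector for `approve(address,uint256)`; the expected-spender list and the addresses used are constructed placeholders.

```javascript
// Added example (not from the newsletter or BadgerDAO): inspect an ERC-20
// approve() call before signing and flag the allowance pattern used in
// front-end attacks. Selector 0x095ea7b3 = keccak256("approve(address,uint256)")[0:4].
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed allowlist of spenders the user expects this dapp to use.
// Placeholder address, not a real Badger contract.
const EXPECTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Decode approve(address,uint256) calldata into { spender, amount }.
// Returns null for anything that is not a well-formed approve() call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) return null;        // selector + two 32-byte ABI words
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address is right-aligned in its 32-byte word; the top 12 bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// Produce the human-readable verdict a wallet could show before the user signs.
function reviewApprove(calldata, expected = EXPECTED_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { verdict: "not-an-approve", reasons: [] };
  const reasons = [];
  if (!expected.has(decoded.spender)) reasons.push("spender not in expected list");
  if (decoded.amount === MAX_UINT256) reasons.push("unlimited allowance");
  return {
    verdict: reasons.length ? "suspicious" : "ok",
    spender: decoded.spender,
    amount: decoded.amount,
    reasons,
  };
}

// Helper to build approve() calldata for the demonstration below.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Usage: a legitimate, bounded approval versus the pattern a malicious
// front-end would request (unknown spender, unlimited amount).
const legit = encodeApprove("0x1111111111111111111111111111111111111111", 1000n);
const rogue = encodeApprove("0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", MAX_UINT256);
console.log(reviewApprove(legit).verdict, reviewApprove(rogue));
```

The check is deliberately narrow: it only understands plain `approve()`, and a real wallet would also need to cover `setApprovalForAll`, permit-style signatures and proxy contracts. The point is that the spender address and the amount are recoverable from the raw calldata, so "verifiable, human-readable transaction info" is achievable for the most common allowance call even when the page that built the transaction is hostile.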

Tweet of the Week: Whale life on Ethereum

Source: Kaiko via CoinDesk

Stubbornly high gas prices on mainnet have led some to ‘abandon Ethereum’, but DEXs on Ethereum still saw $100bn in volume in November - the highest monthly total since April. Rather, as the chart from Kaiko suggests, smaller traders are fleeing Ethereum while whales remain active. The CoinDesk article featuring this chart also shows how the average trade size for DEX transactions on Ethereum has skyrocketed. Curve’s average transaction is over $500k.

The other interesting thing regarding DEX volume is how difficult it is to compare volumes as DEXs move across chains. Most data dashboards only include Ethereum, while PancakeSwap, dYdX and others have billions of dollars of volume that can be difficult to track. Token Terminal’s `Exchange Trading vol.` is the best that I’ve found.

Odds and Ends

  • DXdao* introduces Carrot, a platform for programmable incentives

  • Fei and Rari discuss token merger and protocol integration

  • Bancor launches v3

  • EIP-4488 would reduce the cost overhead for rollups

  • Instadapp introduces cross-chain refinancing

  • Gnosis set to acquire xDai chain, rebrand as ‘Gnosis Chain’

  • Tornado Cash reveals plans to deploy to Arbitrum

Thoughts and Prognostications

  • Messari’s 2022 Crypto Theses [Messari]

  • How The Merge impacts Ethereum’s application layer [Tim Beiko/Ethereum Foundation]

  • Do Ethereum gas fees vary by time and day of week? [Kyle Waters & Nate Maddrey/Coin Metrics]

  • Could the shift to PoS eliminate MEV? [Haseeb Qureshi/Dragonfly]

  • A Normie’s Guide to Becoming a Crypto Person [Sara Harrison/New York]

  • The biggest product design challenges in crypto [Dana Wright/UX Collective]

  • Unifying cross-chain liquidity with Connext [Nichanan Kesonpat/1kx]


That’s it! Feedback appreciated. Just hit reply. Written in Brooklyn after a fun and eventful, albeit cold, Thanksgiving.

Dose of DeFi is written by Chris Powers, with help from Denis Suslov and Financial Content Lab. I spend most of my time contributing to DXdao* and benefit financially from it and its products’ success. All content is for informational purposes and is not intended as investment advice.

© 2022 Chris Powers