Badger's front-end exploit, average DEX trade size increases
Plus Odds & Ends and Thoughts & Prognostications
Tweet of the Week: New attack vector
Another big DeFi hack, this one draining the vaults of Bitcoin on DeFi aggregator BadgerDAO to the tune of $120m. The tweet above from on-chain insurance provider Nexus Mutual highlights the unique nature of the attack. There appears to be no exploit at the smart contract layer. Instead, hackers inserted malicious code into the front-end of the Badger app. With this compromised front-end, Badger users unknowingly approved token allowances that enabled the hacker to drain their funds.
As Martin Köppelmann points out, the issue is “Yolo signing”. Even with a hardware wallet, it’s hard to parse the specific transaction details being approved. In this case, Badger users probably thought they were interacting with approved Badger smart contracts, not realizing that they were signing transactions that gave hackers access to their tokens. Badger announced that it ‘paused’ the contracts to prevent any withdrawals. Handy feature…
This is a tough problem without easy solutions: how do you provide verifiable, human-readable transaction information before signing? Likely good news for Grid+’s Lattice hardware wallet, which is probably the furthest along in this regard. CryptoCat has a rundown of good MetaMask hygiene in light of the Badger exploit.
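A signing-time allowance check of the kind the paragraph above calls for, as an added example that is not part of this newsletter, of Badger's code or of any wallet: it decodes the ERC-20 approve/increaseAllowance calldata a wallet is asked to sign and flags an unknown spender or an unlimited allowance. The selectors are the standard ERC-20/OpenZeppelin ones; the trusted-spender address and the calldata are constructed placeholders.

```python
from typing import Optional

# Added example, not Badger's or MetaMask's code. The selectors are the first
# four bytes of keccak256 of the standard ERC-20 / OpenZeppelin signatures.
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UINT256_MAX = 2**256 - 1
HEX_DIGITS = set("0123456789abcdef")


def decode_allowance_call(calldata: str) -> Optional[dict]:
    """Decode approve/increaseAllowance calldata into {fn, spender, amount}."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    # 4-byte selector + two ABI words of 32 bytes each, hex-encoded
    if len(data) != 8 + 64 + 64 or not set(data) <= HEX_DIGITS:
        return None
    fn = ALLOWANCE_SELECTORS.get(data[:8])
    if fn is None:
        return None
    word0, word1 = data[8:72], data[72:]
    # An address is ABI-encoded as a 32-byte word left-padded with 12 zero bytes.
    if word0[:24] != "0" * 24:
        return None
    return {"fn": fn, "spender": "0x" + word0[24:], "amount": int(word1, 16)}


def assess_approval(calldata: str, trusted_spenders: set) -> dict:
    """Surface what a user should see before signing: who gets access, how much."""
    decoded = decode_allowance_call(calldata)
    if decoded is None:
        return {"verdict": "not-an-allowance-call", "flags": []}
    trusted = {s.lower() for s in trusted_spenders}
    flags = []
    if decoded["spender"] not in trusted:
        flags.append("spender is not a known protocol contract")
    if decoded["amount"] == UINT256_MAX:
        flags.append("unlimited allowance")
    return {**decoded, "flags": flags, "verdict": "BLOCK" if flags else "ok"}


# Constructed sample values (placeholders, not real addresses or transactions).
TRUSTED = {"0x" + "aa" * 20}  # the protocol's own vault contract
# approve(<unknown spender 0x11..11>, uint256 max): the pattern of a drained wallet
MALICIOUS_CALLDATA = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
# approve(<trusted vault>, 1000): a normal deposit approval
BENIGN_CALLDATA = "0x095ea7b3" + "00" * 12 + "aa" * 20 + format(1000, "064x")
```

Calling `assess_approval(MALICIOUS_CALLDATA, TRUSTED)` returns a BLOCK verdict with both flags set, while the benign approval to the trusted vault passes with no flags.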
Tweet of the Week: Whale life on Ethereum
Stubbornly high gas prices on mainnet have led some to ‘abandon Ethereum’, but DEXs on Ethereum still saw $100bn in volume in November, the highest monthly total since April. As the chart from Kaiko suggests, smaller traders are fleeing Ethereum while whales remain active. The CoinDesk article featuring this chart also shows how the average trade size for DEX transactions on Ethereum has skyrocketed: Curve’s average transaction is over $500k.
The other interesting thing about DEX volume is how difficult it is to compare volumes as DEXs move across chains. Most data dashboards only include Ethereum, so the billions of dollars of volume on PancakeSwap, dYdX and others can be difficult to track. Token Terminal’s `Exchange Trading vol.` is the best that I’ve found.
Odds and Ends
DXdao* introduces Carrot, a platform for programmable incentives Link
Fei and Rari discuss token merger and protocol integration Link
Bancor launches v3 Link
EIP-4488 would reduce the cost overhead for rollups Link
Instadapp introduces cross-chain refinancing Link
Gnosis set to acquire xDai chain, rebrand as ‘Gnosis Chain’ Link
Tornado Cash reveals plans to deploy to Arbitrum Link
Thoughts and Prognostications
Messari’s 2022 Crypto Theses [Messari]
How The Merge impacts Ethereum’s application layer [Tim Beiko/Ethereum Foundation]
Do Ethereum gas fees vary by time and day of week? [Kyle Waters & Nate Maddrey/Coin Metrics]
Could the shift to PoS eliminate MEV? [Haseeb Qureshi/Dragonfly]
A Normie’s Guide to Becoming a Crypto Person [Sara Harrison/New York]
The biggest product design challenges in crypto [Dana Wright/UX Collective]
Unifying cross-chain liquidity with Connext [Nichanan Kesonpat/1kx]
That’s it! Feedback appreciated. Just hit reply. Written in Brooklyn after a fun and eventful, albeit cold, Thanksgiving.
Dose of DeFi is written by Chris Powers, with help from Denis Suslov and Financial Content Lab. I spend most of my time contributing to DXdao* and benefit financially from it and its products’ success. All content is for informational purposes and is not intended as investment advice.