BadgerDAO exploit: illustrating Celsius’ poor controls

On 1 December 2021, BadgerDAO was attacked by an anonymous actor resulting in the loss of over $120 million in synthetic Bitcoin tokens on the Ethereum blockchain.  With a bull market in full swing and a propensity for the community to brush off losses as part of DeFi growing pains, the affair attracted only limited press attention.  

Yet, with hindsight, the event arguably caused ripples that are still being felt today.  Losses incurred were covered through additional capital costs - squeezing the reserves, margins, and safety nets of participants.  We take a brief look at the BadgerDAO hack and how it could be connected to recent market events.

The Hack

BadgerDAO is a decentralised autonomous organisation (DAO) that enables Bitcoin to be used as collateral in the DeFi space.  The hacker reportedly compromised Cloudflare, an application platform that runs on Badger’s cloud network.  Specifically, a malicious script was activated which ran a phishing pop-up to ask for unlimited spend approvals from users.  

In late November 2021, over 500 wallets approved the phishing approval, which was run at random intervals to avoid detection.

In total, the hacker moved assets worth over $120 million from over 500 wallets into the attacker’s Ethereum address.  According to press reports, losses exceeded the DAO’s then treasury reserves of roughly $53 million.  BadgerDAO’s team responded by freezing all of the protocol’s smart contract calls and engaging analytics providers to help track and recover the stolen funds.

None of the stolen user funds have been recovered even though they have been identified.  Nor has any address been sanctioned in relation to the hack (they are tagged in Hoptrail’s databases).  BadgerDAO is currently exploring a user fund reimbursement plan, which will be voted on via the native governance token BADGER.  More to come on this.

The Big Fish

Yet there was something more interesting about this exploit.  The hacker was waiting for a wealthy account to fall for the phishing pop-up.  And it wasn’t just any account.  It was Celsius, the big fish of the DeFi lending space, and which had recently raised $750 million.  

Eventually the move paid off; Celsius approved the unlimited spend request on BadgerDAO’s front-end and $51 million of crypto belonging to Celsius disappeared.

Given Celsius’ recent fund raise, the losses were not insurmountable.  Celsius claimed at the time that no members funds were lost.  Yet, Celsius was already facing questions about what it was doing with customer funds, with reports suggesting the protocol was taking “more risks” than the market realised.  

This reportedly included uncollateralised loans and investing deposits in perpetual swaps which had no expiry date.  These instruments allegedly increased Celsius’ vulnerability to market-wide sell-offs, the likes of which we’ve seen recently.  Moreover, Celsius’ tardiness in converting its $50 million ICO funds to fiat led to a halving of those proceeds as the market declined in 2019.  

A series of poor decisions

So while those errors in isolation could be seen as simple market missteps, together they illustrate poor internal controls.  $75 million in potentially lost funds in two years may have increased Celsius’ propensity to take risks in an attempt to recapitalise at safer levels - in other words taking bets, or apportioning loans, without standard risk controls.  

So BadgerDAO, a hitherto forgotten episode in Celsius’ history, was an undoubted “misstep” - a human error - in a wider series of missteps.  Did it reinforce a change in internal decision making at Celsius which exacerbated current issues?  Time will tell.

A full profile on The Badger DAO exploit, Celsius, and other crypto entities and events, is available in Risktrail,  our crypto compliance and regulatory risk platform.  Risktrail is currently in beta testing.  Get in touch to find out more.

‍