On December 2, 2021, the Bitcoin-focused DeFi protocol BadgerDAO discovered that user wallets had been silently drained for nearly two weeks. Total losses: roughly $120 million — extracted not from the protocol's smart contracts, but from users approving malicious transactions on the protocol's own website.
What happened
A compromised Cloudflare API key with broad permissions over BadgerDAO's web infrastructure gave the attacker the ability to inject arbitrary JavaScript into the frontend, scoped to specific Cloudflare routes. Beginning in mid-November 2021, they ran an injection that, on selected sessions, replaced the calldata of a legitimate transaction with an ERC-20 approve() call on the user's vault tokens, granting the attacker's address an unlimited allowance to spend them.
Users who visited the site, clicked "deposit" or "manage", and signed what looked like a normal interaction were in fact handing over withdrawal rights to their entire BadgerDAO position. The attacker would then spend that allowance with transferFrom() from a separate address and drain the funds.
The malicious script ran selectively — only on a subset of high-value sessions — which is why it took nearly two weeks to detect. Microsoft Security later coined the term "ice phishing" for this class of attack.
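As an added illustration, not code from the original post or from BadgerDAO, here is the kind of wallet-side pre-signing check that would surface the calldata swap described above: it decodes ERC-20 approve(address,uint256) calldata and flags an approval whose spender is not a known protocol contract or whose amount is effectively unlimited. The allowlisted address and the sample transactions are constructed placeholders.

```javascript
// Added example, not from the original post: a wallet-side pre-signing check
// for the calldata swap described above. It decodes ERC-20
// approve(address,uint256) calldata and flags an approval that grants an
// unexpected spender an effectively unlimited allowance.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of spenders the dApp legitimately asks approvals for.
// Constructed placeholder address, not one of BadgerDAO's real contracts.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns { spender, amount } for approve() calldata, or null for anything else.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) {
    return null;
  }
  const spenderWord = hex.slice(8, 72);
  // ABI encoding pads a 20-byte address to 32 bytes with 12 leading zero bytes.
  if (!/^0{24}/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Verdict for a transaction the user is about to sign. "block" means the wallet
// should refuse (or at least interrupt with a warning) before the signature.
function assessApproval(calldata, expectedSpenders = KNOWN_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { verdict: "not-approve", reasons: [] };
  const reasons = [];
  if (!expectedSpenders.has(decoded.spender)) reasons.push("unknown-spender");
  // Heuristic: an amount at or above 2^255 is treated as an unlimited approval.
  if (decoded.amount >= (1n << 255n)) reasons.push("unlimited-allowance");
  return { verdict: reasons.length ? "block" : "allow", reasons, ...decoded };
}

// Builds approve() calldata; used here only to construct sample transactions.
function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addrWord + amount.toString(16).padStart(64, "0");
}

// Constructed samples: the injected pattern (unknown spender, max allowance)
// beside a legitimate bounded approval to the known contract.
const injected = encodeApprove("0x" + "ab".repeat(20), MAX_UINT256);
const legitimate = encodeApprove("0x1111111111111111111111111111111111111111", 1000n);
console.log(assessApproval(injected).verdict, assessApproval(legitimate).verdict); // block allow
```

A real wallet would source the allowlist from the contract addresses the dApp publishes out of band, not from the page that is asking for the signature.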
Aftermath
- BadgerDAO paused all contracts as soon as the injection was confirmed.
- The team announced a remediation plan and a token-based reimbursement to affected users.
- The original Cloudflare API key compromise vector was never publicly identified beyond "credential exposure."
- The vast majority of funds were laundered through Tornado Cash before any could be frozen.
Why it matters
BadgerDAO showed for the first time at scale that a DeFi protocol's smart contracts are not its only attack surface. The website serving the contract calls is a trust boundary, and any compromise of the infrastructure that serves it — CDN, hosting provider, DNS, build pipeline — is a complete compromise of the protocol from the user's perspective.
The lesson was re-learned at much higher cost three years later at Bybit, where the same pattern — supply-chain compromise of a critical web infrastructure provider — drained $1.46B.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-badgerdao-hack-december-2021
- [02] coindesk.com: https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m
- [03] microsoft.com: https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/