Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 080 · Private Key Compromise

Dego Finance Multi-Chain Key Compromise

A private-key compromise drained $10M from Dego Finance across Ethereum and BNB Chain, sweeping liquidity pools and user wallets with active token approvals.

On February 10, 2022, the cross-chain NFT and DeFi protocol Dego Finance lost approximately $10 million when an attacker compromised private keys controlling the protocol's operations across Ethereum and BNB Chain. The attacker drained both protocol-held liquidity and the wallets of users who had granted token approvals to Dego's contracts.

What happened

Dego Finance operated NFT and yield products across multiple chains, with privileged operations gated by keys held in the team's signing infrastructure. The attacker obtained these keys — the specific compromise vector (endpoint malware, phishing, infrastructure breach) was not publicly detailed.

With the keys in hand, the attacker executed a two-pronged drain:

  1. Protocol liquidity: drained the DEGO token's liquidity pools on Ethereum and BNB Chain directly.
  2. User approvals: for users who had granted Dego's contracts unlimited token approvals (the standard pattern for any DeFi protocol that moves user tokens), the attacker used the compromised privileged access to transferFrom those users' approved balances to attacker-controlled addresses.

The combined drain across both chains totalled approximately $10 million in mixed assets.

Aftermath

  • Dego Finance paused operations and advised all users to revoke token approvals to its contracts immediately.
  • The DEGO token fell sharply as the market priced in the protocol compromise.
  • No public recovery from the attacker's wallets; funds were laundered through standard mixers.

Why it matters

The Dego Finance incident illustrates the recurring "compromised key + user approvals = double drain" pattern that has produced losses across the entire DeFi era:

  • Furucombo (Feb 2021) — evil-contract delegatecall drained approval-granting users.
  • Dego Finance (Feb 2022) — key compromise drained both protocol and approval-granting users.
  • Transit Swap (Oct 2022) — missing validation let any caller drain approvals.
  • LI.FI (Jul 2024) — facet bug drained infinite-approval wallets.

The structural lesson, repeated for years: when a protocol holds user token approvals, a compromise of the protocol's privileged keys is also a compromise of every user who approved it. The blast radius of a key compromise is not "the protocol's treasury" — it's "the protocol's treasury plus every approving user's approved balances."

The defensive responses — bounded approvals, EIP-2612 permits with expiry, per-transaction approval patterns, and regular approval revocation hygiene — all exist to limit this blast radius. Modern wallets default to bounded approvals partly because of the cumulative cost of incidents like Dego Finance, where users who had long ago granted an "unlimited approve" to a protocol they no longer used were drained years later when that protocol's keys were eventually compromised.

Sources & on-chain evidence

  1. halborn.com: https://halborn.com/explained-the-dego-finance-hack-february-2022/
  2. cryptopotato.com: https://cryptopotato.com/defi-project-dego-finance-hacked-exploiters-reportedly-drain-over-10m/
  3. cryptobriefing.com: https://cryptobriefing.com/bsc-ethereum-defi-projects-hit-14-4m-hack/