52 comments

[ 4.6 ms ] story [ 128 ms ] thread
> The hacker was able to steal an API key that gave them control of BadgerDAO’s account on Cloudflare, the project’s content delivery network for its site. This gave the hacker the ability to inject a malicious script on the site that prompted users to give up wallet permissions, which then allowed the hackers to steal customers’ cryptocurrency.

If your use case involves being able to control user accounts centrally, why do you need blockchain for that?

UPD: if hacker didn't do it, BadgerDAO could do it anytime in the future, when money is much more than now, so it is good that they were hacked earlier, smaller impact on end users

> why do you need blockchain for that?

As Willie Sutton said, that's where the money is. https://www.nytimes.com/1979/08/26/archives/willie-sutton-sa...

(Imagine having to go to the trouble and risk of walking into a bank with a gun for a mere thirty thousand 1979 dollars, when you could steal one hundred million dollars by compromising some software!)

($30,000 adjusted for inflation would be worth about $114,300 in 2021)
Now you see if you'd stolen one bitcoin in 1979, it would still be worth one bitcoin in 2021! Price stability!
>If your use case involves being able to control user accounts centrally, why do you need blockchain for that?

AFAIK the accounts are not controlled centrally. How it works is that the project owners set up a site/webapp, which has javascript that interacts with wallet extensions installed on the user's browser. Members of the DAO uses the site to do various actions, for instance buying tokens or making votes. The site sends the request to the wallet extension to be signed, and then it gets broadcasted to the ethereum network. At the end of the day, the wallets are still controlled by the user, it's just that hijacking the site allows them to fool a massive number of users that don't pay close attention.

if a single point of failure impacts the actions of a large number of users, that would count as central control in my book
You don't have to use the frontend they host, it's not an actual single point of failure. Their frontend could go down, and as long as someone else is hosting one (or you download the source from github and host it locally) you can still use Badger.
If the failure of this single point led to the loss of $114m, that counts as a SPoF in my book regardless of what the platonic ideal user “could” or “should” have done.
You don’t even need the front end, you can interact with the contract directly.

It’s sad what happened to these users, but they did sign the contract giving the hackers permission to access wallet funds.

This is a failure of opsec.

presumably the code being distributed to users could then be redistributed by those users, making this not a SPoF

it just happened to be an overly trusted point of failure

^ this is correct, BadgerDAO has no control over user accounts, this is purely a frontend that was manipulated. You could redploy the frontend from source somewhere else without asking Badger and it would work just as well.
> wallet extensions installed on the user's browser

Absolute security nightmare in both directions, this.

This is why anyone who is serious in this space uses a hardware wallet.

I preach this in every forum I am active in, but if you are messing with more than play money you absolutely need a hardware wallet.

You’d think the sort of people who buy crypto tokens wouldn’t be the sort to trust others to hold their ‘money’, but I guess consistency is no one’s strong point.
There’s a group of people in the cryptoasset space who hold their own assets, understand how the system works, and know how to secure their own funds.

Then there are people who don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money and would happily do it on a centralized platform.

The second group has grown in size over the last few years and will put money into things that are clearly scams in hopes of a payout, and will click “sign transaction” anytime they’re prompted.

This is why the UX for blockchains needs to improve. There’s no reason that tooling can’t warn people when they’re authorizing funds to an unknown address. There is at least one hardware wallet that’s building out visualizations to help users understand what they’re doing.

Yeah, it's a massive problem. We're working on a tool to solve that in the DeFi space: https://app.agentsinu.com/bsc/tokens

Just launched a week ago and there's a ways to go yet but we're working on things like honeypot detection, dodgy tax fees, issues & changes of contracts, etc. The amount of scam tokens out there and unscrupulous tactics is outstanding (though unfortunately not surprising).

"understand how the system works, and know how to secure their own funds."

"don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money a"

Please ... both groups are rife with hustlers and pyramid scammers.

Crypto as an asset class is entirely a grift irrespective of the few 'legitimate backers' beliefs or actions.

If it were not for the big pile on of grifters, crypto would not have inflated prices and would therefore be the purview of a small number of hobbyists.

Finally, the notion that people should have an advanced understanding of computing, crypto, security and the various pitfalls, would imply technology is accessible to less than 0.01% of the planet who have both the will and ability to do so, thereby rendering the nill as any material opportunity for true 'decentralization'.

If people had to live in that world, they would be begging for some trusted institution in which they could safely place those funds, which are called 'banks'. Anyone can found one so long as they follow the regs, and those regulations are fully open and transparent. It represents just thee right amount of 'decentralization' necessary to keep a system with very high integrity afloat.

It's always been like that. Using a blockchain securely requires expertise in computer security and this excludes at least 99.9% of the world population. Everyone else has to use "trusted intermediaries".
Why is that? What is the risk using standard bitcoin client on any regular OS?
The user is exposed to huge operational risks, such as losing access to their keys, having their keys stolen, irreversibly transferring the wrong amount of tokens or mistakenly transferring the tokens to the wrong address, with no recourse.
To be fair it's entirely consistent. The money is supposed to be held by a smart contract (ie. BadgerDAO), which has various governance criteria that they presumably agree with. What happened is that the site was hacked and the user's transfer was diverted to the attacker rather than the intended smart contract.
Perhaps it is consistent with the system, but it seems inconsistent with the rhetoric used to justify crypto's actual existence.
>it seems inconsistent with the rhetoric used to justify crypto's actual existence.

For clarification purposes, what's the rhetoric you're referring to?

That crypto makes you free, even rich.
>crypto makes you free

Free from what? Free from having to transact with third parties and the financial system? I'm not seeing the contradiction for that. Free from worrying about money? Getting rich? I guess that's a contradiction in the sense that losing money is contradictory to getting rich, but I don't see how anyone can take "we're all going to be rich!" as some sort of principled justification for the existence of something.

Just to preempt the usual HN misconceptions.

There are lots of crypto projects who have never been hacked - Compound, Balancer, AAVE - etc.

Banks need top grade security, and making a bank in crypto is hard. Because of the absence of regulation, what you’re getting right now is a lot of DeFi projects that are poorly secured. You take the risk you’re willing to take really.

The problem with crypto users "taking the risk they're willing to take" is that there's very little reliable information about which projects have better security than others.

Every project will say that they have great security, but without external validation or regulation, how do you know which of them are mistaken or outright lying.

There are audits that most projects do with crypto auditing software firms. These are usually announced publicly. That gives you some credibility in the space.

IMO security just comes from time spent operating vs amount of hacks. If you've been operating for a couple of years with no known hacks then I trust the team behind the project.

audits are a signal for sure, but can an end-user tell a good audit from a bad audit?

Also as monox (who got hacked this week) shows 3 audits this year are no guarantee https://docs.monox.finance/library/audits

no audit's going to pick up every possible issue or potential exploit, but it does help weed out the obvious scams.

The entry to creating your own token is so low that people with little to no coding experience are attempting to add/modify functionality. Community insistence to get audited is useful to pick up on these.

I don't know those companies. There are only a few companies I'd trust with crypto audits.
I mean, it's been a minute (well, actually a bit more than a decade) since I worked in finance, but I don't think I would characterize banks as having top grade security.

More like 'barely meets the threshold for compliance with regulations and laws if you glance sideways at it through a foggy pane of glass' security.

While most do have adequate security, many banks are self-insuring for several classes of risk, including several that self-insure for cybersecurity issues. They depend heavily on support from LEOs, centralization of clearing operations, and established norms on how to interact with each other through ISACs and other industry associations - something that cryptocurrency and decentralized finance currently lack.

This is true but COMP has had exploits and their CEO also begged its users to send funds back last time it happened while threatening to doxx them[0] so perhaps not the best example.

Your overall point is valid though, and it's not like it happens just in crypto - e.g. this paypal auth hack is not too disimilar and that's a much bigger company[1].

0. https://decrypt.co/82387/defi-community-blasts-compound-ceo-...

1. https://www.consumeraffairs.com/news/paypal-hackers-are-targ...

Sounds like a rookie mistake, but haven't there been cases of banks sending people money they shouldn't have?

This sounds like a bug, not an exploit.

>There are lots of crypto projects who have never been hacked

Cyclists have a saying: there are two kinds of cyclists, ones that have crashed, and ones that are going to crash.

I think crypto exchanges can be similarly partitioned: there are two kinds of crypto exchanges, ones that have been hacked, and ones that are going to be hacked.

It's just ideal conditions: lots of money, software, no regulation/oversight, anonymous criminals.

Techbros: we don't ask permission, we don't play by the rules, we move fast and break things, the world is our libertarian playground.

Also Techbros: pls look in ur heart and do the right thing for us pls.

So the same mentality as startups then, like Uber's CEO "Innovators Shouldn't Have To Ask For Permission Or Forgiveness"[1] or Facebook's original motto for developers being "Move fast and break things"[2].

Also here's a list of 11 startup entrepreneurs who "broke all the rules and achieved great success" according to this article[3]. Also found several people claiming that "Disrupters don't play by the rules"[4][5][6], and startups love to consider themselves "Disruptors for X technology"[7] to the point of parody in the HBO's Silicon Valley tv show, and even an entire startup convention named after it (TechCrunch Disrupt)[8].

Unfortunately, I think it will be tough to pin down anyone claiming anything is their "libertarian playground" (including the techbros that you're pretending are saying that), so I have to leave that one untouched.

Also, if getting hacked is all that's needed in order to get the mockery and derision of HN, then you pretty much all should be mocking yourselves, since the past few years have shown that there's almost no company of any decent size that doesn't eventually get hacked, and there's a good chance you're working for a company that has been hacked or will in the next five years.

In the last few years I alone have gotten notifications of having possible leaked data from Facebook, LinkedIn, Twitch, Netflix, Target, Michael's, Equifax, and probably at least a dozen more companies, and I'm sure probably at least a dozen more on top of that never bothered to notify me.

[1]: https://www.techdirt.com/articles/20130130/18445721832/ubers...

[2]: https://mindmatters.ai/2018/10/facebooks-old-motto-was-move-...

[3]: https://www.entrepreneur.com/slideshow/328085

[4]: https://twitter.com/accenturetech/status/575606603644272640

[5]: https://youtu.be/NRjVcogNRac

[6]: https://www.linkedin.com/pulse/disruptors-dont-play-rules-re...

[7]: https://www.theguardian.com/technology/2016/jan/11/disruptio...

[8]: https://techcrunch.com/events/tc-disrupt-2021/

wait, what? Are startups somehow not tech bros?
Yeah I'm not really arguing that they're not, more that we're on a forum that tends to venerate startups, and yet the parent comment is using the same comments that startups use as a bad thing against crypto platforms.
This has to affect the large returns on stablecoins, right? These counterparties are going bust left and right.

9% for GUSD for example https://blockfi.com/rates/

A yield above the risk free rate implies that risk does in fact exist for stablecoins.
I guess Defi is not quite safe as one expects.
Don’t do it, hacker. If you do, consensus will always be whack.
Celsius had several hundred Bitcoin lost in this BadgerDAO phishing attack.
"we are willing to work with you and compensate you for identifying this vulnerability in the systems"

I'm pretty sure they have already been compensated, to the tune of $119M.

If they are serious they'll offer to sign an agreement indemnifying the hacker from prosecution, and still give them a substantial sum (at least $30M)

The victim of a crime doesn't decide if they get prosecuted or not, and cannot indemnify them from criminal liability (only civil), at least in the USA.

There's no such thing as "pressing charges".

True, but pen-testing is an industry with appropriately-worded contracts.
Are you saying that unauthorised access to systems and unauthorised taking of money could be retroactively authorised, thus there would be no crime?