> The hacker was able to steal an API key that gave them control of BadgerDAO’s account on Cloudflare, the project’s content delivery network for its site. This gave the hacker the ability to inject a malicious script on the site that prompted users to give up wallet permissions, which then allowed the hackers to steal customers’ cryptocurrency.
If your use case involves being able to control user accounts centrally, why do you need blockchain for that?
UPD: if hacker didn't do it, BadgerDAO could do it anytime in the future, when money is much more than now, so it is good that they were hacked earlier, smaller impact on end users
(Imagine having to go to the trouble and risk of walking into a bank with a gun for a mere thirty thousand 1979 dollars, when you could steal one hundred million dollars by compromising some software!)
>If your use case involves being able to control user accounts centrally, why do you need blockchain for that?
AFAIK the accounts are not controlled centrally. How it works is that the project owners set up a site/webapp, which has javascript that interacts with wallet extensions installed on the user's browser. Members of the DAO uses the site to do various actions, for instance buying tokens or making votes. The site sends the request to the wallet extension to be signed, and then it gets broadcasted to the ethereum network. At the end of the day, the wallets are still controlled by the user, it's just that hijacking the site allows them to fool a massive number of users that don't pay close attention.
You don't have to use the frontend they host, it's not an actual single point of failure. Their frontend could go down, and as long as someone else is hosting one (or you download the source from github and host it locally) you can still use Badger.
If the failure of this single point led to the loss of $114m, that counts as a SPoF in my book regardless of what the platonic ideal user “could” or “should” have done.
^ this is correct, BadgerDAO has no control over user accounts, this is purely a frontend that was manipulated. You could redploy the frontend from source somewhere else without asking Badger and it would work just as well.
You’d think the sort of people who buy crypto tokens wouldn’t be the sort to trust others to hold their ‘money’, but I guess consistency is no one’s strong point.
There’s a group of people in the cryptoasset space who hold their own assets, understand how the system works, and know how to secure their own funds.
Then there are people who don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money and would happily do it on a centralized platform.
The second group has grown in size over the last few years and will put money into things that are clearly scams in hopes of a payout, and will click “sign transaction” anytime they’re prompted.
This is why the UX for blockchains needs to improve. There’s no reason that tooling can’t warn people when they’re authorizing funds to an unknown address. There is at least one hardware wallet that’s building out visualizations to help users understand what they’re doing.
Just launched a week ago and there's a ways to go yet but we're working on things like honeypot detection, dodgy tax fees, issues & changes of contracts, etc. The amount of scam tokens out there and unscrupulous tactics is outstanding (though unfortunately not surprising).
"understand how the system works, and know how to secure their own funds."
"don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money a"
Please ... both groups are rife with hustlers and pyramid scammers.
Crypto as an asset class is entirely a grift irrespective of the few 'legitimate backers' beliefs or actions.
If it were not for the big pile on of grifters, crypto would not have inflated prices and would therefore be the purview of a small number of hobbyists.
Finally, the notion that people should have an advanced understanding of computing, crypto, security and the various pitfalls, would imply technology is accessible to less than 0.01% of the planet who have both the will and ability to do so, thereby rendering the nill as any material opportunity for true 'decentralization'.
If people had to live in that world, they would be begging for some trusted institution in which they could safely place those funds, which are called 'banks'. Anyone can found one so long as they follow the regs, and those regulations are fully open and transparent. It represents just thee right amount of 'decentralization' necessary to keep a system with very high integrity afloat.
It's always been like that. Using a blockchain securely requires expertise in computer security and this excludes at least 99.9% of the world population. Everyone else has to use "trusted intermediaries".
The user is exposed to huge operational risks, such as losing access to their keys, having their keys stolen, irreversibly transferring the wrong amount of tokens or mistakenly transferring the tokens to the wrong address, with no recourse.
To be fair it's entirely consistent. The money is supposed to be held by a smart contract (ie. BadgerDAO), which has various governance criteria that they presumably agree with. What happened is that the site was hacked and the user's transfer was diverted to the attacker rather than the intended smart contract.
Free from what? Free from having to transact with third parties and the financial system? I'm not seeing the contradiction for that. Free from worrying about money? Getting rich? I guess that's a contradiction in the sense that losing money is contradictory to getting rich, but I don't see how anyone can take "we're all going to be rich!" as some sort of principled justification for the existence of something.
There are lots of crypto projects who have never been hacked - Compound, Balancer, AAVE - etc.
Banks need top grade security, and making a bank in crypto is hard. Because of the absence of regulation, what you’re getting right now is a lot of DeFi projects that are poorly secured. You take the risk you’re willing to take really.
The problem with crypto users "taking the risk they're willing to take" is that there's very little reliable information about which projects have better security than others.
Every project will say that they have great security, but without external validation or regulation, how do you know which of them are mistaken or outright lying.
There are audits that most projects do with crypto auditing software firms. These are usually announced publicly. That gives you some credibility in the space.
IMO security just comes from time spent operating vs amount of hacks. If you've been operating for a couple of years with no known hacks then I trust the team behind the project.
no audit's going to pick up every possible issue or potential exploit, but it does help weed out the obvious scams.
The entry to creating your own token is so low that people with little to no coding experience are attempting to add/modify functionality. Community insistence to get audited is useful to pick up on these.
We're working on solving this problem. We've just launched our platform, starting with DeFi tokens (what you could call the Wild West of Crypto): https://app.agentsinu.com/bsc/tokens
I mean, it's been a minute (well, actually a bit more than a decade) since I worked in finance, but I don't think I would characterize banks as having top grade security.
More like 'barely meets the threshold for compliance with regulations and laws if you glance sideways at it through a foggy pane of glass' security.
While most do have adequate security, many banks are self-insuring for several classes of risk, including several that self-insure for cybersecurity issues. They depend heavily on support from LEOs, centralization of clearing operations, and established norms on how to interact with each other through ISACs and other industry associations - something that cryptocurrency and decentralized finance currently lack.
This is true but COMP has had exploits and their CEO also begged its users to send funds back last time it happened while threatening to doxx them[0] so perhaps not the best example.
Your overall point is valid though, and it's not like it happens just in crypto - e.g. this paypal auth hack is not too disimilar and that's a much bigger company[1].
>There are lots of crypto projects who have never been hacked
Cyclists have a saying: there are two kinds of cyclists, ones that have crashed, and ones that are going to crash.
I think crypto exchanges can be similarly partitioned: there are two kinds of crypto exchanges, ones that have been hacked, and ones that are going to be hacked.
It's just ideal conditions: lots of money, software, no regulation/oversight, anonymous criminals.
So the same mentality as startups then, like Uber's CEO "Innovators Shouldn't Have To Ask For Permission Or Forgiveness"[1] or Facebook's original motto for developers being "Move fast and break things"[2].
Also here's a list of 11 startup entrepreneurs who "broke all the rules and achieved great success" according to this article[3]. Also found several people claiming that "Disrupters don't play by the rules"[4][5][6], and startups love to consider themselves "Disruptors for X technology"[7] to the point of parody in the HBO's Silicon Valley tv show, and even an entire startup convention named after it (TechCrunch Disrupt)[8].
Unfortunately, I think it will be tough to pin down anyone claiming anything is their "libertarian playground" (including the techbros that you're pretending are saying that), so I have to leave that one untouched.
Also, if getting hacked is all that's needed in order to get the mockery and derision of HN, then you pretty much all should be mocking yourselves, since the past few years have shown that there's almost no company of any decent size that doesn't eventually get hacked, and there's a good chance you're working for a company that has been hacked or will in the next five years.
In the last few years I alone have gotten notifications of having possible leaked data from Facebook, LinkedIn, Twitch, Netflix, Target, Michael's, Equifax, and probably at least a dozen more companies, and I'm sure probably at least a dozen more on top of that never bothered to notify me.
Yeah I'm not really arguing that they're not, more that we're on a forum that tends to venerate startups, and yet the parent comment is using the same comments that startups use as a bad thing against crypto platforms.
The victim of a crime doesn't decide if they get prosecuted or not, and cannot indemnify them from criminal liability (only civil), at least in the USA.
52 comments
[ 4.6 ms ] story [ 128 ms ] threadIf your use case involves being able to control user accounts centrally, why do you need blockchain for that?
UPD: if hacker didn't do it, BadgerDAO could do it anytime in the future, when money is much more than now, so it is good that they were hacked earlier, smaller impact on end users
As Willie Sutton said, that's where the money is. https://www.nytimes.com/1979/08/26/archives/willie-sutton-sa...
(Imagine having to go to the trouble and risk of walking into a bank with a gun for a mere thirty thousand 1979 dollars, when you could steal one hundred million dollars by compromising some software!)
AFAIK the accounts are not controlled centrally. How it works is that the project owners set up a site/webapp, which has javascript that interacts with wallet extensions installed on the user's browser. Members of the DAO uses the site to do various actions, for instance buying tokens or making votes. The site sends the request to the wallet extension to be signed, and then it gets broadcasted to the ethereum network. At the end of the day, the wallets are still controlled by the user, it's just that hijacking the site allows them to fool a massive number of users that don't pay close attention.
It’s sad what happened to these users, but they did sign the contract giving the hackers permission to access wallet funds.
This is a failure of opsec.
it just happened to be an overly trusted point of failure
Absolute security nightmare in both directions, this.
I preach this in every forum I am active in, but if you are messing with more than play money you absolutely need a hardware wallet.
Then there are people who don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money and would happily do it on a centralized platform.
The second group has grown in size over the last few years and will put money into things that are clearly scams in hopes of a payout, and will click “sign transaction” anytime they’re prompted.
This is why the UX for blockchains needs to improve. There’s no reason that tooling can’t warn people when they’re authorizing funds to an unknown address. There is at least one hardware wallet that’s building out visualizations to help users understand what they’re doing.
Just launched a week ago and there's a ways to go yet but we're working on things like honeypot detection, dodgy tax fees, issues & changes of contracts, etc. The amount of scam tokens out there and unscrupulous tactics is outstanding (though unfortunately not surprising).
"don’t care about decentralization and flood every discord server asking “wen token” and are just around to make free money a"
Please ... both groups are rife with hustlers and pyramid scammers.
Crypto as an asset class is entirely a grift irrespective of the few 'legitimate backers' beliefs or actions.
If it were not for the big pile on of grifters, crypto would not have inflated prices and would therefore be the purview of a small number of hobbyists.
Finally, the notion that people should have an advanced understanding of computing, crypto, security and the various pitfalls, would imply technology is accessible to less than 0.01% of the planet who have both the will and ability to do so, thereby rendering the nill as any material opportunity for true 'decentralization'.
If people had to live in that world, they would be begging for some trusted institution in which they could safely place those funds, which are called 'banks'. Anyone can found one so long as they follow the regs, and those regulations are fully open and transparent. It represents just thee right amount of 'decentralization' necessary to keep a system with very high integrity afloat.
For clarification purposes, what's the rhetoric you're referring to?
Free from what? Free from having to transact with third parties and the financial system? I'm not seeing the contradiction for that. Free from worrying about money? Getting rich? I guess that's a contradiction in the sense that losing money is contradictory to getting rich, but I don't see how anyone can take "we're all going to be rich!" as some sort of principled justification for the existence of something.
There are lots of crypto projects who have never been hacked - Compound, Balancer, AAVE - etc.
Banks need top grade security, and making a bank in crypto is hard. Because of the absence of regulation, what you’re getting right now is a lot of DeFi projects that are poorly secured. You take the risk you’re willing to take really.
Every project will say that they have great security, but without external validation or regulation, how do you know which of them are mistaken or outright lying.
IMO security just comes from time spent operating vs amount of hacks. If you've been operating for a couple of years with no known hacks then I trust the team behind the project.
Also as monox (who got hacked this week) shows 3 audits this year are no guarantee https://docs.monox.finance/library/audits
The entry to creating your own token is so low that people with little to no coding experience are attempting to add/modify functionality. Community insistence to get audited is useful to pick up on these.
If you're interested, here's an overview of the honeypot scam (common with DeFi tokens) and how we're helping alert users to it: https://agentsofinu.medium.com/the-honeypot-scam-what-is-it-...
More like 'barely meets the threshold for compliance with regulations and laws if you glance sideways at it through a foggy pane of glass' security.
While most do have adequate security, many banks are self-insuring for several classes of risk, including several that self-insure for cybersecurity issues. They depend heavily on support from LEOs, centralization of clearing operations, and established norms on how to interact with each other through ISACs and other industry associations - something that cryptocurrency and decentralized finance currently lack.
Your overall point is valid though, and it's not like it happens just in crypto - e.g. this paypal auth hack is not too disimilar and that's a much bigger company[1].
0. https://decrypt.co/82387/defi-community-blasts-compound-ceo-...
1. https://www.consumeraffairs.com/news/paypal-hackers-are-targ...
This sounds like a bug, not an exploit.
Cyclists have a saying: there are two kinds of cyclists, ones that have crashed, and ones that are going to crash.
I think crypto exchanges can be similarly partitioned: there are two kinds of crypto exchanges, ones that have been hacked, and ones that are going to be hacked.
It's just ideal conditions: lots of money, software, no regulation/oversight, anonymous criminals.
https://rekt.news
Also Techbros: pls look in ur heart and do the right thing for us pls.
Also here's a list of 11 startup entrepreneurs who "broke all the rules and achieved great success" according to this article[3]. Also found several people claiming that "Disrupters don't play by the rules"[4][5][6], and startups love to consider themselves "Disruptors for X technology"[7] to the point of parody in the HBO's Silicon Valley tv show, and even an entire startup convention named after it (TechCrunch Disrupt)[8].
Unfortunately, I think it will be tough to pin down anyone claiming anything is their "libertarian playground" (including the techbros that you're pretending are saying that), so I have to leave that one untouched.
Also, if getting hacked is all that's needed in order to get the mockery and derision of HN, then you pretty much all should be mocking yourselves, since the past few years have shown that there's almost no company of any decent size that doesn't eventually get hacked, and there's a good chance you're working for a company that has been hacked or will in the next five years.
In the last few years I alone have gotten notifications of having possible leaked data from Facebook, LinkedIn, Twitch, Netflix, Target, Michael's, Equifax, and probably at least a dozen more companies, and I'm sure probably at least a dozen more on top of that never bothered to notify me.
[1]: https://www.techdirt.com/articles/20130130/18445721832/ubers...
[2]: https://mindmatters.ai/2018/10/facebooks-old-motto-was-move-...
[3]: https://www.entrepreneur.com/slideshow/328085
[4]: https://twitter.com/accenturetech/status/575606603644272640
[5]: https://youtu.be/NRjVcogNRac
[6]: https://www.linkedin.com/pulse/disruptors-dont-play-rules-re...
[7]: https://www.theguardian.com/technology/2016/jan/11/disruptio...
[8]: https://techcrunch.com/events/tc-disrupt-2021/
9% for GUSD for example https://blockfi.com/rates/
I'm pretty sure they have already been compensated, to the tune of $119M.
If they are serious they'll offer to sign an agreement indemnifying the hacker from prosecution, and still give them a substantial sum (at least $30M)
There's no such thing as "pressing charges".