BadgerDAO Exploit
Summary
In December 2021, BadgerDAO suffered one of the largest DeFi exploits of that year when an attacker used a compromised Cloudflare API key to inject malicious scripts into the protocol's front-end. The tampered UI prompted users to sign ERC-20 approve() transactions that granted an unlimited allowance to a spender address under the attacker's control; the vault and token contracts themselves were never broken, and the later drain consisted of ordinary transferFrom calls against approvals the victims had signed, which is why pausing the vaults was the only on-chain lever available to the team. Approximately $120–130 million in Bitcoin-pegged and other tokens were drained from roughly 500 user wallets, with Celsius Network reportedly the single largest victim at approximately $50–55 million. BadgerDAO subsequently engaged Mandiant and Chainalysis for forensic investigation, coordinated with U.S. and Canadian law enforcement, and initiated a multi-tranche governance-driven restitution plan that remained ongoing as of 2025.
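The attack pattern above leaves a detectable trail on-chain weeks before the drain: unlimited ERC-20 Approval events naming a spender that the protocol's own contracts never ask for, accumulating from many owners. The following added example (written for this page, not BadgerDAO's code or Mandiant's tooling) decodes Approval logs in the standard receipt-log layout, flags unlimited allowances to spenders outside an allowlist, reports any spender collecting such approvals from multiple owners, and builds the approve(spender, 0) calldata a victim needs to revoke. The token, vault, drainer and owner addresses, the block numbers, and the log entries are all constructed placeholders; the 2**200 "unlimited" threshold is a heuristic assumption, not a standard.

```python
"""Flag unlimited ERC-20 approvals to unexpected spenders, spot a spender that is
quietly accumulating them, and build the calldata a victim needs to revoke.

Added example, not BadgerDAO's or Mandiant's code. It relies only on the public
ERC-20 Approval event layout: topic0 = keccak256("Approval(address,address,uint256)"),
topic1 = owner, topic2 = spender (both left-padded to 32 bytes), data = value.
Every address, block number and log entry below is a constructed placeholder.
"""
from __future__ import annotations

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1
# Heuristic (assumption): allowances this large are "unlimited" in practice; front-ends
# variously use 2**256-1, 2**255-1 or other near-max caps.
UNLIMITED_THRESHOLD = 2**200


def address_to_topic(addr: str) -> str:
    """Left-pad a 20-byte hex address to its 32-byte indexed-topic encoding."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the lowercase 20-byte address from a 32-byte topic."""
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict) -> dict | None:
    """Decode one receipt log; return None if it is not an ERC-20 Approval event."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "block": log["blockNumber"],
        "token": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "spender": topic_to_address(topics[2]),
        "value": int(log["data"], 16),
    }


def classify(approval: dict, known_spenders: set[str]) -> str:
    """Only an unlimited allowance to a spender outside the allowlist is critical."""
    unlimited = approval["value"] >= UNLIMITED_THRESHOLD
    known = approval["spender"] in known_spenders
    if unlimited and not known:
        return "critical"
    if not known:
        return "suspicious"
    return "ok"


def scan(logs: list[dict], known_spenders: set[str]) -> list[dict]:
    """Return every decoded approval that is not 'ok', annotated with its severity."""
    findings = []
    for log in logs:
        approval = parse_approval(log)
        if approval is None:
            continue
        severity = classify(approval, known_spenders)
        if severity != "ok":
            findings.append({**approval, "severity": severity})
    return findings


def accumulating_spenders(findings: list[dict], min_owners: int = 2) -> dict[str, int]:
    """Spenders holding critical approvals from many distinct owners: the
    'silently accumulating' pattern that precedes a bulk drain."""
    owners_by_spender: dict[str, set[str]] = {}
    for f in findings:
        if f["severity"] == "critical":
            owners_by_spender.setdefault(f["spender"], set()).add(f["owner"])
    return {s: len(o) for s, o in owners_by_spender.items() if len(o) >= min_owners}


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte padded address + zero value."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# Constructed placeholders (not real BadgerDAO, Celsius or attacker addresses).
TOKEN = "0x" + "aa" * 20
VAULT = "0x" + "11" * 20      # hypothetical legitimate vault the UI should approve
DRAINER = "0x" + "ee" * 20    # hypothetical spender inserted by a tampered front-end
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
KNOWN_SPENDERS = {VAULT}


def _approval_log(block: int, owner: str, spender: str, value: int) -> dict:
    """Build a receipt log in the shape an RPC eth_getLogs call returns."""
    return {"blockNumber": block, "address": TOKEN,
            "topics": [APPROVAL_TOPIC, address_to_topic(owner), address_to_topic(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _approval_log(13_600_000, ALICE, VAULT, 5 * 10**18),       # normal deposit approval
    _approval_log(13_650_010, ALICE, DRAINER, UINT256_MAX),    # tampered UI, unlimited
    _approval_log(13_650_420, BOB, DRAINER, 2**255 - 1),       # same pattern, different cap
    _approval_log(13_651_000, CAROL, VAULT, UINT256_MAX),      # unlimited, but to the known vault
    {"blockNumber": 13_651_001, "address": TOKEN, "topics": ["0x" + "dd" * 32], "data": "0x"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, KNOWN_SPENDERS)
    for f in found:
        print(f["severity"], f["owner"], "->", f["spender"], hex(f["value"]))
    for spender, n in accumulating_spenders(found).items():
        print(f"{spender} holds unlimited approvals from {n} owners; revoke with:")
        print("  ", revoke_calldata(spender))
```

In production the SAMPLE_LOGS list would be replaced by the output of eth_getLogs filtered on topic0 = APPROVAL_TOPIC for the protocol's tokens, and KNOWN_SPENDERS by the vault and router addresses the front-end is expected to request; an unlimited allowance to anything else, especially one showing up across many owners within days, is the signal that a UI or its CDN has been tampered with.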
Connected Entities
Timeline (13 events)
2021-03-01
BadgerDAO receives $21 million in VC investment and surpasses $1 billion in TVL.
Source: IQ.wiki — BadgerDAO

2021-08-01
Unauthorized accounts are created on Cloudflare without email verification and used to obtain Global API keys, without the knowledge of BadgerDAO engineers.
Source: CoinDesk — BadgerDAO Reveals Details of How It Was Hacked for $120M

2021-11-10
Attacker begins injecting malicious scripts into app.badger.com via Cloudflare Workers, using the compromised API key.
Source: Quadriga Initiative Case Study

2021-11-20
First malicious ERC-20 approval recorded on-chain; the attacker begins silently accumulating token spend authorizations.
Source: Quadriga Initiative Case Study

2021-12-02
Bulk drain begins at ~12:48 AM UTC. Approximately 2,100 BTC-equivalent tokens and 151 ETH are drained from ~500 wallets. Community raises the alarm; the BadgerDAO team begins pausing contracts.
Source: The Block — DeFi protocol BadgerDAO exploited for $120 million in front-end attack

2021-12-02
Most BadgerDAO vaults are paused by approximately 3:30 AM UTC; the last malicious withdrawal occurs at 4:57 AM UTC.
Source: Quadriga Initiative Case Study

2021-12-10
BadgerDAO and Mandiant publish a technical post-mortem identifying the Cloudflare API key compromise as the root cause.
Source: CoinDesk — BadgerDAO Reveals Details of How It Was Hacked for $120M

2021-12-16
BadgerDAO presents a three-tranche restitution plan; governance proposals BIP-76 through BIP-80 are published.
Source: CoinDesk — After $130M Hack, Badger's Restitution Plan Tests Limits of DAO Governance

2022-02-16
Microsoft Security Blog publishes an analysis of the BadgerDAO attack as a case study of "ice phishing", a front-end approval attack pattern.
Source: Microsoft Security Blog — Ice Phishing on the Blockchain

2023-02-23
BadgerDAO founder Chris Spadafora announces eBTC, a new decentralized Bitcoin product powered by Ethereum staking.
Source: IQ.wiki — Chris Spadafora

2024-02-10
BIP 103 proposes continuing the restitution program with an additional 1 million BADGER (~$3.5 million) allocated for 12 further months.
Source: BadgerDAO Forum — BIP 103 — Continue Restitution

2025-03-25
Governance proposal to allow remBADGER holders to participate in a new restitution pool fails to reach quorum.
Source: BadgerDAO Forum — Restitution 2.0

Decision Log
- hash: EVvVwGvi9drkb6BT5XCNG4aApWd34Que3Hsiv8TZ8no7
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 5/31/2026, 6:06:00 PM
last updated: 5/31/2026, 6:06:05 PM
avoid.net — verified advice for a post-truth world