Verify a decision

{"actor":"system:backfill","investigation_id":"fa8789a1-9756-4db0-ae91-f2c4d6200fe7","kind":"publish","page_slug":"badgerdao-exploit","published_at":"2026-05-31T18:06:05.530Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"BadgerDAO Exploit","sections":[{"content":"The exploit was not a smart-contract vulnerability but a supply-chain attack on BadgerDAO's web front-end. BadgerDAO's post-mortem, published in partnership with cybersecurity firm Mandiant, determined that the phishing incident was caused by 'a maliciously injected snippet provided by Cloudflare Workers.' The attacker obtained a Cloudflare API key that was created without the knowledge or authorization of BadgerDAO engineers, exploiting a flaw in Cloudflare's account-creation process that in mid-2021 allowed users to create accounts and view Global API keys without completing email verification. BadgerDAO found that three such unauthorized accounts were created in August and September 2021. The attacker leveraged this API access beginning November 10, 2021, to periodically inject malicious JavaScript into app.badger.com via Cloudflare Workers. To evade detection, the attacker applied and removed the script at irregular intervals, targeted only high-balance wallets, and avoided wallets belonging to known multisig signers.","heading":"Attack Vector: Cloudflare API Key Compromise","severity":"critical","sources":[{"credibility":1,"name":"BadgerDAO Reveals Details of How It Was Hacked for $120M — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m"},{"credibility":1,"name":"DeFi Platform BadgerDAO Says Cloudflare Flaw Led to $130 Million Crypto Heist — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2021-12-10/badgerdao-says-cloudflare-flaw-led-to-130-million-heist"},{"credibility":2,"name":"Explained: The BadgerDAO Hack (December 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-badgerdao-hack-december-2021"},{"credibility":2,"name":"Dec 2021 — BadgerDAO Malicious Code Injected — Quadriga Initiative Case Study","type":"research","url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"}]},{"content":"The injected Cloudflare Workers script intercepted web3 transaction requests in the BadgerDAO application and prompted users to authorize a foreign externally-owned address (EOA) — not a smart contract — to spend unlimited amounts of ERC-20 tokens held in their wallets. Once approvals were obtained, the attacker could call transferFrom at any later time to drain the approved tokens without further interaction from the victim. Microsoft's Security Blog later characterized this technique as 'ice phishing' — distinguishing it from classical phishing by the fact that no private keys are stolen; only token spend permissions are obtained. The first on-chain malicious approval is recorded as occurring November 20, 2021, approximately 12 days before the main drain event. The attacker silently accumulated approvals from nearly 500 wallets before executing the bulk withdrawal.","heading":"Malicious Approval Mechanism ('Ice Phishing')","severity":"critical","sources":[{"credibility":1,"name":"'Ice Phishing' on the Blockchain — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/"},{"credibility":2,"name":"How to Derail a 120-Million-Dollar Hack — Forta Network","type":"research","url":"https://forta.org/blog/how-to-derail-a-120-million-dollar-hack"},{"credibility":2,"name":"Dec 2021 — BadgerDAO Malicious Code Injected — Quadriga Initiative Case Study","type":"research","url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"}]},{"content":"Estimates of total losses vary slightly across sources due to the timing of price snapshots, but converge in the range of $116–130 million. According to on-chain analysis by PeckShield and TRM Labs, assets stolen included approximately 2,100 BTC-equivalent tokens (comprising various wrapped and tokenized Bitcoin assets such as WBTC, renBTC, and DIGG), 151 ETH, and smaller amounts of CVX and other tokens. TRM Labs reported a single transaction transferring approximately 900 wrapped Bitcoin — roughly $50 million — from a Yearn wBTC vault. Celsius Network was publicly reported as the largest individual victim, with losses of approximately $50–55 million in wrapped Bitcoin. Approximately $9 million remained in the attacker's wallet within BadgerDAO vaults and was subsequently recovered through governance-enabled contract upgrades.","heading":"Financial Losses","severity":"critical","sources":[{"credibility":1,"name":"Badger DAO Protocol Suffers $120M Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/12/02/badger-dao-protocol-suffers-10m-exploit"},{"credibility":2,"name":"TRM Investigates: BadgerDAO DeFi Protocol Hacked — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/trm-investigates-badgerdao-defi-protocol-hacked"},{"credibility":2,"name":"Celsius Network Reportedly Lost $50 Million in the $120 Million BadgerDAO Hack — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/celsius-network-reportedly-lost-50-million-in-the-120-million-badgerdao-hack/"},{"credibility":2,"name":"Bitcoin DeFi Project BadgerDAO Hacked for $120M — Decrypt","type":"news_article","url":"https://decrypt.co/87415/bitcoin-defi-project-badgerdao-hacked-120m"}]},{"content":"The main drain event began at approximately 12:48 AM UTC on December 2, 2021. Community members raised an alarm shortly after, and the BadgerDAO team began pausing smart contracts. The team exercised guardian powers to freeze all calls to the transferFrom function, halting further withdrawals. Most contracts were paused by approximately 3:30 AM UTC; the last malicious withdrawal from an unpaused vault occurred at 4:57 AM UTC. BadgerDAO is a Chainalysis customer, and the protocol's team engaged Chainalysis's Reactor blockchain investigation tool to trace stolen fund flows. The team also retained cybersecurity firm Mandiant (now Google Cloud Security) for a technical forensic investigation and coordinated with U.S. and Canadian law enforcement authorities. TRM Labs documented the attacker's wallet addresses for client exposure monitoring. As of public reporting, the attacker converted many stolen assets to renBTC, moved funds to native Bitcoin addresses, and was likely staging funds for mixing services.","heading":"Detection and Immediate Response","severity":"high","sources":[{"credibility":2,"name":"Behind The Scenes of The BadgerDAO Hack — Chainalysis Podcast Ep. 6","type":"research","url":"https://www.chainalysis.com/blog/chainalysis-podcast-episode-6-badgerdao-hack/"},{"credibility":2,"name":"TRM Investigates: BadgerDAO DeFi Protocol Hacked — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/trm-investigates-badgerdao-defi-protocol-hacked"},{"credibility":2,"name":"Dec 2021 — BadgerDAO Malicious Code Injected — Quadriga Initiative Case Study","type":"research","url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"},{"credibility":2,"name":"BadgerDAO users' cryptocurrency stolen in cyber attack — TechTarget","type":"news_article","url":"https://www.techtarget.com/searchsecurity/news/252510627/BadgerDAO-users-cryptocurrency-stolen-in-cyber-attack"}]},{"content":"As of available public reporting, the attacker has not been publicly identified or charged. BadgerDAO coordinated with U.S. and Canadian law enforcement and hired Mandiant and Chainalysis to produce investigative leads. No arrest or indictment in connection with the BadgerDAO exploit has been publicly announced. Fund recovery from the open market or law enforcement seizure has not been publicly confirmed.","heading":"Attacker Identity and Law Enforcement Outcome","severity":"medium","sources":[{"credibility":1,"name":"BadgerDAO Reveals Details of How It Was Hacked for $120M — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m"},{"credibility":2,"name":"Behind The Scenes of The BadgerDAO Hack — Chainalysis Podcast Ep. 6","type":"research","url":"https://www.chainalysis.com/blog/chainalysis-podcast-episode-6-badgerdao-hack/"}]},{"content":"BadgerDAO founder Chris Spadafora described the subsequent restitution effort as potentially 'the largest of its kind' in DeFi. The DAO treasury held approximately $53 million at the time — insufficient for immediate full compensation against $121 million in unrecoverable losses. The community structured compensation into three tranches requiring separate governance proposals (Badger Improvement Proposals, or BIPs). Tranche 1 (~$2.8 million): BIP-79 proposed distributing BADGER governance tokens from the treasury to restore voting rights for affected users, covering approximately 17% of victims in full. Tranche 2 (~$9.2 million): BIPs 76–78 enabled contract upgrades to seize vault tokens still held in the attacker's address and return them token-for-token, covering an additional 38% of victims. Tranche 3 (~$121 million): The largest and most complex tranche, covering the top 10 victims who represented the majority of losses; proposed solutions included partial immediate compensation weighted against long-term payback mechanisms via vault revenue. A subsequent proposal (BIP 103, February 2024) allocated an additional 1 million BADGER (~$3.5 million) to a continuation restitution program running for 12 months, indicating the process extended at least through 2024–2025. A later governance proposal to allow remBADGER holders to participate in a new restitution pool failed to reach quorum as of March 2025.","heading":"Restitution Plan and DAO Governance","severity":"high","sources":[{"credibility":1,"name":"After $130M Hack, Badger's Restitution Plan Tests Limits of DAO Governance — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2021/12/16/after-130m-hack-badgers-restitution-plan-tests-limits-of-dao-governance"},{"credibility":2,"name":"BadgerDAO reveals cause behind exploit, details recovery plan — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/badgerdao-reveals-cause-behind-exploit-details-recovery-plan/"},{"credibility":2,"name":"BIP 79: Restore Governance Tokens — BadgerDAO Forum","type":"official","url":"https://forum.badger.finance/t/bip-79-restore-governance-tokens/5216"},{"credibility":2,"name":"Restitution 2.0 — BadgerDAO Forum","type":"official","url":"https://forum.badger.finance/t/restitution-2-0/6256"}]},{"content":"The BadgerDAO exploit became a widely cited case study in DeFi front-end security. Because the attack exploited web2 infrastructure rather than on-chain logic, standard smart contract audits would not have detected the vulnerability. The incident highlighted risks in API key management, the absence of multi-factor authentication on developer cloud accounts, and the danger of third-party script injection into DeFi interfaces. Microsoft and the Forta Network subsequently collaborated to build detection bots capable of identifying the 'ice phishing' approval pattern — an EOA granted approvals across multiple ERC-20 contracts — and alerting users before funds are drained. Revoke.cash maintains a public record of the exploit and offers users a tool to check and revoke malicious approvals from that event. The hack was ranked among the five largest DeFi exploits of 2021.","heading":"Security Lessons and Industry Impact","severity":"medium","sources":[{"credibility":1,"name":"'Ice Phishing' on the Blockchain — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/"},{"credibility":2,"name":"How to Derail a 120-Million-Dollar Hack — Forta Network","type":"research","url":"https://forta.org/blog/how-to-derail-a-120-million-dollar-hack"},{"credibility":2,"name":"2021 BadgerDAO Frontend Hack: Check If You're Affected — Revoke.cash","type":"research","url":"https://revoke.cash/exploits/badger"}]},{"content":"BadgerDAO was launched in September 2020 by Chris Spadafora, Ameer Rosic, Albert Castellana, and Alberto Cevallos, with a mainnet launch on December 3, 2020. The protocol's stated mission was to bring tokenized Bitcoin into Ethereum-based DeFi through yield-generating vaults. In March 2021, BadgerDAO received a $21 million direct investment from venture capital firms into its treasury, coinciding with the protocol exceeding $1 billion in total value locked. At the time of the exploit in December 2021, the protocol was a significant participant in the Bitcoin-on-Ethereum DeFi ecosystem. The exploit caused a severe collapse in TVL and BADGER token price. Founder Spadafora later announced eBTC, a decentralized Bitcoin product powered by Ethereum staking, in February 2023.","heading":"BadgerDAO Protocol Background","severity":"low","sources":[{"credibility":2,"name":"BadgerDAO — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/badgerdao"},{"credibility":2,"name":"Chris Spadafora — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/chris-spadafora"},{"credibility":2,"name":"What is Badger DAO? — Kraken","type":"other","url":"https://www.kraken.com/learn/what-is-badger-dao"}]}],"sources_used":[{"credibility":1,"name":"BadgerDAO Reveals Details of How It Was Hacked for $120M — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m"},{"credibility":1,"name":"Badger DAO Protocol Suffers $120M Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/12/02/badger-dao-protocol-suffers-10m-exploit"},{"credibility":1,"name":"After $130M Hack, Badger's Restitution Plan Tests Limits of DAO Governance — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2021/12/16/after-130m-hack-badgers-restitution-plan-tests-limits-of-dao-governance"},{"credibility":1,"name":"DeFi Platform BadgerDAO Says Cloudflare Flaw Led to $130 Million Crypto Heist — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2021-12-10/badgerdao-says-cloudflare-flaw-led-to-130-million-heist"},{"credibility":1,"name":"'Ice Phishing' on the Blockchain — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/"},{"credibility":1,"name":"DeFi protocol BadgerDAO exploited for $120 million in front-end attack — The Block","type":"news_article","url":"https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack"},{"credibility":2,"name":"Bitcoin DeFi Project BadgerDAO Hacked for $120M — Decrypt","type":"news_article","url":"https://decrypt.co/87415/bitcoin-defi-project-badgerdao-hacked-120m"},{"credibility":2,"name":"Explained: The BadgerDAO Hack (December 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-badgerdao-hack-december-2021"},{"credibility":2,"name":"Behind The Scenes of The BadgerDAO Hack — Chainalysis Podcast Ep. 6","type":"research","url":"https://www.chainalysis.com/blog/chainalysis-podcast-episode-6-badgerdao-hack/"},{"credibility":2,"name":"TRM Investigates: BadgerDAO DeFi Protocol Hacked — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/trm-investigates-badgerdao-defi-protocol-hacked"},{"credibility":2,"name":"Dec 2021 — BadgerDAO Malicious Code Injected — Quadriga Initiative Case Study","type":"research","url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"},{"credibility":2,"name":"How to Derail a 120-Million-Dollar Hack — Forta Network","type":"research","url":"https://forta.org/blog/how-to-derail-a-120-million-dollar-hack"},{"credibility":2,"name":"Celsius Network Reportedly Lost $50 Million in the $120 Million BadgerDAO Hack — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/celsius-network-reportedly-lost-50-million-in-the-120-million-badgerdao-hack/"},{"credibility":2,"name":"BadgerDAO reveals cause behind exploit, details recovery plan — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/badgerdao-reveals-cause-behind-exploit-details-recovery-plan/"},{"credibility":2,"name":"2021 BadgerDAO Frontend Hack: Check If You're Affected — Revoke.cash","type":"other","url":"https://revoke.cash/exploits/badger"},{"credibility":2,"name":"BIP 79: Restore Governance Tokens — BadgerDAO Forum","type":"official","url":"https://forum.badger.finance/t/bip-79-restore-governance-tokens/5216"},{"credibility":2,"name":"Restitution 2.0 — BadgerDAO Forum","type":"official","url":"https://forum.badger.finance/t/restitution-2-0/6256"},{"credibility":2,"name":"BIP 103 — Continue Restitution — BadgerDAO Forum","type":"official","url":"https://forum.badger.finance/t/bip-103-continue-restitution/6141"},{"credibility":2,"name":"BadgerDAO — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/badgerdao"},{"credibility":2,"name":"Chris Spadafora — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/chris-spadafora"},{"credibility":2,"name":"Hackers Steal $119M From 'Web3' Crypto Project With Old School Attack — Vice","type":"news_article","url":"https://www.vice.com/en/article/hackers-steal-dollar119m-from-web3-crypto-project-with-old-school-attack/"}],"summary":"In December 2021, BadgerDAO suffered one of the largest DeFi exploits of that year when an attacker used a compromised Cloudflare API key to inject malicious scripts into the protocol's front-end, tricking users into granting unlimited ERC-20 token approvals. Approximately $120–130 million in Bitcoin-pegged and other tokens were drained from roughly 500 user wallets, with Celsius Network reportedly the single largest victim at approximately $50–55 million. BadgerDAO subsequently engaged Mandiant and Chainalysis for forensic investigation, coordinated with U.S. and Canadian law enforcement, and initiated a multi-tranche governance-driven restitution plan that remained ongoing as of 2025.","timeline":[{"date":"2020-12-03","event":"BadgerDAO mainnet launches, offering Bitcoin yield vaults on Ethereum.","source":"IQ.wiki — BadgerDAO","source_url":"https://iq.wiki/wiki/badgerdao"},{"date":"2021-03-01","event":"BadgerDAO receives $21 million in VC investment and surpasses $1 billion in TVL.","source":"IQ.wiki — BadgerDAO","source_url":"https://iq.wiki/wiki/badgerdao"},{"date":"2021-08-01","event":"Unauthorized accounts created on Cloudflare without email verification, obtaining Global API keys without BadgerDAO engineers' knowledge.","source":"CoinDesk — BadgerDAO Reveals Details of How It Was Hacked for $120M","source_url":"https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m"},{"date":"2021-11-10","event":"Attacker begins injecting malicious scripts via Cloudflare Workers into app.badger.com using compromised API key.","source":"Quadriga Initiative Case Study","source_url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"},{"date":"2021-11-20","event":"First on-chain malicious ERC-20 approval recorded; attacker begins silently accumulating token spend authorizations.","source":"Quadriga Initiative Case Study","source_url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"},{"date":"2021-12-02","event":"Bulk drain begins at ~12:48 AM UTC. Approximately 2,100 BTC-equivalent tokens and 151 ETH drained from ~500 wallets. Community raises alarm; BadgerDAO team begins pausing contracts.","source":"DeFi protocol BadgerDAO exploited for $120 million in front-end attack — The Block","source_url":"https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack"},{"date":"2021-12-02","event":"Most BadgerDAO vaults paused by approximately 3:30 AM UTC; last malicious withdrawal occurs at 4:57 AM UTC.","source":"Quadriga Initiative Case Study","source_url":"https://www.quadrigainitiative.com/casestudy/badgerdaomaliciouscodeinjected.php"},{"date":"2021-12-10","event":"BadgerDAO and Mandiant publish technical post-mortem identifying Cloudflare API key compromise as root cause.","source":"BadgerDAO Reveals Details of How It Was Hacked for $120M — CoinDesk","source_url":"https://www.coindesk.com/business/2021/12/10/badgerdao-reveals-details-of-how-it-was-hacked-for-120m"},{"date":"2021-12-16","event":"BadgerDAO presents three-tranche restitution plan; governance proposals BIP-76 through BIP-80 published.","source":"After $130M Hack, Badger's Restitution Plan Tests Limits of DAO Governance — CoinDesk","source_url":"https://www.coindesk.com/tech/2021/12/16/after-130m-hack-badgers-restitution-plan-tests-limits-of-dao-governance"},{"date":"2022-02-16","event":"Microsoft Security Blog publishes analysis of BadgerDAO attack as a case study of 'ice phishing,' a novel front-end approval attack pattern.","source":"Ice Phishing on the Blockchain — Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/"},{"date":"2023-02-23","event":"BadgerDAO founder Chris Spadafora announces eBTC, a new decentralized Bitcoin product powered by Ethereum staking.","source":"Chris Spadafora — IQ.wiki","source_url":"https://iq.wiki/wiki/chris-spadafora"},{"date":"2024-02-10","event":"BIP 103 proposes continuation of restitution program with additional 1 million BADGER (~$3.5 million) allocation for 12 further months.","source":"BIP 103 — Continue Restitution — BadgerDAO Forum","source_url":"https://forum.badger.finance/t/bip-103-continue-restitution/6141"},{"date":"2025-03-25","event":"Governance proposal to allow remBADGER holders to participate in a new restitution pool fails to reach quorum.","source":"Restitution 2.0 — BadgerDAO Forum","source_url":"https://forum.badger.finance/t/restitution-2-0/6256"}]},"v":1}