Individual Security Measures - BadgerDAO Attack

All – Some of you may have heard about the BadgerDAO hack this week (over $100M stolen). There are some good lessons about personal security that I HIGHLY recommend everyone understands. I’ve put some resources throughout the article.

What makes the BadgerDAO incident scary is they attacked the INDIVIDUAL user’s wallet and not the platform or smart contract(s). That means we as individuals need to educate ourselves and DeFi responsibly instead of just hoping the code is sound. I personally was not aware of this attack vector and would’ve been susceptible had I been involved. It has made me change how I interact and use hardware wallets in DeFi.

Essentially, if you’ve been in DeFi long enough it’s very likely that you’ve unknowingly granted unlimited access for specific smart contracts. That means these contracts can retrieve tokens directly from your wallet at a later date without a new signature! AND even if it’s on your hardware wallet. Unfortunately this is a necessary evil for many DeFi applications to work. The attacker for BadgerDAO was able to hack the front-end and prompt users to grant unrestricted access to their wallets. Most users didn’t read or understand what they were signing for, so they just approved the transaction and went on their merry way. Days later, after they’d granted access, their wallets (including if they used a hardware wallet) were liquidated.

This article describes the attack well and how to prevent it: How to revoke permissions - RugDoc Wiki.

Unfortunately there is not yet an easy way to see what permissions if any have been granted on RSK since none of the services have built out RSK compatibility yet. One of the services DeBank allows you to check what smart contracts you’ve given permission to and then revoke those permissions. I’ve messaged DeBank on Twitter and Discord to see if they would accept a Sovryn grant to build this service for RSK, so fingers crossed they will add.

Regardless, in the meantime I’d recommend if you operate on any other chains aside from RSK you plug in to DeBank or another similar app and see who you’ve given access to then disable it.

Moving forward, some general safety tips:

  • Always review what you’re signing when approving a transaction
  • If and when available revoke access to unknown smart contracts or cap the amount of any given token they can access.
  • Alternatively use two separate wallets. One that interacts with the DeFi apps, then a separate one that you store funds on which has never touched a middle-ware solution like MetaMask. Please note simply using a hardware wallet with MetaMask is insufficient.

Hope that helps, stay safe!

12 Likes
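The approval mechanism described in the post above, as an added example (this is not code from the original post or from any of the tools it links): a small Python script that folds ERC-20 `Approval` event logs, in the shape `eth_getLogs` returns them, into a wallet's current allowances, flags the unlimited ones, and ABI-encodes `approve(spender, 0)` to revoke a given spender. The event topic and function selector are the standard ERC-20 values; the owner, spender and token addresses and the three log entries are constructed sample data, not real chain data.

```python
"""Audit ERC-20 token approvals from Approval event logs and build the
calldata that revokes them. Added example, not part of the original thread."""
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte function selector of approve(address,uint256)
APPROVE_SELECTOR = "095ea7b3"
# Allowances at or above this are treated as "unlimited" (dapps usually use 2**256-1)
UNLIMITED_THRESHOLD = 2**128


@dataclass
class Allowance:
    token: str       # ERC-20 contract address
    spender: str     # contract allowed to call transferFrom on the owner's tokens
    amount: int      # current allowance in the token's base units
    block: int       # block of the approve() call that set it
    log_index: int   # position within that block, to order same-block events

    @property
    def unlimited(self) -> bool:
        return self.amount >= UNLIMITED_THRESHOLD


def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def current_allowances(logs, owner):
    """Fold Approval logs into the latest non-zero allowance per (token, spender).
    approve() overwrites rather than accumulates, so only the newest event per
    pair matters; a later approve(spender, 0) means that pair is already revoked."""
    owner = owner.lower()
    latest = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # a Transfer or other event: ignore
        if topic_to_address(topics[1]) != owner:
            continue  # approval granted by a different wallet
        entry = Allowance(
            token=log["address"].lower(),
            spender=topic_to_address(topics[2]),
            amount=int(log["data"], 16),
            block=int(log["blockNumber"], 16),
            log_index=int(log["logIndex"], 16),
        )
        key = (entry.token, entry.spender)
        prev = latest.get(key)
        if prev is None or (entry.block, entry.log_index) > (prev.block, prev.log_index):
            latest[key] = entry
    return [a for a in latest.values() if a.amount > 0]


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, address left-padded to 32 bytes,
    then a zero uint256. Sent to the token contract, this revokes the allowance."""
    addr = spender.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "00" * 32


# Constructed sample data (not real addresses or chain history).
OWNER = "0x1111111111111111111111111111111111111111"
SPENDER_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # unknown contract, unlimited
SPENDER_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"  # capped, later revoked
TOKEN = "0x2222222222222222222222222222222222222222"


def pad_topic(addr):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + addr[2:].rjust(64, "0")


SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(SPENDER_A)],
     "data": "0x" + "f" * 64, "blockNumber": "0x10", "logIndex": "0x0"},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(SPENDER_B)],
     "data": "0x" + hex(1000)[2:].rjust(64, "0"), "blockNumber": "0x11", "logIndex": "0x2"},
    # the owner revoked spender B in a later block, so it must not be reported
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(SPENDER_B)],
     "data": "0x" + "0" * 64, "blockNumber": "0x20", "logIndex": "0x1"},
]


def audit(logs, owner):
    """Return (token, spender, unlimited, revoke_calldata) for every open approval."""
    return [(a.token, a.spender, a.unlimited, revoke_calldata(a.spender))
            for a in current_allowances(logs, owner)]


if __name__ == "__main__":
    for token, spender, unlimited, data in audit(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if unlimited else "capped"
        print(f"{token} -> {spender}: {flag}; revoke via approve() calldata {data}")
```

On the sample data only spender A is reported, flagged as unlimited, together with the calldata a wallet would send to the token contract to revoke it. Against a live chain the logs would come from `eth_getLogs` filtered on the `Approval` topic with the wallet address as the second topic; the folding logic is the same.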

Good initiative! https://v2.unrekt.net/, https://revoke.cash/, https://github.com/James-Sangalli/eth-allowance might be other projects to reach out to about adding RSK / building an RSK version.

2 Likes

Awesome thanks. Posted on Unrekt TG and DM’d creator of Revoke.cash. Sangalli on first glance seems hard to get ahold of. We’ll see if we get any initial leads. Thanks!

2 Likes

Otherwise if sovryn is prepared to fund its community members, we could build it ourselves.
I’d be interested in building such a tool. I also think I have the skills needed.

3 Likes

This is really useful information. Excellent. Can’t thank you enough for the above posts. Thank you. Everyone should know about this.

I think the team has indicated they would be open to doing a bounty/grant for this. So I imagine that wouldn’t be an issue if you want to build!

I’ve spoken with the revoke.cash dev and he said the public nodes have restrictions on getLog queries. So using the current known public nodes they’re unable to make it work.

As an alternative he said we could possibly run it on our side as long as http://revoke.cash/ can connect to a node that doesn’t have any limits on historic logs. The only thing to figure out there is how to set up the authentication to the private node properly. So do we have someone who is running / is willing to run such a node and also has some idea for authentication?

https://badger.com/news/badger-security-upgrades

1 Like

Are you saying there is no way to securely do things like yield farm or is there some way to use a second hardware wallet to keep the deposited assets safe?

I’m saying if you want to be ultra secure simply keeping all funds on a hardware wallet may be insufficient because if you’ve used that HWW in a DeFi application it’s possible you granted a contract the ability to drain funds directly from your wallet.

So, you can set it up like a checking and savings account. You use one hardware wallet to interact with DeFi protocols. Then separately if you have funds not invested in yield farm or DeFi, then keep it on a separate HWW that is more or less air-gapped and has never interacted with any contracts or applications.

2 Likes