All – Some of you may have heard about the BadgerDAO hack this week (over $100M stolen). There are some good lessons here about personal security that I HIGHLY recommend everyone understands. I’ve put some resources throughout the article.
What makes the BadgerDAO incident scary is that they attacked the INDIVIDUAL user’s wallet and not the platform or smart contract(s). That means we as individuals need to educate ourselves and use DeFi responsibly instead of just hoping the code is sound. I personally was not aware of this attack vector and would’ve been susceptible had I been involved. It has made me change how I interact with and use hardware wallets in DeFi.
Essentially, if you’ve been in DeFi long enough it’s very likely that you’ve unknowingly granted unlimited access to specific smart contracts. That means those contracts can pull tokens directly from your wallet at a later date without a new signature, and that holds even if the tokens sit on your hardware wallet. Unfortunately this is a necessary evil for many DeFi applications to work. The attacker in the BadgerDAO incident was able to compromise the front-end and prompt users to grant unrestricted access to their wallets. Most users didn’t read or understand what they were signing, so they just approved the transaction and went on their merry way. Days after they had granted access, their wallets (including those using a hardware wallet) were drained.
This article describes the attack well and how to protect against it: How to revoke permissions - RugDoc Wiki.
Unfortunately there is not yet an easy way to see what permissions, if any, have been granted on RSK, since none of the services have built out RSK compatibility yet. One of those services, DeBank, lets you check which smart contracts you’ve given permission to and then revoke those permissions. I’ve messaged DeBank on Twitter and Discord to see if they would accept a Sovryn grant to build this service for RSK, so fingers crossed they will add it.
Regardless, in the meantime I’d recommend that if you operate on any chains other than RSK, you plug into DeBank or a similar app, see who you’ve given access to, and disable it.
Moving forward, some general safety tips:
- Always review what you’re signing when approving a transaction
- If and when available, revoke access to unknown smart contracts, or cap the amount of any given token they can access.
- Alternatively, use two separate wallets: one that interacts with the DeFi apps, and a separate one that you store funds on and that has never touched a middleware solution like MetaMask. Please note that simply using a hardware wallet with MetaMask is insufficient.
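To make the first two tips concrete, here is an added example (my own Node.js script, not code from the original post, RugDoc or DeBank) that decodes the calldata of an ERC-20 approve/increaseAllowance transaction so you can see the spender and amount before signing, flags the max-uint256 "unlimited" pattern, and builds the approve(spender, 0) calldata that revokes it. The spender address and sample calldata are constructed; the two function selectors are the standard ERC-20/OpenZeppelin ones.

```javascript
// Node.js, no dependencies. Decode ERC-20 approval calldata, flag the
// "unlimited" pattern, and build the revoke transaction.

// 4-byte selectors (first 4 bytes of keccak256 of the signature);
// these are the standard ERC-20 / OpenZeppelin ones.
const SELECTORS = { "095ea7b3": "approve", "39509351": "increaseAllowance" };
const MAX_UINT256 = (1n << 256n) - 1n;

// Left-pad a hex string (address or uint256) to one 32-byte ABI word.
const word = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");

// Encode approve(spender, amount); used for capped approvals and revokes.
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + word(spender) + word(amount.toString(16));
}

// Revoking is just approve(spender, 0): the allowance drops to zero.
function buildRevokeCalldata(spender) {
  return encodeApprove(spender, 0n);
}

// Decode approve/increaseAllowance calldata into { method, spender, amount }.
// Returns null for anything that is not one of those two calls.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method || hex.length !== 8 + 64 + 64) return null;
  // The address is right-aligned in its 32-byte word: skip 12 zero bytes.
  const spender = "0x" + hex.slice(32, 72);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { method, spender, amount };
}

// The "unlimited access" the post describes: amount is 2^256 - 1, so the
// spender can move every token the wallet ever holds without a new signature.
function isUnlimitedApproval(decoded) {
  return decoded !== null && decoded.amount === MAX_UINT256;
}

// Human-readable amount for review before signing (needs the token's decimals).
function formatAmount(amount, decimals) {
  if (amount === MAX_UINT256) return "UNLIMITED";
  const base = 10n ** BigInt(decimals);
  const frac = (amount % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${amount / base}.${frac}` : (amount / base).toString();
}

// Constructed sample: an unlimited approval to a made-up spender address.
const SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_UNLIMITED = encodeApprove(SPENDER, MAX_UINT256);
const decoded = decodeApproval(SAMPLE_UNLIMITED);
console.log(decoded.method, decoded.spender, formatAmount(decoded.amount, 18));
console.log("unlimited:", isUnlimitedApproval(decoded), "revoke:", buildRevokeCalldata(SPENDER));
```

Paste the "data" field shown by your wallet into decodeApproval to see who gets access and how much; if it reports UNLIMITED, reject it or sign a capped approve instead.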
Hope that helps, stay safe!