BadgerDAO front-end attack
A DeFi protocol whose users lost about $120M on December 2, 2021 — not via a smart-contract bug but a front-end attack: a compromised Cloudflare API key let attackers inject a script that tricked users into approving malicious token allowances, then drained their wallets.
Also known as: BadgerDAO, Badger DAO, BADGER
Summary
BadgerDAO is a DeFi protocol focused on tokenized Bitcoin. On December 2, 2021, attackers stole about $120 million from its users — one of the largest DeFi losses to that point — without exploiting the protocol's smart contracts. [1][2]
Method
The attackers held a compromised Cloudflare API key for the project's account and used it to inject a malicious script into the BadgerDAO website. When a user went to transact, the script prompted the wallet to sign an ERC-20 approval granting an unlimited spending allowance to an attacker-controlled address; because the prompt came from the legitimate front end during an otherwise normal flow, it looked like one more step of the deposit. Once an allowance was granted, the attacker drained tokens from that wallet with ordinary transferFrom calls, needing no further interaction from the victim. About 500 wallets approved the malicious allowances. The Badger team halted further theft by pausing contract calls; deposits held in the smart contracts themselves were unaffected. Pausing the protocol does not undo an allowance, though: it lives in the token contract, not in the dApp, and only the token owner can revoke it by setting it back to zero. [1][2]
Bracketed numbers refer to the numbered sources listed below.
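The mechanism above, modelled as an added example (this is not BadgerDAO's code, nor the injected script): it ABI-encodes and decodes the ERC-20 approve() call a compromised front end would ask the wallet to sign, applies the check a wallet or dApp could run on the pending transaction (unknown spender, unlimited allowance), and replays approve-then-drain against a minimal in-memory token to show that pausing the dApp changes nothing and only approve(spender, 0) by the owner does. All addresses, balances and the spender allowlist are constructed for the example.

```javascript
// Added example, not BadgerDAO's code. Models the attack in the Method section:
// an injected script asks the wallet to sign approve(attacker, 2^256-1), after
// which the attacker drains the wallet with transferFrom(). All addresses and
// balances below are constructed for the example; none are real contracts.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

const TOKEN = "0x0000000000000000000000000000000000000001";    // token being approved
const VAULT = "0x1111111111111111111111111111111111111111";    // spender the dApp legitimately uses
const ATTACKER = "0x2222222222222222222222222222222222222222"; // attacker-controlled spender
const VICTIM = "0x3333333333333333333333333333333333333333";   // the user's wallet

// ABI-encode approve(spender, amount): selector || 32-byte left-padded address || uint256.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().slice(2).padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Decode approve() calldata; returns null for anything that is not a well-formed approve().
function decodeApprove(data) {
  const hex = (data || "").toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || !hex.startsWith(APPROVE_SELECTOR)) return null;
  if (/[^0]/.test(hex.slice(8, 8 + 24))) return null; // address word must be zero-padded
  return {
    spender: "0x" + hex.slice(8 + 24, 8 + 64),
    amount: BigInt("0x" + hex.slice(8 + 64)),
  };
}

// The check a wallet or dApp guard could run on an eth_sendTransaction request
// before it reaches the signer. Flags spenders the dApp never uses and unlimited allowances.
function assessApproval(tx, allowedSpenders = new Set([VAULT])) {
  const call = decodeApprove(tx.data);
  if (!call) return { isApprove: false, findings: [] };
  const findings = [];
  if (!allowedSpenders.has(call.spender)) findings.push("spender not in dApp allowlist");
  if (call.amount === MAX_UINT256) findings.push("unlimited allowance");
  return { isApprove: true, spender: call.spender, amount: call.amount, findings };
}

// Just enough of ERC-20 to show that an allowance lives in the token contract:
// the front end, compromised or paused, has no say once approve() has been mined.
class Token {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.allowances = new Map(); // key: owner|spender -> BigInt
  }
  approve(owner, spender, amount) { this.allowances.set(owner + "|" + spender, amount); }
  allowance(owner, spender) { return this.allowances.get(owner + "|" + spender) ?? 0n; }
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    const bal = this.balances.get(from) ?? 0n;
    if (allowed < amount || bal < amount) throw new Error("insufficient allowance or balance");
    if (allowed !== MAX_UINT256) this.allowances.set(from + "|" + caller, allowed - amount);
    this.balances.set(from, bal - amount);
    this.balances.set(to, (this.balances.get(to) ?? 0n) + amount);
  }
}

// Replay: injected approve(), attacker drains, then the owner revokes with approve(spender, 0).
function simulateDrain() {
  const token = new Token({ [VICTIM]: 100n });
  const injected = { to: TOKEN, data: encodeApprove(ATTACKER, MAX_UINT256) };
  const verdict = assessApproval(injected);                              // what a guard would have said
  token.approve(VICTIM, ATTACKER, decodeApprove(injected.data).amount);  // the user signed it anyway
  token.transferFrom(ATTACKER, VICTIM, ATTACKER, 100n);                  // attacker empties the wallet
  const victimBalance = token.balances.get(VICTIM);
  token.approve(VICTIM, ATTACKER, 0n);                                   // only the owner can revoke
  let revoked = false;
  try { token.transferFrom(ATTACKER, VICTIM, ATTACKER, 1n); } catch { revoked = true; }
  return { findings: verdict.findings, victimBalance, attackerBalance: token.balances.get(ATTACKER), revoked };
}
```

A legitimate deposit approves a bounded amount to the vault contract, so assessApproval() returns no findings for it; the injected request trips both checks. The allowlist is the part a real guard has to get right: it must be the set of spenders the dApp actually uses, sourced from somewhere the compromised front end cannot rewrite.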
Linked scams & cases
- Curve Finance (Vyper exploit), related project: A July 30, 2023 incident in which a compiler bug in older Vyper versions broke reentrancy protection, letting attackers drain several Curve pools and dependent protocols (Alchemix, JPEG'd, Metronome). Gross losses were ~$70M; white-hats and returns cut net losses to about $52M.
- KyberSwap, related project: A decentralized exchange drained of about $48M in November 2023 via a complex exploit of its Elastic concentrated-liquidity pools. The attacker then posted an on-chain 'treaty' demanding full executive control of the Kyber company in exchange for the funds.
- Wintermute hack
People & entities involved
Sources (2)
See also
- Loci (LOCIcoin), token: A 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT), token: A 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal', a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT), token
This page was last updated on Jun 8, 2026.