A disappointing week of exploits has cast a grim cloud over the end of 2021, with BadgerDAO and Huobi-listed MonoX suffering major losses.
More than $150 million has been lost this week in separate security breaches at DeFi projects MonoX and BadgerDAO.
Multi-chain decentralized exchange (DEX) MonoX (MONO) suffered a cyber attack on Nov. 30 leading to about $31 million in losses. BadgerDAO (BADGER) suffered a front-end attack that was discovered on Dec. 2 with estimates of Badger’s losses hitting more than $120 million.
The MonoX DEX platform suffered a single attack on Nov. 30. In this attack, a bug in the smart contract allowed a discrepancy between asset prices to arise when those prices were manually changed.
Rekt News explained that hackers were able to inflate the price of MONO via the smart contract, then buy up other assets from the protocol with MONO.
“The hacker created a loop in which the price of tokenOut would overwrite the price of tokenIn, pumping the price of MONO over the course of many ‘swaps.’”
The MonoX team confirmed as much in a Nov. 30 tweet. In a postmortem published on Dec. 2, total losses were confirmed at about $31 million. The team added:
“Days like yesterday are horrible, there is no sugarcoating the harsh reality of a contract being exploited and people losing money. Our supporters put their faith in a new project like us, and yesterday we let them down.”
MONO had been listed on Huobi only five days before the hack on MonoX.
The Badger security breach was an ongoing threat to users interacting with Badger DAO’s platform rather than a single large exploit.
Discord users began reporting unusual spend requests from the Badger platform and alerted admins on social media and on Discord as early as Nov. 27.
Admin Blackbear responded that the request was unusual, but likely caused by a benign bug in the front-end user interface (UI).
So someone on the $BADGER discord flagged the Increase Allowance exploit on the Badger UI a few days ago. Sadly, the team brushed it aside.
— 0xMoves (@0xMoves) December 2, 2021
The supposed UI bug turned out to be the attacker attempting to steal funds from that user’s withdrawal. The same tactic was used on random users for days, or even weeks, before it was recognized as a security breach.
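The unexpected allowance requests users reported are the kind of signal a monitoring team can screen for on-chain. The following is an added example (not Badger's code) that decodes raw ERC-20 Approval logs and flags approvals to spenders outside the protocol's allowlist or for unlimited amounts; the addresses, allowlist and log records are constructed, and the only real constant is the standard Approval event topic hash.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_THRESHOLD = 2 ** 255  # injected approvals typically ask for an effectively unlimited allowance
# Spenders the protocol's own front end legitimately asks users to approve (constructed placeholders).
KNOWN_SPENDERS = {"0x" + "11" * 20, "0x" + "22" * 20}

@dataclass
class Approval:
    token: str
    owner: str
    spender: str
    value: int

def decode_approval(log: Dict) -> Optional[Approval]:
    """Decode a raw eth_getLogs entry; None if it is not an ERC-20 Approval event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    # Indexed address topics are left-padded to 32 bytes; the address is the last 20 bytes.
    owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])
    return Approval(log["address"].lower(), owner, spender, int(log["data"], 16))

def classify(a: Approval, known_spenders=KNOWN_SPENDERS) -> List[str]:
    """Reasons an approval deserves review; an empty list means it looks expected."""
    reasons = []
    if a.spender not in known_spenders:
        reasons.append("spender not in protocol allowlist")
    if a.value >= UNLIMITED_THRESHOLD:
        reasons.append("unlimited allowance")
    return reasons

def suspicious_approvals(logs, known_spenders=KNOWN_SPENDERS) -> List[Tuple[Approval, List[str]]]:
    flagged = []
    for a in filter(None, map(decode_approval, logs)):  # skip non-Approval events
        reasons = classify(a, known_spenders)
        if reasons:
            flagged.append((a, reasons))
    return flagged

_topic = lambda addr: "0x" + addr[2:].rjust(64, "0")  # left-pad an address to a 32-byte topic

# Constructed sample logs: a normal vault approval, an injected unlimited approval to an
# unknown externally owned account, and an unrelated event that must be ignored.
TOKEN, USER, VAULT, ATTACKER = ("0x" + b * 20 for b in ("cc", "aa", "11", "dd"))
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(USER), _topic(VAULT)], "data": f"0x{10**11:064x}"},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(USER), _topic(ATTACKER)], "data": "0x" + "ff" * 32},
    {"address": TOKEN, "topics": ["0x" + "00" * 32, _topic(USER), _topic(VAULT)], "data": "0x0"},
]
```

Running `suspicious_approvals(SAMPLE_LOGS)` returns only the second record, flagged for both an unknown spender and an unlimited allowance.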
At the time of writing, losses from the Badger attack amounted to over $120 million, including 2078.76 BTC, 30.27 ibBTC and 151.32 ETH, according to blockchain analytics company PeckShield. The Badger team has been investigating the issue and has paused all smart contracts on the protocol to avoid any further losses.