• BadgerDAO smart contracts remain paused following website exploit that cost users $120 million, as community pursues investigation and reaches out to the thief in hopes of striking a deal
  • BitMart Exchange suffered an even larger loss after two hot wallet private keys were compromised

A bitcoin-focused DeFi protocol, BadgerDAO, had its web server compromised for roughly two weeks, allowing an unknown attacker to surreptitiously steal millions of dollars worth of digital assets from users of the platform, Blockworks reported.

On Sunday, representatives of the DAO attempted to contact the party responsible for the theft using a message published in a transaction on the Ethereum network and on Twitter:

According to a website set up to provide updates on the case, the group has enlisted blockchain forensic analysis platform Chainalysis and cybersecity firm Mandiant, to help with the investigation. The latest update said that BadgerDAO’s DeFi services remain temporarily shut down:

“Smart Contracts have not yet been reactivated and therefore users remain unable to deposit, claim rewards, or withdraw from either the Badger app (app.badger.com) or at the smart contract level. Badger is working to ensure that the smart contracts can be safely reactivated without further risk to funds.”

The system has a “Guardian” role, that has permission to pause the DeFi strategies employed by the protocol, which is “intended to be a trusted party that can act fast in emergency situations,” according to the Badger.com documentation. The Guardian is controlled by a developer multi-signature wallet, whose five members are elected by the DAO’s BADGER token holders. Any single member of the multisig can pause the smart contracts, but it requires three out of the five signers to reactivate them.

Security company PeckShield reports the total loss to BadgerDAO’s users at $120.3 million, based primarily on the theft of 2,100 BTC and 151 ETH. The largest affected user of the protocol has been linked to cryptocurrency lending platform Celsius.

BitMart Exchange loses $200 million in breach

Sheldon Xia, founder and CEO of the centralized exchange BitMart.com, revealed on Sunday that two of the exchange’s hot wallets were compromised in a security breach that saw upwards of $150 million in assets disappear on the Ethereum and Binance Smart Chain networks.

Xia said that an exchange private key was used to withdraw the funds, and pledged via Twitter, to make users whole.

“BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed.”

PeckShield, which initially pointed out a pattern of suspicious transactions early Sunday morning, has estimated the loss, comprised of a variety of small cap tokens, as totaling $200 million.

Get the day’s top crypto news and insights delivered to your inbox every evening. Subscribe to Blockworks’ free newsletter now.

  • Macauley was an editor and content creator in the professional chess world for 14 years, prior to joining Blockworks. At Bucerius Law School (Master in Law and Business, 2020) he researched stablecoins, decentralized finance and central bank digital currencies. He also holds an MA in Film Studies; film credits include Associate Producer of the 2016 Netflix feature documentary, "Magnus" about World Chess Champion Magnus Carlsen. He is based in Germany. Contact Macauley via email at [email protected] or on Twitter @yeluacaM