DeFi projects MonoX and BadgerDAO have both suffered security breaches this week, resulting in losses of more than $150 million.
MonoX (MONO) suffered a cyber attack on Nov. 30 that resulted in approximately $31 million in losses. According to BadgerDAO (BADGER), losses of more than $120 million have been attributed to a front-end attack that was discovered on December 2.
“As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals,” the company wrote in a Twitter post. “Our investigation is ongoing and we will release further information as soon as possible.”
MonoX $31 Million Stolen
The MonoX DEX platform suffered the attack on November 30th. A bug in the smart contract allowed a disparity to exist between the prices of assets when they were manually modified in this attack.
According to Rekt News, hackers were able to raise the price of MONO via the smart contract and then use MONO to purchase other assets on the network.
“The hacker created a loop in which the price of tokenOut would overwrite the price of tokenIn, pumping the price of MONO over the course of many ‘swaps.’”
“Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money. Our supporters put their faith in a new project like us, and yesterday we let them down.”
MonoX acknowledged the bug and stated on its blog:
The exploit was caused by a smart contract bug that allows the sold and bought token to be the same. In the case of the attack, it was our native MONO token. When a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract.
Igor Igamberdiev, a security researcher on Twitter, decoded the stolen tokens. The hackers allegedly stole:
- 5.7M MATIC ($10.5M)
- 3.9k WETH ($18.2M)
- 36.1 WBTC ($2M)
- 1.2k LINK ($31k)
- 3.1k GHST ($9.1k)
- 5.1M DUCK ($257k)
- 4.1k MIM ($4.1k)
- 274 IMX ($2k)
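The same-token swap bug that MonoX describes above can be illustrated with a simplified model, shown with the missing check switched off and on. This is an added example, not MonoX's contract code: the pool structure, the pricing formula, the function names and the sample values are all assumptions made for illustration.

```python
# Simplified model, constructed for illustration (not MonoX's contract or formula).
from dataclasses import dataclass


@dataclass
class Pool:
    price: float    # price of the token in the pool's unit of account
    reserve: float  # tokens held by the pool


def swap(pools, token_in, token_out, amount_in, reject_same_token=True):
    """Swap amount_in of token_in for token_out and update both pool prices."""
    if amount_in <= 0:
        raise ValueError("amount_in must be positive")
    # The guard the vulnerable contract lacked: a swap needs two distinct tokens.
    if reject_same_token and token_in == token_out:
        raise ValueError("tokenIn and tokenOut must differ")
    p_in, p_out = pools[token_in], pools[token_out]
    # Both new prices are derived from the pre-swap state.
    new_in_price = p_in.price * p_in.reserve / (p_in.reserve + amount_in)
    value = amount_in * new_in_price
    amount_out = p_out.reserve * value / (p_out.price * p_out.reserve + value)
    new_out_price = p_out.price * p_out.reserve / (p_out.reserve - amount_out)
    # Two independent writes. If p_in and p_out are the same pool, the second
    # write (the raised "bought" price) overwrites the first (the lowered
    # "sold" price), so the token's price only ever goes up.
    p_in.price, p_in.reserve = new_in_price, p_in.reserve + amount_in
    p_out.price, p_out.reserve = new_out_price, p_out.reserve - amount_out
    return amount_out


def self_swap_prices(rounds, reject_same_token):
    """Price history of a token swapped against itself `rounds` times."""
    pools = {"MONO": Pool(price=1.0, reserve=1000.0)}  # constructed sample values
    prices = [pools["MONO"].price]
    for _ in range(rounds):
        swap(pools, "MONO", "MONO", 100.0, reject_same_token)
        prices.append(pools["MONO"].price)
    return prices


if __name__ == "__main__":
    print("without check:", [round(p, 4) for p in self_swap_prices(5, False)])
    try:
        self_swap_prices(1, True)
    except ValueError as err:
        print("with check   :", err)
```
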
BadgerDAO $120 Million Stolen
Customers of BadgerDAO on Discord apparently informed admins on November 27th of strange spend requests. In response to the unexpected request, Admin Blackbear said it was most likely due to a minor fault in the front-end interface (UI).
Hackers targeted Ethereum’s protocol at contract address 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 to steal $120 million; however, BadgerDAO has not yet confirmed the precise amount.
All smart contracts on the site have been halted to prevent additional withdrawals, according to a tweet from the platform.
PeckShield Inc., an analytics and blockchain security firm, has broken down the stolen funds, as displayed in the screenshot below.