On Wednesday, Badger DAO was hacked. It is believed that hackers exploited the Badger.com website, not the protocol. Badger website users reported their browser wallets made additional requests for permissions. Users who granted permission to these additional requests lost their Bitcoin and Ethereum in the hack. Blockchain analytics firm PeckShield estimates the total loss at $120 million in Bitcoin and Ethereum (2,100 BTC and 151 ETH).
Nexus Mutual is the largest DeFi insurance company providing smart contract coverage. Badger purchased coverage for hacks from Nexus Mutual, but this hack is not covered by their policy. Nexus Mutual doesn't cover "front end attacks," meaning attacks on the user interface of a website or mobile app. DeFi insurance covers smart contract hacks and bank runs, but not attacks on the user interface. Hugh Karp explains: "In short, this is an uninsurable event. If it was covered, it would be trivial for anyone to create a fraudulent claim." Most Nexus policies cover smart contract bugs, oracle hacks, and governance attacks.
In response to the hack, Badger paused all smart contracts on Wednesday night to prevent withdrawals. Badger tweeted on Friday that it is working with forensics firms Chainalysis and Mandiant to "understand the full scale of the incident and to work towards remedial action." There is still no timeline for reactivating smart contracts. Badger's website has a new banner that reads: "A recent exploit led some BadgerDAO users to approve a malicious contract that resulted in a loss of funds."
Badger investors' BTC and ETH that have not been stolen are now locked up until Badger can fix this issue. Other companies have also been affected by the hack. Celsius, a crypto lender, confirmed that it lost money in the Badger DAO hack. Celsius was quick to point out that this was a "Badger hack," and that Celsius will cover its users' losses. Celsius is rumored to have lost 900 BTC ($50 million).