Yesterday, BadgerDAO users had $120 million stolen when the platform was hacked. The current theory is that the attackers injected malicious scripts into the site's front end through Cloudflare. Those scripts altered the transactions the website asked users to sign so that funds went to the attacker's wallet instead of the protocol.
Here are some tips for avoiding these hacks:
Always Review The Transaction Details
Below is a sample MetaMask transaction confirmation dialog. Note that the dialog shows the network (Ethereum Mainnet), the action (GET REWARD), and the total amount of the transaction, 0.014 ETH.
Always review these transaction details to confirm the action is what you expected.
Here is another confirmation dialog:
Note that this confirmation is on the Binance Smart Chain, the action is DEPOSIT, and the total amount is 0.0019 BNB.
Always review the chain, the action, and the amount.
Remember that DeFi is just smart contract code: every transaction you sign is a call to a contract, and the confirmation dialog lets you see the method being executed and the parameters passed to it. A transaction that calls a method or targets an address you did not expect is one you should reject.
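The review described above can be done mechanically. The following is an added example, not code from the original post or from MetaMask: it decodes the raw transaction data for the four standard ERC-20 calls (transfer, approve, increaseAllowance, transferFrom) and flags the two things a reviewer should refuse, a recipient or spender outside the contracts you expect, and an unlimited approval. The selectors are the standard ones for those signatures; the addresses and calldata at the bottom are constructed placeholders.

```javascript
// Added example, not from the original post or MetaMask. Decodes ERC-20
// calldata and reviews it. Only the four standard selectors below are decoded;
// anything else is reported as an unknown selector rather than guessed at.
const SELECTORS = {
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "39509351": { name: "increaseAllowance", params: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", params: ["address", "address", "uint256"] },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split calldata into the 4-byte selector and 32-byte ABI words, decoding
// each word according to the parameter list registered for that selector.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length < 8) {
    throw new Error("calldata is not valid hex or is shorter than a selector");
  }
  const selector = data.slice(0, 8);
  const abi = SELECTORS[selector];
  if (!abi) return { selector: "0x" + selector, name: null, args: [] };
  const body = data.slice(8);
  if (body.length !== abi.params.length * 64) {
    throw new Error(`expected ${abi.params.length} 32-byte arguments for ${abi.name}`);
  }
  const args = abi.params.map((type, i) => {
    const word = body.slice(i * 64, i * 64 + 64);
    if (type === "address") {
      // An address occupies the low 20 bytes of its word; the 12 high bytes must be zero.
      if (!word.startsWith("0".repeat(24))) throw new Error("address word has non-zero padding");
      return "0x" + word.slice(24);
    }
    return BigInt("0x" + word);
  });
  return { selector: "0x" + selector, name: abi.name, args };
}

// Flag what a careful reviewer should refuse to sign: a counterparty that is not
// one of the contracts you expect, and an unlimited approval, which lets the
// spender move the entire token balance at any later time.
function reviewCalldata(hex, expectedAddresses) {
  const decoded = decodeCalldata(hex);
  const warnings = [];
  if (!decoded.name) {
    warnings.push(`unknown function selector ${decoded.selector}`);
    return { ...decoded, warnings };
  }
  const expected = new Set(expectedAddresses.map((a) => a.toLowerCase()));
  // transferFrom(from, to, amount): the party receiving value is the second argument.
  const counterparty = decoded.name === "transferFrom" ? decoded.args[1] : decoded.args[0];
  if (!expected.has(counterparty)) {
    warnings.push(`${decoded.name} targets unexpected address ${counterparty}`);
  }
  const amount = decoded.args[decoded.args.length - 1];
  if ((decoded.name === "approve" || decoded.name === "increaseAllowance") && amount === MAX_UINT256) {
    warnings.push("unlimited approval requested");
  }
  return { ...decoded, warnings };
}

// Constructed samples (placeholder addresses, not real contracts).
const word = (hexNoPrefix) => hexNoPrefix.padStart(64, "0");
const PLACEHOLDER_SPENDER = "0x" + "11".repeat(20);
const PLACEHOLDER_CONTRACT = "0x" + "cc".repeat(20);
// approve(PLACEHOLDER_SPENDER, 2^256-1): an unlimited approval to an address you did not expect.
const SAMPLE_APPROVE = "0x095ea7b3" + word(PLACEHOLDER_SPENDER.slice(2)) + "f".repeat(64);
// transfer(PLACEHOLDER_CONTRACT, 1000): a bounded transfer to a known contract.
const SAMPLE_TRANSFER = "0xa9059cbb" + word(PLACEHOLDER_CONTRACT.slice(2)) + word((1000).toString(16));

console.log(reviewCalldata(SAMPLE_APPROVE, [PLACEHOLDER_CONTRACT]).warnings);
console.log(reviewCalldata(SAMPLE_TRANSFER, [PLACEHOLDER_CONTRACT]).warnings);
```

The allowlist of expected addresses is the part you supply: the verified contract addresses of the platform you intend to use. Anything that is not on it, or any approval for the maximum amount, is a transaction to reject even if the website's own UI looks normal.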
Use the MetaMask Blacklist
You may not use MetaMask for DeFi, but even if you don't, you should install the extension because it has a built-in phishing blacklist that warns you before a known-malicious site loads. This blacklist protects against many scams, such as malicious Bitcoin paper wallet sites, not just Ethereum scams.
Use a Hardware Wallet with DeFi
Don't use a browser extension like MetaMask to store large sums of money. You can connect a Trezor or Ledger hardware wallet to MetaMask for DeFi; the private keys then never leave the device, and each transaction must be confirmed on the device itself.
Remember that any software running on your computer may be able to read MetaMask's datastore, which holds your encrypted vault.
If you reuse your MetaMask password anywhere it can leak, stealing your keys becomes trivial: the vault is only as strong as the password that encrypts it.
Confirm the Contract Address on CoinMarketCap or CoinGecko
Anyone can create a token on ETH/BSC/AVAX. A common scam is a counterfeit copy of a real coin that reuses the real coin's name and symbol at a different contract address.
On Uniswap, you can use the default token list:
Or specify custom tokens:
Malicious exchanges and token sites may prompt you to add fake contracts to Uniswap or other DEXes.
Be aware that you can name a token anything you want on ETH/BSC/AVAX and other chains, so the name and symbol prove nothing; only the contract address identifies the token.
Double-check that you're buying the real token by comparing the contract address the site gives you with the one listed on https://coinmarketcap.com/ or CoinGecko.
Click the MetaMask icon to add the contract to MetaMask.
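The comparison above is the same one a token list lets you automate. The following is an added example, not code from the original post or from Uniswap: it checks a token a site asks you to add against a list in the Uniswap token-list format (one entry per token with chainId, address, symbol, name and decimals, the format behind the default list in the Uniswap UI) and distinguishes a listed token from a counterfeit (same symbol, different address), a right address on the wrong chain, and an unknown token. The list and every address in it are constructed placeholders, not real contracts.

```javascript
// Added example, not from the original post or Uniswap. The list below is a
// constructed placeholder in the Uniswap token-list shape; the addresses are not real.
const TOKEN_LIST = {
  name: "Constructed example list",
  tokens: [
    { chainId: 1, address: "0x" + "aa".repeat(20), symbol: "WBTC", name: "Wrapped BTC", decimals: 8 },
    { chainId: 1, address: "0x" + "ee".repeat(20), symbol: "USDC", name: "USD Coin", decimals: 6 },
    { chainId: 56, address: "0x" + "bb".repeat(20), symbol: "WBTC", name: "Wrapped BTC", decimals: 18 },
  ],
};

// Classify the (chainId, address, symbol) a dapp presents. Addresses are compared
// case-insensitively because the same address may appear checksummed or lowercase.
function checkToken(list, candidate) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(candidate.address)) {
    return { verdict: "malformed", listed: null };
  }
  const addr = candidate.address.toLowerCase();
  const symbol = candidate.symbol.toUpperCase();
  const sameChain = list.tokens.filter((t) => t.chainId === candidate.chainId);

  // Only the address identifies a token; a match here is the real contract.
  const byAddress = sameChain.find((t) => t.address.toLowerCase() === addr);
  if (byAddress) return { verdict: "listed", listed: byAddress };

  // A listed address, but for a different chain: the deployment on this chain
  // is a different contract, so this is most likely a wrong-network mistake.
  const otherChain = list.tokens.find((t) => t.address.toLowerCase() === addr);
  if (otherChain) return { verdict: "wrong-chain", listed: otherChain };

  // Name and symbol are free-form: a listed symbol on this chain at an
  // unlisted address is the counterfeit pattern.
  const bySymbol = sameChain.find((t) => t.symbol.toUpperCase() === symbol);
  if (bySymbol) return { verdict: "counterfeit", listed: bySymbol };

  return { verdict: "unknown", listed: null };
}

// Constructed prompts, as a site might present them.
const PROMPTS = [
  { chainId: 1, address: "0x" + "AA".repeat(20), symbol: "WBTC" },
  { chainId: 1, address: "0x" + "cc".repeat(20), symbol: "WBTC" },
  { chainId: 1, address: "0x" + "bb".repeat(20), symbol: "WBTC" },
  { chainId: 1, address: "0x" + "dd".repeat(20), symbol: "FOO" },
];
for (const p of PROMPTS) console.log(p.symbol, p.address, "=>", checkToken(TOKEN_LIST, p).verdict);
```

"Unknown" is not a pass: it only means the list has no opinion, which is exactly the case where you go to CoinMarketCap or CoinGecko and compare the address by hand.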
Separate Trading Wallets from Cold Storage Wallets
If you plan to leave a lot of crypto in cold storage and use a fraction for trading, consider setting up a separate passphrase wallet just for DeFi. This limits your exposure in case of hacks.
In the BadgerDAO hack, a single wBTC address was emptied of 896 Bitcoin. I'm guessing that not all 896 BTC were intended to be used with BadgerDAO. The owner of those coins probably used a shared wallet for multiple platforms. If they had limited the wallet's balance to the coins intended for BadgerDAO, they could have minimized the loss.
MetaMask makes it easy to switch between different hidden wallets: