Another month, another DeFi hack. It’s now BadgerDAO’s turn, with the bitcoin-bridging DeFi protocol suffering an exploit that resulted in around $120 million in funds being withdrawn without authorization. The hack is yet another blow to DeFi’s security reputation, particularly at a time when other factors are already creating headwinds for the broader cryptocurrency market.
In this case, BadgerDAO’s troubles stem not from its own protocols, but from its frontend UI, which is hosted by the centralized provider Cloudflare. According to the BadgerDAO team, a malicious script was injected into the frontend via their Cloudflare API key, and the hackers then used this script to intercept transactions and transfer funds. BadgerDAO has even tried directly pleading with the responsible parties to restore the cryptocurrencies taken because of the exploit.
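The failure mode described above, a script added to a frontend that the team did not ship, can be caught by comparing what the hosting provider actually serves against the build the team produced. The following is an added example, not code from the article, from BadgerDAO or from Cloudflare: it parses the served HTML, hashes every inline script, checks that external scripts come from an allowlisted origin and carry a Subresource Integrity attribute, and reports anything that was not in the known-good build. The HTML samples, the `.invalid` hostnames and the `sha256-PLACEHOLDER` integrity value are constructed for illustration.

```python
"""Added example (not from the article): detect scripts injected into a dapp's
served frontend by diffing it against a known-good build.  All sample HTML,
hostnames and hash values below are constructed for illustration."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as (attributes, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (attrs dict, inline body string)
        self._current = None   # attrs of the <script> currently being read
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = dict(attrs)
            self._body = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so buffer it here.
        if self._current is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append((self._current, "".join(self._body)))
            self._current = None


def scripts_in(html: str):
    collector = _ScriptCollector()
    collector.feed(html)
    return collector.scripts


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_from_build(build_html: str) -> set:
    """Hashes of the inline scripts the build is expected to contain.
    Computed once from the build artifact, not from what the CDN serves."""
    return {sha256_hex(body) for attrs, body in scripts_in(build_html)
            if "src" not in attrs}


def find_unexpected_scripts(served_html: str, allowed_inline_hashes: set,
                            allowed_origins: set) -> list:
    """Return human-readable findings for scripts that deviate from the build.
    allowed_origins holds 'scheme://host' values external scripts may use."""
    findings = []
    for attrs, body in scripts_in(served_html):
        src = attrs.get("src")
        if src is None:
            digest = sha256_hex(body)
            if digest not in allowed_inline_hashes:
                findings.append(f"unexpected inline script sha256={digest[:16]}...")
            continue
        parsed = urlparse(src)
        if parsed.netloc:
            origin = f"{parsed.scheme}://{parsed.netloc}"
            if origin not in allowed_origins:
                findings.append(f"external script from unexpected origin {origin}")
        if "integrity" not in attrs:
            findings.append(f"external script {src} has no integrity attribute")
    return findings


# Constructed sample: the frontend exactly as the team's build pipeline emitted it.
GOOD_HTML = """<html><head>
<script src="https://app.example.invalid/static/app.js"
        integrity="sha256-PLACEHOLDER"></script>
<script>window.__APP_CONFIG__ = {chainId: 1};</script>
</head><body></body></html>"""

# Constructed sample: the same page as served after tampering at the host,
# with one extra inline script and one extra external script added.
TAMPERED_HTML = GOOD_HTML.replace(
    "</head>",
    '<script>console.log("constructed sample of an unexpected script");</script>\n'
    '<script src="https://unknown-cdn.invalid/x.js"></script>\n</head>')

ALLOWED_ORIGINS = {"https://app.example.invalid"}

if __name__ == "__main__":
    baseline = baseline_from_build(GOOD_HTML)
    print("clean build:", find_unexpected_scripts(GOOD_HTML, baseline, ALLOWED_ORIGINS))
    for finding in find_unexpected_scripts(TAMPERED_HTML, baseline, ALLOWED_ORIGINS):
        print("ALERT:", finding)
```

The baseline has to come from the build artifact itself, not from a fetch of the live site, because in an incident of this kind the served HTML is precisely what has been altered. Subresource Integrity on its own does not cover this case either: it protects the external files a page references, but a host that can rewrite the page can simply add a script tag without an integrity attribute, which is why the check above flags the missing attribute as well as the unknown origin.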
The BadgerDAO hack highlights that one of the biggest security vulnerabilities affecting supposedly decentralized applications is their reliance on centralized web hosting. Aware of this deficiency, blockchain protocols such as the Internet Computer aim to provide a blockchain-based alternative to the web that’s decentralized on the backend, where data is hosted and queried, as well as on the frontend, where users interact with a website.
“The BadgerDAO attack highlights the dangers of hosting on traditional servers that can be intercepted by hackers as opposed to a Web3 blockchain,” says Max Chamberlin, who leads product development and strategy for the InfinitySwap trading protocol. “Any attacker who can control the server can spoof a front-end website that appears to be an exchange like BadgerDAO or Uniswap, but in reality is an attacker’s snare. Websites on the Internet Computer, in contrast, can be built in a way where the core logic is unchanging, thereby reducing the attack surface for hackers.”
Web3 vs. Web 2.0
It’s ironic that much of the public perceives blockchain technology as risky, while familiar Web 2.0 technology is regarded as tried-and-tested against security threats. In fact, the BadgerDAO hack illustrates how the opposite is often the case, where Web 2.0 technology provides the attack vector.
The recent exploit didn’t only harm BadgerDAO’s reputation: roughly $54 million in bitcoin stolen during the hack belonged to the Celsius Network lending protocol. This reflects how the cryptocurrency sector as a whole can be victimized by its continuing reliance on centralized providers like Cloudflare and Amazon Web Services. Even an AWS outage can cripple a decentralized exchange, as recently happened to dYdX.
BadgerDAO is far from alone among dapps in using a big corporate provider for its frontend user interface. Uniswap, SushiSwap, Compound, and other leading DeFi platforms similarly rely on the centralized cloud for their frontend interfaces. This dependence exposes numerous DeFi platforms to various risks.
But blockchain technology and the principles of decentralization can help reduce crypto’s attack surface and prevent BadgerDAO-style hacks by giving dapps an alternative to centralized cloud-based Web 2.0 services.
This was partly the inspiration behind the Internet Computer blockchain, a “world computer” that is optimized for Web3. Developed by the not-for-profit DFINITY Foundation, the Internet Computer is conceived as a blockchain development tech stack for dapps, dispensing with traditional IT like firewalls and cloud providers.
In addition to processing transactions and running smart contracts, the Internet Computer provides the decentralized web infrastructure on which dapps and interfaces run. It uses a distributed network of subnets, which are essentially mini-blockchains, to process the data from “canister” smart contracts needed to host and operate websites and web-based services. The blockchain’s integration of the WebAssembly standard allows the smart contract code to run directly in the browser.
Running web services and dapps solely on a decentralized network, without needing to call on Amazon or Cloudflare to host them, removes the possibility that a bad actor could discover a bug or vulnerability in centralized services, or in the APIs that a dapp uses to communicate with those services.
“With the advent of Chain Key cryptography, which is essentially a distributed cryptographic key signing service, we have added security for Bitcoin on the Internet Computer,” notes Chamberlin. “No longer do we need hot wallets running on hackable servers to guard your assets — everything can run directly from a provably secure blockchain. At InfinitySwap, we’re excited to see how BTC will migrate to the Internet Computer as a result of its security properties.”
The principle of decentralizing dapps not only where their data is hosted but also where users interact with them is simple, and the security advantages are clear. Blockchain-based services running directly over the web can ultimately help eliminate costly Web 2.0 vulnerabilities in DeFi while protecting and growing the crypto ecosystem as a whole.