Dirty Bubble Media


An inexplicable error cost Celsius Network $22 million in restitution from the BadgerDAO hack

Leave it to the professionals: An error that shouldn't be possible if Celsius really uses Fireblocks...

Dirty Bubble Media
Jun 9
Leave it to the professionals.

On December 2nd of 2021, the decentralized autonomous organization (DAO) BadgerDAO was exploited by a phishing attack. Some 2100 BTC and 151 Ether were stolen in the attack. The largest single victim of this attack was the centralized crypto lending platform Celsius Network, which lost 896 BTC.

To compensate victims for their losses, the DAO implemented a restitution plan. First, Badger disbursed Bitcoin from their multisig out to the victims; Celsius received approximately 90 Bitcoin from this payout. Next, Badger created the “remBadger” token. Holders of the token were guaranteed a payout in Badger tokens over the next two years that would cover the remainder of the loss (assuming Badger price remained around $60). There was only one requirement: The remBadger must remain within the Badger vault. If the remBadger was withdrawn, all future restitution payments would be forfeit. Badger even included a helpful warning screen that would pop up in case someone attempted to withdraw their remBadger:

Idiot-proof, right?

Inexplicably, on March 18, 2022, Celsius Network withdrew all 901 of its allotted remBadger, worth approximately $2.1 million at the time of the transaction. Realizing their mistake, the company attempted to convince the Badger team to allow them to re-deposit in violation of the rules set forth by the BIP-80 resolution. The team informed them they would need to complete a proposal and have the community vote, per the DAO rules. A person claiming to be a representative of “the affected company” in the Badger Discord group stated that Celsius did not know about these rules. He also stated that this error was “a human error involving one member of the team.” (We will come back to this in a bit.)

“We broke the rules, but…”

Celsius put forward proposal BIP-91, which would change the rules to allow them to re-deposit the remBadger:

Our intent was to break the rules. We broke the rules. We now want to change those rules after the fact.

Unfortunately for Celsius Network, the BadgerDAO took the “code is law” ethos of DeFi seriously, and the proposal was voted down 89% to 11%. This means that Celsius Network walked away from BadgerDAO with 89 Bitcoin and approximately $2.1 million in Badger tokens. Using the valuation of Bitcoin today (approximately $30,000), this means Celsius ended up realizing a loss of approximately $22 million.

This loss is concerning for a few reasons:

  • On Twitter and in AMAs, Celsius Network CEO Alex Mashinsky has claimed that Celsius would be fully reimbursed for this loss. Had they continued to hold remBadger per the rules of the DAO, this may have been possible. However, Celsius now must recognize the loss of about 80% of their original position.

    “Close to full recovery” is now recovery of <20%
  • Celsius often brags about its professionalism. Mr. Mashinsky often argues that self-custody of one’s assets is more risky than entrusting those assets to companies like Celsius. But how professional is it to lose $22 million in one unforced error?

    You hacked yourself, dawg
  • Celsius claims to use Fireblocks. This should make it impossible for a single employee to access and move funds from Celsius wallets and positions. Yet, according to a Celsius representative, this error was the fault of “one member of the team.” Either this was a lie, or Fireblocks was not implemented in this circumstance…

But perhaps we should just leave these issues to the professionals.

2 Comments

Mac
Jun 17

Cheers, you done any work on Ledn? What are your thoughts?

Blocks Law
Writes Block's Law Jun 13

Excellent work.

© 2022 Dirty Bubble Media