Celsius lost $54 million Bitcoin by using MetaMask for customer funds

On-chain data suggests Celsius Network lost $54 million worth of Bitcoin during last week’s hack on high-yield protocol BadgerDAO, which saw $115 million worth of digital assets taken.

Hackers extracted 896 Wrapped Bitcoin (WBTC) from a MetaMask wallet that a Celsius employee (presumably CEO Alex Mashinsky) was using to interact with BadgerDAO’s website.

Industry insiders were quick to question why it used MetaMask to handle client funds.

Other Twitter users had questions about the hack, too.

“Seems to be a very costly way to generate yield in hindsight,” said one Celsius customer. “Who will be absorbing the losses? Celsius or users?”

Another customer reacted to the incident with sarcasm: “Their business model is great. They let their users take all the risks, and if something goes wrong, well, not our fault.”

Celsius has admitted it lost money during the hack, but has not specified the amount or how the funds will be recovered.

Celsius is simultaneously dealing with several issues:

  • cease and desist orders from multiple state securities regulators,
  • the recent arrest of its chief finance officer Yaron Shalem, charged with fraud, money laundering, and sexual assault,
  • failing to disclose its CFO’s arrest to investors before closing a $750 million funding round,
  • and users reporting difficulty withdrawing funds and concerns about Ponzi-like qualities.
In an AMA on December 3, Mashinsky and Celsius team members addressed the BadgerDAO hack.

Read more: [Celsius scrubs CFO from site after arrest in Hogeg’s crypto Ponzi case]

High yield and ultra-high risk

An analysis of Celsius’ 2020 fiscal year balance sheet showed that CEL tokens made up $1.5 billion of Celsius’ gross assets and, due to other liabilities and payables, accounted for substantially all of the company’s net asset value at that time.

Celsius’ affected address in last week’s hack routinely transacts with an address that contains more than $65 million in tokens on the Ethereum blockchain.

It frequently sends token transactions to an address labeled as Celsius Network: Wallet 5.

On December 2, for instance, it sent 1 million Tether and more than 54,000 Binance USD to Celsius Network: Wallet 5.

BadgerDAO said it retained Chainalysis to track down the stolen funds and is working with law enforcement authorities in the US and Canada.

It’s paused smart contracts on its platform to prevent further theft.

Celsius “immediately shut down the attacker’s access to funds” after they had already stolen $54 million.

Read more: [Celsius chief claims he ‘redistributes wealth’ in face of regulatory pressure]

The hackers exploited the web interface connecting BadgerDAO with users’ wallets.

Members of BadgerDAO’s Discord channel reported that the interface requested additional permissions and then directed users to send tokens to wallets controlled by the hackers.

When asked for comment, Celsius CEO Alex Mashinsky said only that the company would release a statement on Friday.

Crypto insurer Nexus Mutual is also refusing to compensate BadgerDAO and Celsius users, saying their insurance policy does not cover “front end” hacks.

Rampant crime across DeFi

According to an industry report by Elliptic, hackers have stolen over $12 billion from DeFi users between January 1, 2020, and November 9, 2021.

Exploitation of bugs in dApp protocols caused 90% of the losses. Elliptic breaks down those losses down into three categories:

  • Code exploits: $5.5 billion
  • Economic exploits: $5.3 billion
  • Administrative key exploits: $1 billion

According to Elliptic, the top targets for theft due to exploits by the amount of money lost include:

  • Lending: 34%
  • Decentralized Exchanges (DEXs): 17%
  • Asset management: 16%
  • Cross-chain bridges: 13%

Follow us on Twitter for more crypto news.