Other
Supply Chain
BadgerDAO Frontend Exploit ($120M Stolen via Injected Approvals)
Incident Details
BadgerDAO, a DeFi protocol that lets users earn yield on Bitcoin through Ethereum-based vaults, suffered a frontend supply chain attack beginning approximately November 10, 2021, with the main theft occurring on December 2, 2021, and approximately $120 million stolen. Attackers compromised a Cloudflare Workers API key used by BadgerDAO's frontend and injected malicious scripts that intercepted users' Web3 wallet interactions. When victims visited the BadgerDAO website, the injected code prompted them to approve ERC-20 allowances for attacker-controlled addresses, which let the attackers later call 'transferFrom' on the victims' tokens. Once approvals were granted, the attackers waited and then swept victims' tokens in a series of large transactions. Stolen assets included Bitcoin wrapper tokens (ibBTC, renBTC) and other DeFi tokens. The attack demonstrated a critical frontend security risk: even when the underlying smart contracts are sound, a compromised frontend can drain user funds by abusing the ERC-20 approval mechanism. BadgerDAO paused all smart contracts shortly after the theft was discovered, but only after the majority of funds had been stolen. The FBI and blockchain intelligence firms (Chainalysis) assisted with the investigation. Some stolen funds were later recovered through sanctions and law enforcement coordination.
Technical Details
- Initial Attack Vector
- Attackers compromised the Cloudflare API key for BadgerDAO's frontend, injecting malicious JavaScript that prompted users to approve unlimited ERC-20 token transfers to attacker-controlled addresses when interacting with the BadgerDAO web application
- Vendor / Product
- BadgerDAO (Bitcoin yield DeFi protocol); Cloudflare CDN
- Supply Chain Attack
Confirmed third-party / vendor compromise
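As an added defender-side example (not code from BadgerDAO, Cloudflare, or the incident write-up), the snippet below shows the check a wallet or a frontend-integrity monitor can run on a pending transaction before the user signs it: decode ERC-20 `approve(address,uint256)` calldata and flag the pattern the injected script relied on, an unlimited allowance granted to a spender that is not a known protocol contract. The spender allowlist and the sample addresses are constructed placeholders, not real BadgerDAO contracts.

```javascript
// Wallet-side detection of suspicious ERC-20 approvals (added example, standalone Node.js).
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Constructed allowlist of legitimate spender contracts (placeholders, not real addresses).
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Decode approve(spender, amount) calldata; returns null for any other call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase();
  // selector (10 chars incl. "0x") + two 32-byte ABI words (64 hex chars each)
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 10 + 64 + 64) return null;
  const spender = "0x" + hex.slice(10 + 24, 10 + 64); // address is the low 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(10 + 64, 10 + 128)); // word 2
  return { spender, amount };
}

// Classify a pending transaction ({to, data} as the wallet receives it).
// Returns risk flags; an empty array means nothing suspicious was found.
function assessApproval(tx, decimals = 18) {
  const call = decodeApprove(tx.data || "");
  if (!call) return [];
  const flags = [];
  if (call.amount === MAX_UINT256) flags.push("unlimited-allowance");
  if (!KNOWN_SPENDERS.has(call.spender)) flags.push("unknown-spender");
  // Finite but enormous allowances (> 1e9 whole tokens) deserve a second look too.
  if (call.amount !== MAX_UINT256 && call.amount > 10n ** BigInt(decimals + 9)) {
    flags.push("oversized-allowance");
  }
  return flags;
}

// Build approve() calldata the way a dApp frontend would, to produce constructed samples.
function encodeApprove(spender, amount) {
  const pad = (h) => h.padStart(64, "0");
  return APPROVE_SELECTOR + pad(spender.toLowerCase().slice(2)) + pad(amount.toString(16));
}
```

A wallet that surfaces these flags gives the user a concrete reason to refuse the signature, which is the point at which the BadgerDAO attack could have been stopped for each individual victim.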
Timeline
- 2021-11-10 Breach occurred
- 2021-12-02 Publicly disclosed