After the Badger Dao hack everyone should get in the practice of revoking smart contract access on their wallets once their initial use is complete.

Badger Dao was hit almost 2 days ago. From what I understand it was done by breaking into the creators' Cloudflare account and dropping malicious code onto their site header. It then had the users agree to a malicious contract and drained their wallets.

While not all smart contracts are malicious, duh, there are risks that come with signing these contracts with the ability to transferFrom your account. Once you agree to said contract, money can be pulled from that account without further approval. This means 2FA and a Ledger will not protect you if the contract is malicious. These contracts have you agree to a set limit, up to infinite. When agreeing to them you are often able to edit them and see what they are asking for. Some protocols will allow you to change the set amount on the contract, but not all.

Staking and wrapping contracts can be examples of these contracts with transferFrom ability. They are popular on OHM forks.

When it comes to rebasing in an OHM fork protocol like these, you should not need to keep the smart contract access to your accounts active to continue receiving said rebases. I have tested this with multiple accounts on Wonderland and am still receiving rebases on my wrapped MEMO.

It doesn't matter how much faith or trust or whatever you have in a protocol or its owners. There are still risks involved. Check your approved contracts every time you log out of your wallet, just to be sure. There's no reason to leave a contract with such abilities just sitting open on your account after the initial use.

Tip: connecting a wallet is different than signing a contract. Said contract will require a transaction fee and be visible on the chain. Connecting a wallet simply allows a site to see your address and give you information relevant to it.

Do yourself a favor and use a token allowance tracker to see what contracts are currently approved. Revoke access to anything that has completed its use. Revoking access essentially approves a 0 spend limit. This will cost you a transaction fee. When you need to move the money around again, the protocol will ask you to sign the contract once more.

There are plenty of token allowance trackers. Make sure to use one that works with the chains you have contracts on. Snowtrace has one for Avalanche. DeBank has one for quite a few chains. Use one you trust.

If you would like more info on this, here is a good Medium article on the transferFrom issue with these DeFi 2.0 sites.

https://brogna.medium.com/token-allowance-dc553f7d38b3

If everyone in the BadgerDAO were in the practice of checking approved contracts after they were done working with their crypto, the vast majority of users would have been safe. They would have seen a third contract and been able to identify it as malicious. This script was injected on Nov 10. The scammers waited until critical mass before draining. If the users had checked their contracts and removed them after using the site, then said contracts would not have had approval to move any of their money when the actual drain hit. It's just good practice.

Good luck out there everyone. It's fucking scary these days. It's the wild west. Be safe.

Apologies for any typos or formatting issues. I'm on mobile.

submitted by /u/mingkonng
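An added example, not part of the original post and not code from BadgerDAO, Wonderland or any wallet or allowance tracker: a Python model of the ERC-20 approve/transferFrom flow the post describes. It includes a decoder for the approve() calldata a wallet shows you before you sign (so you can see the spender and whether the limit is "infinite"), a ledger that shows the spender pulling funds repeatedly with no further approval, and the check-then-revoke loop that builds an approve(spender, 0) call for every open allowance. The addresses, balances and the `Token` class are constructed for the example; the two 4-byte function selectors are the standard ERC-20 ones.

```python
"""
Model of ERC-20 allowances: inspect an approve() before signing, watch a
spender drain an open allowance, then revoke by approving 0.
Everything below is an offline simulation; nothing touches a real chain.
"""

MAX_UINT256 = 2**256 - 1

# Standard ERC-20 selectors: keccak256("approve(address,uint256)")[:4] and
# keccak256("transferFrom(address,address,uint256)")[:4].
SEL_APPROVE = bytes.fromhex("095ea7b3")
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")

# Constructed addresses for the example (not real accounts or contracts).
ALICE = "0x" + "aa" * 20
STAKING = "0x" + "b1" * 20


def _addr_bytes(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    return SEL_APPROVE + _addr_bytes(spender).rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> dict:
    """Decode the `data` field of an approve() transaction a wallet asks you to sign."""
    if len(calldata) != 4 + 64 or calldata[:4] != SEL_APPROVE:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + calldata[16:36].hex()          # address is the low 20 bytes of word 1
    amount = int.from_bytes(calldata[36:68], "big")  # word 2
    return {"spender": spender, "amount": amount, "unlimited": amount == MAX_UINT256}


def revoke_calldata(spender: str) -> bytes:
    """Revoking is just approving a 0 spend limit."""
    return encode_approve(spender, 0)


class Token:
    """In-memory ERC-20 balance/allowance ledger (constructed stand-in for a chain)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # `caller` plays msg.sender: the spender contract, not the owner.
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:  # "infinite" allowances are never decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def outstanding(self, owner):
        """What an allowance tracker shows: every spender with a non-zero limit."""
        return {s: a for (o, s), a in self.allowances.items() if o == owner and a > 0}


def revoke_all(token: Token, owner: str) -> dict:
    """Build an approve(spender, 0) call for every open allowance of `owner`."""
    return {spender: revoke_calldata(spender) for spender in token.outstanding(owner)}


def demo() -> dict:
    token = Token({ALICE: 1000})
    # The staking site's prompt, decoded before signing: spender and limit are visible.
    prompt = decode_approve(encode_approve(STAKING, MAX_UINT256))
    token.approve(ALICE, STAKING, prompt["amount"])
    token.transfer_from(STAKING, ALICE, STAKING, 100)  # the deposit Alice intended
    # Later the spender pulls again: the owner signs nothing, so no wallet prompt,
    # 2FA or hardware confirmation is involved in this transaction.
    token.transfer_from(STAKING, ALICE, STAKING, 400)
    before = token.outstanding(ALICE)
    # Check open allowances, build a revoke for each, and "sign" them.
    for spender, data in revoke_all(token, ALICE).items():
        token.approve(ALICE, spender, decode_approve(data)["amount"])
    try:
        token.transfer_from(STAKING, ALICE, STAKING, 1)
        drained_after_revoke = True
    except PermissionError:
        drained_after_revoke = False
    return {
        "prompt_unlimited": prompt["unlimited"],
        "balance_after_pulls": token.balances[ALICE],
        "outstanding_before_revoke": before,
        "outstanding_after_revoke": token.outstanding(ALICE),
        "drained_after_revoke": drained_after_revoke,
    }


if __name__ == "__main__":
    print(demo())
```

The decoder is the part worth keeping around: paste the hex `data` of any pending approve() into it and the `unlimited` flag tells you whether you are about to grant a cap or an open-ended pull. Note the ledger's behaviour for the max value: an "infinite" allowance is not decremented by spends, so it stays open until you explicitly approve 0.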