On 15 March, an attacker siphoned over $11 million from two DeFi platforms, Agave and Hundred Finance. According to the initial investigation, it appeared to be a flash loan ‘reentrancy attack’ on each protocol on the Gnosis chain. Both platforms subsequently paused their contracts to prevent further damage.
Assessing the damage
Shegen, a Solidity developer and creator of an NFT liquidity protocol app, chose to analyse the hack in a series of tweets on 16 March. Notably, this analysis came after she herself lost $225,000 in the same exploit.
There's already been a few good threads (and a few bad ones that spoke too soon) on the @Agave_lending and @HundredFinance hacks today.
Here's my analysis & reflection, after just having lost over $225k from the exploit, and explored what happened 👇
— Shegen (@shegenerates) March 15, 2022
Her preliminary investigation revealed that the attack worked by exploiting a wETH contract function on Gnosis Chain. It allowed the attacker to keep borrowing crypto before the apps could calculate the debt, which would otherwise prevent further borrowing. Hence, the attacker carried out the exploit by borrowing against the same collateral they had posted until the funds were drained from the protocols.
To make matters worse, the funds were not safe. ‘They’re pretty much gone forever, but there’s still hope,’ she added. That said, Gnosis founder Martin Köppelmann did tweet to bring some certainty amidst the chaos. Köppelmann asserted,
Can't make any promises, and first we should really understand what happened. But I would generally be supportive of a GnosisDAO proposal that would try to prevent users from losing funds by e.g. borrowing funds/ investing funds into @Agave_lending
— Martin Köppelmann 🇺🇦 (@koeppelmann) March 15, 2022
After some further analysis, the attacker allegedly deployed a contract with 3 functions. In blocks 21120283 and 21120284, the hacker used the contract to interact directly with the affected protocol, Agave. The smart contract on Agave was essentially the same as Aave, which secured $18.4B.
As there was no reported exploit in AAVE, how could Agave be drained? Well, here’s a summary of how it was used in an unsafe way “unintentionally”.
The weth contract was deployed the first time someone moved weth to GC. Every time you bring a new token over the bridge, a new token contract is created for it.
The callAfterTransfer function helps prevent you from sending tokens directly to the bridge and losing them forever pic.twitter.com/ZiAZAcTtSI
— Shegen (@shegenerates) March 15, 2022
The hacker was thus able to borrow more than their collateral in Agave, walking away with all borrowable assets.
The borrowed assets comprised 2,728.9 WETH, 243,423 USDC, 24,563 LINK, 16.76 WBTC, 8,400 GNO, and 347,787 WXDAI. Overall, the hacker made off with roughly $11 million.
Nonetheless, Shegen did not blame the Agave developers for failing to prevent the attack. She said the developers ran secure, safe AAVE-based code; it was, however, used with unsafe tokens, in an unsafe way.
“All DeFi protocols on GC should swap out existing bridged tokens for new ones,” she concluded.
Blockchain security researcher Mudit Gupta reiterated the same cause behind the exploit.
Agave and Hundred Finance were exploited today on Gnosis chain (formerly xDAI).
The underlying reason for the hack is that the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. This allows reentrancy attacks. pic.twitter.com/8MU8Pi9RQT
— Mudit Gupta (@Mudit__Gupta) March 15, 2022
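The failure mode described in Shegen's thread and Mudit Gupta's tweet, as an added Python model that is not code from the article, Agave, Aave or the Gnosis bridge: a token whose transfer calls the receiver, a pool that pays out before recording the debt, and the two standard mitigations (a reentrancy guard and recording the debt before the transfer). The 75% collateral factor, the liquidity and the balances are constructed figures.

```python
class HookedToken:  # bridged-token model: a receiver hook fires on every transfer
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        hook = getattr(receiver, "on_token_transfer", None)
        if hook is not None:  # receiver code runs inside the caller's transfer
            hook(amount)

class LendingPool:  # Aave-style pool: borrow up to 75% of posted collateral
    def __init__(self, token, liquidity, guarded=False, effects_first=False):
        self.token, self.guarded, self.effects_first = token, guarded, effects_first
        self.collateral, self.debt, self._locked = {}, {}, False
        token.balances[self] = liquidity
    def borrow(self, user, amount):
        if self.guarded and self._locked:
            raise RuntimeError("reentrant call blocked")  # nonReentrant-style guard
        self._locked = True
        try:
            if self.debt.get(user, 0) + amount > 0.75 * self.collateral.get(user, 0):
                raise ValueError("borrow exceeds collateral")
            if self.effects_first:  # checks-effects-interactions: record debt first
                self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)  # the receiver hook fires here
            if not self.effects_first:  # vulnerable ordering: debt recorded after payout
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self._locked = False

class ReenteringUser:  # contract-like receiver whose hook re-enters borrow()
    def __init__(self, pool, amount, rounds):
        self.pool, self.amount, self.rounds = pool, amount, rounds
    def on_token_transfer(self, _amount):
        if self.rounds > 0:
            self.rounds -= 1
            try:
                self.pool.borrow(self, self.amount)
            except (RuntimeError, ValueError):
                pass  # a hardened pool rejects the nested borrow

def run_scenario(guarded=False, effects_first=False):
    """Return (tokens received, debt recorded, collateral) for one borrower."""
    token = HookedToken()
    pool = LendingPool(token, 1_000, guarded, effects_first)
    user = ReenteringUser(pool, amount=75, rounds=4)
    pool.collateral[user] = 100  # constructed figures: honest maximum borrow is 75
    pool.borrow(user, 75)
    return token.balances[user], pool.debt[user], pool.collateral[user]
```

With neither mitigation the borrower receives 375 tokens against 100 of collateral, because every nested borrow sees a debt of zero; either the guard or the effects-first ordering caps it at the honest 75.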