DeFi

How these two DeFi protocols fell prey to $11 million ‘reentrancy attack’

Published

on

Source: Unsplash

On 15 March, an attacker siphoned over $11 million from two DeFi platforms, Agave and Hundred Finance. It appeared to be a flash loan ‘reentrancy attack’ on both protocols on the Gnosis chain as per investigation. Likewise, the platforms halted their contracts to forestall further damage.

Assessing the damage 

Solidity developer and creator of an NFT liquidity protocol app, Shegen chose to highlight the hack in a series of tweets on 16 March. Surprisingly, this analysis came after the aforementioned entity lost $225,000 in the same exploit.

Her preliminary investigations revealed the attack worked by exploiting a wETH contract function on Gnosis Chain. It allowed the attacker to continue borrowing crypto before the apps could calculate the debt, which would prevent further borrowing. Ergo, the culprit carried the said exploit by borrowing against the same collateral they posted until the funds drained from the protocols.

To make things worse, the funds weren’t safe. ‘They are pretty much gone forever, but there is still hope,’ she added. That said, the founder of Gnosis, Martin Koppelmann did tweet to bring in some certainity amidst the chaos. Koppelmann asserted,

After some further research, the attacker allegedly deployed this contract with 3 functions; In blocks 21120283 and 21120284, the hacker used the contract to interact with the affected protocol, Agave directly. The smart contract on Agave was essentially the same as Aave, which secured $18.4B.

As there was no reported exploit in AAVE, how could Agave be drained? Well, here’s a summary of how it was used in an unsafe way “unintentionally”.

The said hacker was able to borrow more than their collateral in agave. Thereby, walking away with all borrowable assets.

Source: Twitter

The borrowed assets comprised of 2,728.9 WETH, 243,423 USDC, 24,563 LINK, 16.76 WBTC, 8,400 GNO, and 347,787 WXDAI. Overall, the hacker made off with approximately $11 million.

Nonetheless, Shegen did not blame the Agave developers for failing to prevent the attack. She said, the developers ran a secure and safe AAVE-based code. Although used

with unsafe tokens, in an unsafe way.

“All DeFi protocols on GC should swap out existing bridged tokens for new ones,” she concluded.

Blockchain security researcher Mudit Gupta reiterated a similar cause behind the exploit.