Two lending DeFi (decentralised finance) protocols, Agave and Hundred Finance, have been exploited for approximately US$11 million, both companies confirmed on Twitter this week:
Reentrancy Bug Responsible
Looking at the transaction data on Tenderly, it seems both protocols were hacked using reentrancy attacks, which is a vulnerability in Solidity, the programming language in which Ethereum is written.
Reentrancy is when an attacker manages to trick a function on the Solidity smart contract, called “callAfterTransfer” – the function then makes an external call to another untrusted contract.
Once the hacker has access to the untrusted contract, they can make recursive calls using the protocols’ funds without having to put up additional collateral.
Blockchain and security researcher Mudit Gupta shed some technical light on the hacks, stating that the attacker introduced code after the callAfterTransfer function to run a flash loan exploit, allowing them to borrow funds before the protocols were able to calculate the debt and prevent further borrowing.
Both protocols were hacked on the Gnosis chain, which is an EVM-compatible blockchain. Gupta added that what allowed reentrancy attacks was the fact that “the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer”:
Agave is a fork of DeFi lending protocol Aave, while Hundred Finance is a fork of Compound. Compound, on one hand, doesn’t follow the check-effects-interaction patterns, which is a recommended practice while making external calls in Solidity.
Aave does follow that practice, but according to Gupta there is a “path via liquidations using which the attacker broke the pattern”.
Tokens Wear the Fallout
Unsurprisingly, the native tokens of both protocols took a blow, both dropping by double digits, according to data from CoinMarketCap. But it seems they have recovered by at least 15 percent from their previous price.
After draining both protocols’ funds, the attacker went on to launder the money using Tornado Cash. Etherscan hasn’t labelled the attacker’s address with a DeFi exploit.
The event comes a week after Fantasm Finance was hacked for US$2.6 million through a flash loan attack, also using Tornado Cash to launder the funds.
The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.