Agave and Hundred Finance DeFi Protocols Abused for $11 Million

A hacker has made off with about $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI after using a “re-entrancy” attack on DeFi loan protocol applications Agave and Hundred Finance.

The attack comes within 24 hours of breaking news of the Deus Finance exploit, in which hackers stole more than $3 million worth of Dai and Ethereum from the lending contract platform.

Agave’s token, AGVE, fell 20 percent after the attack, according to data from CoinGecko. Hundred Finance’s token, HND, fell 3.5 percent after it announced the exploit, but it has since recovered, reaching a 24-hour high.

“Agave is currently investigating an exploit on the agave funding protocol,” Agave tweeted on Tuesday the 15th at 13:30 UTC. “We’ll update you as soon as we know more.” It noted that contracts have been suspended until the situation is resolved.

The Hundred Finance team also tweeted that it had been exploited on Gnosis Chain and had paused its markets while investigations continued.

According to on-chain analysis, the address associated with the attacker has sent more than 2,100 ETH, worth more than $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.


Solidity developer and creator of an NFT liquidity protocol app Shegen (@shegenerates) tweeted that she lost $225,000 to the exploit, and that her research showed the attack worked by leveraging a feature of the wETH contract on Gnosis Chain, a callback to the token recipient, which let the attacker keep borrowing before the apps had recorded the debt that would otherwise have blocked further borrowing.

The attacker repeated this step, borrowing again and again against the same collateral they had posted until the protocols’ funds were drained.
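The mechanism described above, reduced to a toy simulation, is shown below. This is an added illustration, not code from the article or from Agave, Hundred Finance or Aave: a token whose transfer calls a hook on the recipient, a lending pool that in its unsafe form sends tokens before writing the borrower’s debt, and the same pool hardened with checks-effects-interactions ordering plus a re-entrancy lock. The account names, amounts and the 50 percent collateral factor are constructed assumptions.

```python
# Added illustration (not the protocols' own code): how a recipient callback
# lets `borrow` be re-entered before debt is recorded, and how ordering the
# state write before the transfer plus a lock stops it.
# All names, amounts and COLLATERAL_FACTOR are constructed assumptions.

COLLATERAL_FACTOR = 0.5  # assumed: a user may borrow up to half their collateral


class ReentrancyBlocked(Exception):
    """Raised when a locked pool function is entered again during a call."""


class InsufficientCollateral(Exception):
    """Raised when a borrow would exceed the collateral limit."""


class CallbackToken:
    """Toy token whose transfer notifies the recipient, the way a bridged token
    with a receive hook does. Balances are keyed by account object."""

    def __init__(self):
        self.balances = {}

    def mint(self, account, amount):
        self.balances[account] = self.balance_of(account) + amount

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook is not None:
            hook(amount)  # control passes to the recipient in the middle of the call


class LendingPool:
    """Toy pool: users post collateral (tracked as a number) and borrow the token.
    safe=False reproduces the unsafe ordering (transfer, then record debt);
    safe=True records debt first and refuses nested entry."""

    def __init__(self, token, safe):
        self.token = token
        self.safe = safe
        self.collateral = {}
        self.debt = {}
        self._locked = False

    def deposit_collateral(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check_limit(self, user, amount):
        limit = self.collateral.get(user, 0) * COLLATERAL_FACTOR
        if self.debt.get(user, 0) + amount > limit:
            raise InsufficientCollateral(f"limit {limit}, requested {amount}")

    def borrow(self, user, amount):
        if not self.safe:
            self._check_limit(user, amount)            # check passes: debt still 0
            self.token.transfer(self, user, amount)    # callback fires here...
            self.debt[user] = self.debt.get(user, 0) + amount  # ...before this write
            return
        if self._locked:
            raise ReentrancyBlocked("borrow re-entered during a token transfer")
        self._locked = True
        try:
            self._check_limit(user, amount)                        # checks
            self.debt[user] = self.debt.get(user, 0) + amount      # effects
            self.token.transfer(self, user, amount)                # interactions last
        finally:
            self._locked = False


class ReenteringRecipient:
    """Recipient whose receive hook calls back into the pool a bounded number
    of times; used to show what each pool variant does with the re-entry."""

    def __init__(self, pool, amount, max_reentries=5):
        self.pool, self.amount, self.remaining = pool, amount, max_reentries
        self.blocked = []  # names of the exceptions the pool raised on re-entry

    def tokens_received(self, amount):
        if self.remaining == 0:
            return
        self.remaining -= 1
        try:
            self.pool.borrow(self, self.amount)
        except (ReentrancyBlocked, InsufficientCollateral) as exc:
            self.blocked.append(type(exc).__name__)


def run_scenario(safe):
    """Post 100 collateral (limit 50), borrow 50 once, and report the outcome."""
    token = CallbackToken()
    pool = LendingPool(token, safe=safe)
    token.mint(pool, 1000)                 # constructed pool liquidity
    user = ReenteringRecipient(pool, amount=50)
    pool.deposit_collateral(user, 100)
    pool.borrow(user, 50)
    try:
        pool.borrow(user, 1)               # a later direct borrow over the limit
        over_limit_rejected = False
    except InsufficientCollateral:
        over_limit_rejected = True
    return {
        "borrowed": token.balance_of(user),
        "debt": pool.debt.get(user, 0),
        "pool_left": token.balance_of(pool),
        "blocked": user.blocked,
        "over_limit_rejected": over_limit_rejected,
    }


if __name__ == "__main__":
    print("unsafe ordering:", run_scenario(safe=False))
    print("hardened pool:  ", run_scenario(safe=True))
```

In the unsafe variant every nested call sees a debt of zero, so five re-entries each pass the collateral check and the user ends up holding six times the limit; the hardened variant refuses the nested call outright and, because the debt was written before the transfer, a later direct borrow over the limit is rejected as well.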

Shegen told Coin-Crypto that while the smart contract on Agave is essentially the same as Aave, which secures $18.4 billion, “every security researcher has checked it,” she said, “so it’s reasonable to assume the contract is secure.”

“I think this hack stands out more than some bigger ones,” Shegen said, pointing out that even if it’s a smaller hack compared to others that have stolen millions more, its resemblance to Aave meant “it seemed safe, but it was not, and that breach of trust hurts.”

“It’s like you can’t even trust the ‘secure’ code.”

Blockchain security researcher Mudit Gupta says the difference between Aave and Agave is that “Aave actively checks for re-entry before placing tokens on the main net to prevent similar attacks.”

Shegen stated that she did not blame the Agave developers for failing to prevent the attack.

“Agave was being used in an insecure way,” she said, “maybe the developer shouldn’t have allowed tokens with callbacks in them to be used on the platform, or added more re-entrancy guards.”

“Curve, for example, wasn’t hacked today, because it has extra re-entrancy guards, but I don’t really blame Luigy and the Agave team, because it’s so unlikely that this would have happened, and it slipped past a lot of people.”

Shegen also did not blame Gnosis for creating tokens with a callback feature that the hacker exploited, saying the feature prevents users from accidentally losing their crypto.

“That’s actually a great feature for bridged tokens. It’s just a really unfortunate circumstance in my opinion.”
