How These Two DeFi Protocols Fell Prey to an $11 Million Reentrancy Attack

On March 15 an attacker transferred over $11 million from two DeFi platforms, Agave and Hundred Finance† According to research, it turned out to be a ‘reentrance attack’ of a flash loan on both protocols on the Gnosis chain. Likewise, the platforms stopped their contracts to prevent further damage.

assess damage

Solidity developer and maker of NFT liquidity protocol app, Shegen chose to highlight the hack in a series of tweets on March 16. Surprisingly, this analysis came after the aforementioned entity lost $225,000 in the same exploit.

Her preliminary investigations revealed that the attack worked by leveraging a wETH contract function on Gnosis Chain. This allowed the attacker to continue borrowing crypto before the apps could calculate the debt, which would prevent further borrowing. Ergo, the unsub carried the said exploit by borrowing against the same collateral they had placed until the money was gone from the protocols.

To make matters worse, the funds were not safe. “They’re pretty much gone forever, but there’s still hope,” she says added† That said, Gnosis founder Martin Koppelmann tweeted to provide some assurance amid the chaos. Koppelmann claimed,

After some further investigation, the attacker would have deployed this contract with 3 functions; In blocks 21120283 and 21120284, the hacker used the contract to communicate directly with the affected protocol, Agave. The smart contract on Agave was essentially the same as Aave, which brought in $18.4 billion.

Since no abuse has been reported in AAVE, how could Agave be emptied? Well, here’s a Overview how it was “unintentionally” used in an unsafe manner.

The said hacker was able to borrow more than their collateral in agave. In doing so, walk away with all borrowable assets.

Source: Twitter

The borrowed assets consisted of 2,728.9 WETH, 243,423 USDC, 24,563 LINK, 16,76 WBTC, 8,400 GNO and 347,787 WXDAI. In total, the hacker made off with about $11 million.

Nevertheless, Shegen didn’t blame the Agave developers for not preventing the attack. She said the developers had a safe and secure AAVE-based code. although used with insecure tokens, in an insecure way.

“All DeFi protocols on GC should replace existing bridged tokens with new ones,” she concluded.

Blockchain Security Researcher Mudit Gupta repeated a similar cause behind the exploit.

Leave a Comment