On 15 March, an attacker siphoned over $11 million from two DeFi platforms, Agave and Hundred Finance. According to the investigation, it appeared to be a flash loan 'reentrancy attack' on both protocols on the Gnosis chain. Both platforms paused their contracts to prevent further damage.
Assessing the damage
Solidity developer and creator of an NFT liquidity protocol app, Shegen chose to highlight the hack in a series of tweets on 16 March. Interestingly, this analysis came after the aforementioned entity lost $225,000 in the same exploit.
There's already been a few good threads (and some bad ones that spoke too soon) on the @Agave_lending and @HundredFinance hacks today.
Here's my analysis & reflection, after just having lost over $225k from the exploit, and explored what happened
— Shegen (@shegenerates) March 15, 2022
Her preliminary investigations revealed that the attack worked by exploiting a wETH contract function on Gnosis Chain. It allowed the attacker to keep borrowing crypto before the apps could calculate the debt, which would otherwise have stopped further borrowing. In other words, the perpetrator carried out the exploit by borrowing against the same collateral they had posted until the funds were drained from the protocols.
To make matters worse, the funds were not safe. 'They're pretty much gone forever, but there's still hope,' she added. That said, the founder of Gnosis, Martin Koppelmann, did tweet to bring some certainty amidst the chaos. Koppelmann asserted,
Can't make any promises, and first we should really understand what happened. But I'd generally be supportive of a GnosisDAO proposal that would try to prevent users from losing funds by e.g. borrowing funds/ investing funds into @Agave_lending
— Martin Köppelmann (@koeppelmann) March 15, 2022
After some further analysis, the attacker allegedly deployed a contract with 3 functions; in blocks 21120283 and 21120284, the hacker used the contract to interact with the affected protocol, Agave, directly. The smart contract on Agave was essentially the same as Aave's, which secured $18.4B.
As there was no reported exploit in AAVE, how could Agave be drained? Well, here's a summary of how it was used in an unsafe way "accidentally".
The weth contract was deployed the first time someone moved weth to GC. Every time you bring a new token over the bridge, a new token contract is created for it.
The callAfterTransfer function helps prevent you from sending tokens directly to the bridge and losing them forever pic.twitter.com/ZiAZAcTtSI
— Shegen (@shegenerates) March 15, 2022
The hacker was thus able to borrow more than their collateral in Agave, thereby walking away with all borrowable assets.
The borrowed assets comprised 2,728.9 WETH, 243,423 USDC, 24,563 LINK, 16.76 WBTC, 8,400 GNO, and 347,787 WXDAI. Overall, the hacker made off with roughly $11 million.
Nonetheless, Shegen did not blame the Agave developers for failing to prevent the attack. She said the developers ran secure and safe AAVE-based code, although it was used with unsafe tokens, in an unsafe way.
"All DeFi protocols on GC should swap out current bridged tokens for new ones," she concluded.
Blockchain security researcher Mudit Gupta reiterated a similar cause behind the exploit.
Agave and Hundred Finance were exploited today on Gnosis chain (formerly xDAI).
The underlying reason for the hack is that the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. This allows reentrancy attacks. pic.twitter.com/8MU8Pi9RQT
— Mudit Gupta (@Mudit__Gupta) March 15, 2022
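The mechanism described in Shegen's thread (borrowing repeatedly against the same collateral before the debt is booked) and in Mudit Gupta's tweet (a bridged token whose transfer calls the receiver) can be modelled in a few dozen lines. The following Python simulation is an added example, not code from Agave, Hundred Finance, the Gnosis bridge or either researcher: the token, pool, hook name `on_token_transfer`, the 80% LTV and the balances are all constructed for illustration. It contrasts a pool that records debt after the transfer with a hardened pool that applies the two standard defences, a reentrancy guard and checks-effects-interactions ordering.

```python
"""Constructed simulation of the transfer-hook reentrancy discussed above.
Not the Agave, Hundred Finance or Gnosis bridge code: a bridged token whose
transfer notifies the receiver (the behaviour the tweets attribute to the
callAfterTransfer hook), a lending pool that books the borrower's debt only
after handing the tokens over, and a receiver that re-enters borrow() from
inside the hook. The hardened pool shows the two usual fixes."""


class ReentrancyError(Exception):
    """Raised by the hardened pool when borrow() is entered recursively."""


class HookToken:
    """Minimal ERC-677-like token: transfer() calls a hook registered for the receiver."""

    def __init__(self, balances):
        self.balances = dict(balances)   # address -> balance
        self.hooks = {}                  # address -> callable(token, sender, amount)

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{sender}: insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        # The non-standard part: control passes to the receiver before the
        # caller (here the pool) has finished its own bookkeeping.
        hook = self.hooks.get(receiver)
        if hook is not None:
            hook(self, sender, amount)


class LendingPool:
    """Toy collateralised lending: collateral and borrowed asset are the same token, priced 1:1."""

    LTV = 0.8          # a borrower may owe at most 80% of posted collateral (constructed)
    ADDRESS = "pool"

    def __init__(self, token, hardened):
        self.token = token
        self.hardened = hardened
        self.collateral = {}
        self.debt = {}
        self._entered = False

    def deposit(self, user, amount):
        self.token.transfer(user, self.ADDRESS, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check_health(self, user, new_debt):
        if new_debt > self.collateral.get(user, 0) * self.LTV:
            raise ValueError(f"{user}: borrow would exceed LTV")

    def borrow(self, user, amount):
        if self.hardened:
            # Fix 1: a reentrancy guard refuses nested entry.
            if self._entered:
                raise ReentrancyError("borrow() re-entered")
            self._entered = True
            try:
                # Fix 2: checks-effects-interactions; debt is booked before the transfer.
                self._check_health(user, self.debt.get(user, 0) + amount)
                self.debt[user] = self.debt.get(user, 0) + amount
                self.token.transfer(self.ADDRESS, user, amount)
            finally:
                self._entered = False
        else:
            # Vulnerable ordering: the health check passes, the tokens (and control)
            # leave the pool, and only then is the debt recorded.
            self._check_health(user, self.debt.get(user, 0) + amount)
            self.token.transfer(self.ADDRESS, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount


def run_scenario(hardened):
    """Deposit 100, borrow the permitted 80 once, and let the receiver hook re-enter
    while the pool still holds funds. Returns (borrower balance, recorded debt)."""
    token = HookToken({"borrower": 100, "depositor": 1000})   # constructed balances
    pool = LendingPool(token, hardened)
    pool.deposit("depositor", 1000)   # honest liquidity
    pool.deposit("borrower", 100)

    def on_token_transfer(tok, sender, amount):
        # Receiver hook: while the pool still has the tokens, ask for more.
        if sender == LendingPool.ADDRESS and tok.balances[sender] >= amount:
            try:
                pool.borrow("borrower", amount)
            except ReentrancyError:
                pass   # the guard stopped the nested call; nothing more to do

    token.hooks["borrower"] = on_token_transfer
    pool.borrow("borrower", 80)
    return token.balances["borrower"], pool.debt["borrower"]


if __name__ == "__main__":
    print("vulnerable pool (balance, debt):", run_scenario(hardened=False))
    print("hardened pool   (balance, debt):", run_scenario(hardened=True))
```

Against the vulnerable pool the borrower posts 100 of collateral and walks away with 1040, because every nested `borrow()` sees a debt of zero; the debt is eventually recorded, but only after the tokens are gone, which is exactly "before the apps could calculate the debt". Against the hardened pool the same hook gets 80 and nothing more. Either defence alone suffices in this model: the guard rejects the nested call outright, and booking the debt before the transfer makes the nested health check fail even without a guard.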