The two DeFi protocols Agave and Hundred Finance were exploited in a new “re-entrancy” attack and lost $11 million worth of cryptocurrencies, as we report in today’s latest altcoin news.
DeFi hacks continue, as the two biggest finance protocols were exploited for $11 million worth of crypto. Both DeFi protocols were hit by a “re-entrancy” attack in which the hacker drained funds in Wrapped ETH, Wrapped BTC, USDC, Gnosis, Chainlink, and Wrapped XDAI from both protocols on the Gnosis chain using a flash loan exploit.
Data from Tenderly shows that the hacker exploited a re-entrancy bug in the two protocols. Re-entrancy is a vulnerability in smart contracts written in the Solidity programming language that lets a malicious entity deceive a protocol’s smart contract into making an external call to an untrusted contract; once the attacker gains control, they make recursive calls to the original function and drain the funds.
Blockchain researcher Mudit Gupta revealed that the official bridge tokens on Gnosis were the main culprit: they were nonstandard, with a hook that calls the token receiver on each transfer, and he added that this is what allows such an attack. Agave is a fork of Aave, while Hundred Finance is a fork of Compound.
Gupta claims that Compound doesn’t follow the recommended checks-effects-interactions pattern despite the referrals to it. Re-entrancy attacks are more damaging when the code executes interactions before applying the effects. Aave, on the other hand, tries to follow the pattern, but there is a path via liquidations that the attacker used to break it:
“The agave and hundred protocol teams messed up by listing a token that can reenter. Aave and compound governance actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks.”
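The ordering problem described above, as an added example: a simplified Python model, not code from Agave, Hundred Finance, Aave or Compound. The class names, the hook name `on_token_transfer` and all numbers are constructed for illustration; it contrasts a borrow function that transfers before recording debt with one that follows checks-effects-interactions.

```python
class HookToken:
    """Constructed model of a token that calls the receiver on every transfer."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        hook = getattr(receiver, "on_token_transfer", None)
        if hook:
            hook(amount)  # control passes to untrusted receiver code here

class Pool:
    """Constructed lending pool: a borrower may owe at most `limit`."""
    def __init__(self, token, limit, follow_cei):
        self.token, self.limit, self.follow_cei = token, limit, follow_cei
        self.debt = {}

    def borrow(self, borrower, amount):
        owed = self.debt.get(borrower, 0)
        if owed + amount > self.limit:                   # check
            raise ValueError("over borrow limit")
        if self.follow_cei:
            self.debt[borrower] = owed + amount          # effect first
            self.token.transfer(self, borrower, amount)  # interaction last
        else:
            self.token.transfer(self, borrower, amount)  # interaction first
            self.debt[borrower] = self.debt.get(borrower, 0) + amount  # effect too late

class ReenteringReceiver:
    """Test double: its transfer hook calls borrow() again."""
    def __init__(self, pool):
        self.pool = pool

    def on_token_transfer(self, amount):
        try:
            self.pool.borrow(self, amount)
        except ValueError:
            pass  # pool refused the nested call

def run(follow_cei, reserves=100, limit=10):
    """Return (pool reserves left, debt recorded) after one borrow of `limit`."""
    token = HookToken()
    pool = Pool(token, limit, follow_cei)
    token.balances[pool] = reserves
    receiver = ReenteringReceiver(pool)
    pool.borrow(receiver, limit)
    return token.balances[pool], pool.debt[receiver]
```

`run(False)` returns `(0, 100)`: every nested call passed the limit check against debt that had not yet been recorded, so reserves ran out before the limit was enforced. `run(True)` returns `(90, 10)` because the nested call sees the updated debt and is refused.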
Cream Finance shares a similar codebase with Compound and was also exploited in an $18.8 million flash loan reentrancy attack in 2021. According to DanceFloor developer “Shegan”, the funds are not safe. However, Martin Koppelmann said he will support a measure from the DAO, and the teams behind Hundred Finance and Agave are investigating the exploits and pausing the contracts.