Attacker Steals $11 Million Worth of Crypto

Not one, but two decentralized finance (DeFi) protocols – Agave and Hundred Finance – were exploited in a fresh case of a “re-entrancy” attack.

The hacker reportedly managed to siphon funds worth $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI on both DeFi protocols on the Gnosis chain using a flash loan exploit.

The Hacks

Judging by the data available on Tenderly for both breaches, the hacker exploited a re-entrancy bug in the two protocols.

For the uninitiated, “re-entrancy” is a vulnerability class in smart contracts (most often written in Solidity, though the flaw lies in the contract logic rather than in the language itself). It arises when a contract makes an external call to an untrusted contract before it has finished updating its own state. Because the untrusted contract is attacker-controlled, it can call back into the original function while the original contract's accounting is still stale, repeating the call recursively to drain its funds.

Blockchain and security researcher Mudit Gupta revealed that the official bridged tokens on Gnosis are the main culprit and stated that they are “non-standard and have a hook that calls the token receiver on every transfer.” He added that this is what allows re-entrancy attacks.

Agave is a fork of DeFi lending platform Aave, while the multi-chain lending project, Hundred Finance, is a fork of Compound. Gupta also claimed that Compound does not follow the recommended checks-effects-interactions pattern despite referring to it.

This makes re-entrancy attacks easier, since “the code executes interactions before applying the effects.” Aave, on the other hand, tries to follow the checks-effects-interactions pattern. However, there is a path via liquidations through which the attacker “broke the pattern” in the recent attack. He went on to add,

“The agave and hundred protocol teams messed up by listing a token that can reenter. Aave and compound governance actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks.”
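The mechanism Gupta describes above (a bridged token with a transfer hook, combined with a pool that performs the token transfer before recording the effect), as an added example that is not code from the article, Agave, Hundred Finance, Aave or Compound. It is a toy Python model: a Compound-style `borrow()` that transfers tokens out before updating the borrower's debt, a token that calls `on_token_received` on the receiver during every transfer, and an attacker contract that re-enters `borrow()` from that hook. The `cei` flag switches the pool to checks-effects-interactions ordering so the two outcomes can be compared; all names, amounts and accounts are constructed for illustration.

```python
class HookedToken:
    """Token whose transfer() notifies the receiver on every transfer.

    Models the non-standard hook the article attributes to the bridged
    Gnosis tokens; this is not the bridge's actual code."""

    def __init__(self):
        self.balances = {}  # account (str or contract object) -> amount

    def mint(self, account, amount):
        self.balances[account] = self.balance_of(account) + amount

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balance_of(receiver) + amount
        # The hook: control passes to the receiver before transfer() returns,
        # while whatever called transfer() is still mid-execution.
        hook = getattr(receiver, "on_token_received", None)
        if hook is not None:
            hook(self, sender, amount)


class LendingPool:
    """Minimal pool: deposit collateral, borrow up to that collateral.

    cei=False: interaction (transfer out) before effect (record the debt),
               the ordering the article attributes to Compound forks.
    cei=True:  checks-effects-interactions ordering."""

    def __init__(self, token, cei):
        self.token, self.cei = token, cei
        self.collateral, self.debt = {}, {}

    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        # Check: the new debt must stay within the user's collateral.
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise RuntimeError("insufficient collateral")
        if self.cei:
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.token.transfer(self, user, amount)            # then interaction
        else:
            self.token.transfer(self, user, amount)            # interaction first
            self.debt[user] = self.debt.get(user, 0) + amount  # effect too late


class Attacker:
    """Contract that re-enters borrow() from inside the token's transfer hook."""

    def __init__(self, pool, amount):
        self.pool, self.amount, self.reentries = pool, amount, 0

    def on_token_received(self, token, sender, amount):
        # Runs while pool.borrow() is still on the call stack: the pool's
        # debt ledger (without CEI) has not yet been updated.
        if sender is self.pool and token.balance_of(self.pool) >= self.amount:
            self.reentries += 1
            self.pool.borrow(self, self.amount)

    def run(self):
        self.pool.deposit(self, self.amount)
        self.pool.borrow(self, self.amount)


def run_scenario(cei, pool_liquidity=1000, attacker_funds=100):
    """Fund a pool, run the attack as one transaction, and report the outcome.

    Constructed scenario: an honest depositor 'alice' supplies the liquidity;
    the attacker's own funds could equally come from a flash loan."""
    token = HookedToken()
    pool = LendingPool(token, cei=cei)
    attacker = Attacker(pool, attacker_funds)
    token.mint("alice", pool_liquidity)
    pool.deposit("alice", pool_liquidity)
    token.mint(attacker, attacker_funds)
    # Model EVM transaction atomicity: any raised error reverts all state.
    snapshot = (dict(token.balances), dict(pool.collateral), dict(pool.debt))
    reverted = False
    try:
        attacker.run()
    except RuntimeError:
        reverted = True
        token.balances, pool.collateral, pool.debt = (dict(d) for d in snapshot)
    return {
        "attacker_balance": token.balance_of(attacker),
        "pool_balance": token.balance_of(pool),
        "attacker_debt": pool.debt.get(attacker, 0),
        "reentries": attacker.reentries,
        "reverted": reverted,
    }


if __name__ == "__main__":
    print("interactions-before-effects:", run_scenario(cei=False))
    print("checks-effects-interactions:", run_scenario(cei=True))
```

With `cei=False` the collateral check passes on every re-entry because the debt is only written after the transfer returns, so the attacker walks away with the whole pool and a debt far larger than their collateral. With `cei=True` the second `borrow()` fails its check, the error propagates up through the hook and the transaction reverts. A re-entrancy guard (a mutex around the state-changing functions) is the other standard defence, and the listing review Gupta mentions is what catches tokens that would trigger this path in the first place.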

Popular DeFi lending platform Cream Finance, which shares a similar codebase to that of Compound, was also exploited in an $18.8 million flash loan re-entrancy attack in August last year.

Funds Are Not SAFU

According to “Shegan,” a developer at the DeFi protocol DanceFloor, the funds are not safe. However, Gnosis founder Martin Köppelmann said he would support a measure from the DAO. The teams behind Hundred Finance and Agave are currently investigating the exploits and have paused the contracts.


Source: https://cryptopotato.com/defi-protocols-agave-hundred-finance-hacked-attacker-steals-11m-worth-of-crypto/