Quick take
- Attackers exploited a reentrancy bug to steal funds using a flash loan exploit.
- The projects lost a total of $11 million in the attack, which came hours after a similar incident involving Deus Finance.
Attackers appear to have carried out flash loan reentrancy attacks on two DeFi protocols on Gnosis Chain, draining over $11 million from Agave and Hundred Finance.
Each DeFi platform confirmed the hack in a Twitter post on Tuesday, saying its contracts had been paused to prevent further damage. Deus Finance DAO also lost $3 million, making this attack the second flash loan exploit recorded today.
According to the Tenderly transaction breakdown data for both exploits, an attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a vulnerability affecting contracts written in the Solidity programming language that allows an attacker to trick a protocol contract into making an external call to an untrusted contract. When this happens, the attacker can use the untrusted contract to call back into the protocol repeatedly and drain its funds.
In the case of Agave and Hundred Finance, the attacker exploited a reentrancy bug in both protocols, paving the way for the flash loan exploits. The reentrancy vulnerability appears to center on the “callAfterTransfer” function, which allowed the attacker to keep borrowing from the protocol and drain a large amount of liquidity.
In essence, the attacker made recursive calls to drain users’ funds without providing additional collateral. The attacker then ended the exploit with a “liquidationCall” and repaid the initial flash loan while keeping a considerable amount of liquidity from both projects.
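The ordering flaw behind this kind of reentrancy, as an added Python model that is not code from Agave, Hundred Finance or the original article: a token notifies the recipient after each transfer, and a pool either sends tokens before recording the debt (vulnerable) or records the debt first (hardened). All class names, function names and amounts are hypothetical and constructed for illustration.

```python
# Simplified model of a callback-token lending pool; every name here is hypothetical.

class CallbackToken:
    """Token that notifies the recipient after each transfer."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook:
            hook(sender, amount)  # control passes to untrusted recipient code

class Pool:
    def __init__(self, token, effects_first):
        self.token, self.effects_first = token, effects_first
        self.collateral, self.debt = {}, {}

    def borrow(self, user, amount):
        if amount > self.collateral.get(user, 0) - self.debt.get(user, 0):
            raise ValueError("undercollateralized")
        if self.effects_first:   # hardened: record the debt, then transfer
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)
        else:                    # vulnerable: transfer, then record the debt
            self.token.transfer(self, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount

class CallbackBorrower:
    """Untrusted recipient whose transfer hook calls borrow() again."""
    def __init__(self, pool, retries):
        self.pool, self.retries = pool, retries

    def on_token_transfer(self, sender, amount):
        if sender is self.pool and self.retries > 0:
            self.retries -= 1
            try:
                self.pool.borrow(self, amount)
            except ValueError:
                pass  # nested borrow rejected; the outer borrow still completes

def simulate(effects_first):
    token = CallbackToken()
    pool = Pool(token, effects_first)
    token.balances[pool] = 1000               # constructed pool liquidity
    user = CallbackBorrower(pool, retries=4)
    pool.collateral[user] = 100               # covers exactly one borrow of 100
    pool.borrow(user, 100)
    return token.balances[user], pool.debt[user]
```

`simulate(False)` ends with the borrower holding five times what its collateral allows, while `simulate(True)` rejects every nested borrow at the collateral check.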
The attackers have begun laundering the funds via Tornado Cash, but at the time of writing, Etherscan had not labeled the address as related to the DeFi exploit.
Flash loan attacks continue
Agave is a Gnosis chain lending protocol and a fork of the popular Aave protocol. Hundred Finance is a multi-chain financing project and a fork of Compound.
Cream Finance, a DeFi lending protocol that shares a code base similar to Compound's, was also hit by a flash loan reentrancy attack last summer. That exploit drained $19 million in crypto tokens from the project.
© 2022 The Block Crypto, Inc. All rights reserved. This article is provided for informational purposes only. It is not intended to be provided or used as legal, tax, investment, financial, or other advice.