Not one, but two decentralized finance (DeFi) protocols – Agave and Hundred Finance – were exploited in a fresh case of a “re-entrancy” attack.
The hacker reportedly managed to siphon funds worth $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI on both DeFi protocols on the Gnosis chain using a flash loan exploit.
Gauging at the data available on Tenderly for both breaches, it was found that the hacker exploited a re-entrancy bug in the two protocols.
For the uninitiated, “re-entrancy” is a vulnerability in the Solidity programming language that enables a malicious entity to deceive a protocol’s smart contract into making an external call to an untrusted contract. After the attacker gains control of the untrusted contract, they can make recursive calls to the original function to drain its funds.
Blockchain and security researcher, Mudit Gupta, revealed that the official bridged tokens on Gnosis are the main culprit and stated that they are “non-standard and have a hook that calls the token receiver on every transfer.” He added that this is what allows re-entrancy attacks.
Agave is a fork of DeFi lending platform Aave, while the multi-chain lending project, Hundred Finance, is a fork of Compound. Gupta also claimed that Compound does not follow the recommended checks-effects-interactions pattern despite referring to it.
The re-entrancy attacks become more staggering since “the code executes interactions before applying the effects.” On the other hand, Aave tries to follow the aforementioned checks-effects-interactions pattern. However, there exists a path via liquidations using which the attacker “broke the pattern” in the recent attack. He went on to add,
“The agave and hundred protocol teams messed up by listing a token that can reenter. Aave and compound governance actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks.”
Popular DeFi lending platform Cream Finance, which shares a similar codebase to that of Compound, was also exploited in an $18.8 million flash loan reentrancy attack in August last year.
According to a developer at DeFi protocol DanceFloor, “Shegan,” the funds are not safe. However, Martin Köppelmann, the founder of Gnosis, said he would support a measure from the DAO. The team behind Hundred Finance and Agave is currently investigating the exploits and has paused the contracts.