AAVE and Compound Clones Agave and Hundred Finance Suffer $11 Million Heist
Agave and Hundred Finance DeFi protocols have suffered a severe flash loan attack via a reentrancy vulnerability on March 15, 2022, gifting the hackers $11 million.
Agave and Hundred Finance Hacked
Decentralize Finance Protocols Agave and Hundred Finance are the latest DeFi protocols to fall victim to a major hack, as rogue actors have made away with $11 million in wrapped ETH (wETH), wrapped BTC (wBTC), Chainlink ( LINK), Gnosis (GNO ), USD Coin (USDC) and wrapped XDAI (wxDAI) by taking advantage of reentrancy vulnerability on the platforms.
Both platforms recounted their ordeal in separate Twitter posts on Tuesday, revealing that their smart contracts have been suspended temporarily to forestall any unforeseen situation and limit the damages.
Following the attack, the Agave token AGVE suffered a temporary price crash before bouncing back. The Agave token dropped by 20% according to data from CoinGecko, similarly, the Hundred Finance HND token also dropped by 3.5% immediately after the announcement before bouncing back to reach a 24-hour high.
As expected, the attackers have taken measures to launder the stolen funds and cover their paths.
According to on-chain analysis, the address linked to the attackers has reportedly sent over 2,100 ETH to a crypto mixer, a crypto sector that has been under the radar of regulators in the United States.
Experts who have examined the transaction breakdown data for both exploits on Tenderly say the attacker exploited a reentrancy vulnerability that exists in both protocols.
For the uninitiated, reentrancy is a Solidity programming language vulnerability that gives room for an attacker to trick a protocol’s contract into making an external call to an untrusted contract. Once this event occurs, the hacker can then use this untrusted contract to make repeated calls to the protocol to transfer its funds.
Another Bad Day for DeFi
To exploit Agave and Hundred Finance, the attacker introduced a reentrancy bug on both protocols, a loophole that makes it easy for bad actors to orchestrate a flash loan attack.
Sources say the reentrancy vulnerability appears centered on the “call after transfer” function, which allowed intending hackers to continue borrowing funds from both protocols — and siphon off swathes of liquidity.
Consequently, the attacker was making recursive calls to rip off users without having to put up an extra amount of collateral. Then the attacker ended the exploit with a “liquidationCall,” transferring back their initial flash loan while still holding on to a significant amount of liquidity from both projects.
Agave is a Defi lending protocol on the Gnosis blockchain. The platform has created a community-driven ecosystem that allows users to borrow and lend funds while also providing access to money markets directly on-chain.
Hundred Finance is a decentralized finance platform that facilitates the lending and borrowing of cryptocurrencies. A multi-chain protocol, it integrates with Chainlink oracles to ensure market health and stability, while focusing on providing markets for long-tail assets.
Flash loan attacks are becoming increasingly popular in the crypto space.
Pancake Bunny’s price crashed after the DeFi token was hacked in 2021, leading to a permanent loss of over $200 million in an attack that has been categorized as one of the largest DeFi heists so far.
