Hackers exploited a weakness in Grim Finance’s DeFi protocol to steal around $30 million over the weekend, according to Grim Finance.
First, all vaults were shut down to prevent further attacks, according to a statement made on Twitter by Grim Finance on Saturday.
Using five reentrancy loops, the attacker was able to make five additional deposits while the platform was still processing the initial deposit transaction, which Grim Finance described as an “Advanced assault”.
“We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately,” Grim said after the incident.
To prevent further transfers of the stolen funds, Grim said it had alerted key cryptocurrency operators such as Circle (USDC), Dai (DAI), and the cross-chain protocol AnySwap about the attacker’s address.
Grim Finance’s “compounding yield optimizer” runs on Fantom, a DeFi-focused blockchain, and lets users stake liquidity tokens in vaults that apply complex compounding strategies.
The address labelled “Grim Finance Exploiter” kept transacting on Sunday, according to the FTM blockchain explorer. The exploiter’s address holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO), and $13,700 in FTM tokens.
Some in the crypto community blamed Grim Finance for the attack, claiming it failed to include reentrancy protection measures. Rugdoc.io, a DeFi security platform, said the protocol granted the user “more privilege than is necessary.”
5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token
— Rugdoc.io (@RugDocIO) December 18, 2021
Grim Finance, based on the Fantom Opera network, allows users to stake liquidity pool tokens in Grim Vaults, automatically harvesting dividends and re-staking rewards for higher yields.
Users of decentralized exchanges who contribute their own liquidity receive Liquidity Pool Tokens in return. In the decentralized finance (DeFi) sector, smart contracts replace middlemen in financial services like lending, trading, and borrowing.
Total value locked (TVL) figures from the analytics tool DeFiLlama show that the protocol had gathered over $100 million in user funds. It was safe until yesterday.
A reentrancy exploit was used to steal funds from Grim Finance. This class of exploit is common in contracts written in Solidity, the language used on Ethereum and Fantom: the vulnerable contract makes an external call to an untrusted contract before its own state is fully updated, and the untrusted contract calls back into it, letting the attacker drain the assets held by the attacked contract. This time the target was Grim Finance’s yield-compounding vaults.
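To make the two mistakes in Rugdoc’s list and the reentrancy mechanism above concrete, here is an added example of the hardened pattern; it is a hypothetical vault written for this article, not Grim Finance’s code. The deposit token is fixed at deployment instead of being supplied per call, and a reentrancy guard protects the balance-difference accounting around the external transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by the vault.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical single-asset vault (illustrative; not Grim Finance's contract).
// Shares are minted from the balance difference measured around transferFrom,
// so that measurement must not be interruptible by a callback into depositFor.
contract GuardedVault {
    // Fix 2: the deposit token is chosen by the deployer, never by the caller.
    // A per-call `token` parameter would let a caller pass a contract whose
    // transferFrom calls straight back into this vault.
    IERC20 public immutable want;

    uint256 private _status;           // 1 = not entered, 2 = entered
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    // Fix 1: a reentrancy guard on the pattern that needs it.
    modifier nonReentrant() {
        require(_status != 2, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 want_) {
        want = want_;
        _status = 1;
    }

    function depositFor(address user, uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        // External call. Without the guard, a nested depositFor could run here
        // and see the same `before` balance, minting shares more than once.
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : received * totalShares / before;
        shares[user] += minted;
        totalShares += minted;
    }
}
```

The guard makes any nested call to depositFor revert, and fixing `want` at deployment removes the attacker-controlled token contract from the call path entirely.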
It is estimated that the hackers grabbed almost $30 million in Fantom tokens. Other Fantom-based DEXs, including AnySwap and SpookySwap, appear to have already received stolen tokens, which were then swapped for other tokens, including USD Coin, a dollar-pegged stablecoin.
On Sunday, developers paused all vaults to prevent further losses. They also notified USDC issuer Circle, AnySwap, and Maker to freeze any associated assets.
The hack resulted in a mass outflow of Grim Finance’s total assets. Just $4.3 million is left in Grim Finance’s vaults, and TVL has fallen 84% in the last 24 hours.