DeFi protocol Grim Finance lost $30M in 5x reentrancy hack
WikiBit 2021-12-20 08:58An external attacker exploited the DeFi platform Grim Finance, stealing over $30 million through a reentrancy exploit of the platform’s vaults.
Helen Partz
DeFi protocol Grim Finance lost $30M in 5x reentrancy hackAn apparent security flaw in the Grim Finance protocol allowed the attacker to fake five additional deposits.
News
The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platforms deposits.
Grim Finance officially announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.
According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocols vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.
Grim paused all vaults after the attack to minimize the risk for future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”
Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.
Grim Finance positions itself as a “compounding yield optimizer” built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.
According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.
Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.”
5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token
— Rugdoc.io (@RugDocIO) December 18, 2021
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
- Token conversion
- Exchange rate conversion
- Calculation for foreign exchange purchasing
0.00