Information text

Your Location:Home>News>Main body

DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

WikiBit 2021-12-20 08:58

Abstract:An external attacker exploited the DeFi platform Grim Finance, stealing over $30 million through a reentrancy exploit of the platform’s vaults.

  Helen Partz

DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

  An apparent security flaw in the Grim Finance protocol allowed the attacker to fake five additional deposits.

  News

  The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platforms deposits.

  Grim Finance officially announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

  According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocols vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.

  Grim paused all vaults after the attack to minimize the risk for future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”

  Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.

  Grim Finance positions itself as a “compounding yield optimizer” built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.

  According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.

  Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.”

  5) So what was the big mistake of grim finance?

  1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)

  2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token

  — Rugdoc.io (@RugDocIO) December 18, 2021

Token conversion
Exchange rate conversion
Calculation for foreign exchange purchasing
/

Current Rate0

Available

-

Calculate