DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million

Quick Take

  • The attacker introduced a reentrancy bug to steal funds using a flash loan exploit.
  • The projects lost a combined $11 million in the attack, hours after a similar incident involving Deus Finance.

An attacker has siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.

The DeFi platforms each confirmed the hacks in Twitter posts on Tuesday, stating that their contracts have been paused to forestall further damage. The attack marks the second flash loan exploit recorded today as Deus Finance DAO also lost $3 million.

Examining the transaction breakdown data for both exploits on Tenderly, the attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a Solidity programming language vulnerability that allows an attacker to trick a protocol’s contract into making an external call to an untrusted contract. Once this happens, the hacker can then use this untrusted contract to make repeated calls to the protocol to drain its funds.

In the case of Agave and Hundred Finance, the attacker introduced a reentrancy bug on both protocols paving the way for a flash loan exploit. The reentrancy vulnerability appears centered on the “callAfterTransfer” function, allowing the hackers to continue borrowing from the protocols — siphoning off massive swathes of liquidity.

In essence, the attacker was making recursive calls to siphon off user funds without having to put up additional collateral. Then the attacker terminated the exploit with a “liquidationCall,” paying back their initial flash loan while still holding significant liquidity from both projects.

The attacker has begun to launder the funds via Tornado Cash, but Etherscan hasn't labeled their address as associated with a DeFi exploit as of the time of writing.

Flash loan attacks continue

Agave is a lending protocol on the Gnosis chain and is a fork of the popular Aave protocol. Hundred Finance is a multi-chain lending project and is a fork of Compound.

Cream Finance, a DeFi lending protocol that shares a similar codebase to Compound, also suffered a flash loan reentrancy attack last summer. The exploit led to the loss of $19 million in crypto tokens from the project.


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a reporter at The Block who likes to cover DeFi, NFTS, and tech-related stories. He has previously worked as a reporter for Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score.