DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million

Quick Take

  • The attacker introduced a reentrancy bug to steal funds using a flash loan exploit.
  • The projects lost a combined $11 million in the attack, hours after a similar incident involving Deus Finance.

An attacker has siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.

The DeFi platforms each confirmed the hacks in Twitter posts on Tuesday, stating that their contracts have been paused to forestall further damage. The attack marks the second flash loan exploit recorded today as Deus Finance DAO also lost $3 million.

The transaction breakdown data for both exploits on Tenderly shows that the attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a vulnerability in Solidity smart contracts that allows an attacker to trick a protocol’s contract into making an external call to an untrusted contract before it has finished updating its own state. Once this happens, the hacker can use this untrusted contract to make repeated calls back into the protocol to drain its funds.

In the case of Agave and Hundred Finance, the attacker introduced a reentrancy bug on both protocols paving the way for a flash loan exploit. The reentrancy vulnerability appears centered on the “callAfterTransfer” function, allowing the hackers to continue borrowing from the protocols — siphoning off massive swathes of liquidity.
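The following is an added illustration of the vulnerability class described above, not code from Agave, Hundred Finance or any audit of them. It uses a deliberately simplified lending pool (collateral counted 1:1, no interest) and a hypothetical token interface, `IHookedToken`, that stands in for any token whose transfer hands control to the recipient contract via a callback; the contract and function names are assumptions chosen for the example. The first contract places the external token transfer before the debt is recorded, so a callback can re-enter `borrow()` while the collateral check still passes; the second applies the checks-effects-interactions ordering and a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical interface (assumption for this example) modelling a token that
// notifies the recipient contract during a transfer. Any such callback hands
// execution to an untrusted contract before the caller's function has finished.
interface IHookedToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: borrowed tokens are sent out (external call) BEFORE the
// debt is recorded, so the collateral check is evaluated against stale state.
contract VulnerablePool {
    IHookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(IHookedToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        // Check: borrower must stay within the collateral limit (simplified 1:1).
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        // Interaction BEFORE effect: if the token calls back into msg.sender,
        // that contract sees debt[msg.sender] unchanged and can re-enter
        // borrow(), passing the same check again on each nested call.
        require(token.transfer(msg.sender, amount), "transfer failed");
        debt[msg.sender] += amount; // effect recorded only after control returns
    }
}

// HARDENED form: state is updated before any external call, and a lock rejects
// nested calls into the pool while a guarded function is still executing.
contract HardenedPool {
    IHookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private _locked = 1; // 1 = free, 2 = entered

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IHookedToken _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external nonReentrant {
        // Check
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        // Effect: record the debt before control can leave this contract.
        debt[msg.sender] += amount;
        // Interaction last: a callback that re-enters borrow() now both sees the
        // updated debt and is rejected by the lock.
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Two points about the fix. Reordering to checks-effects-interactions is the primary defence, because it makes every check run against current state regardless of who is called; the lock is a second layer that stops nested entry into this contract's guarded functions. A lock alone is not enough when several contracts share state (for instance a pool whose balances are read by another protocol), since a callback can re-enter a different contract that trusts the stale values, so the state-before-call ordering has to hold in every function that performs an external transfer or callback.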
