DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million

Quick Take

  • The attacker exploited a reentrancy vulnerability in both protocols, using a flash loan to fund the attack.
  • The projects lost a combined $11 million in the attack, hours after a similar incident involving Deus Finance.

An attacker has siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.

The DeFi platforms each confirmed the hacks in Twitter posts on Tuesday, stating that their contracts have been paused to forestall further damage. The attack marks the second flash loan exploit recorded today as Deus Finance DAO also lost $3 million.

Examining the transaction breakdown data for both exploits on Tenderly, the attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a smart contract vulnerability, common in Solidity code, in which a contract makes an external call to an untrusted contract before it has finished updating its own state. The untrusted contract can then call back into the original function while that state is still stale, repeating the operation over and over to drain the protocol's funds.

In the case of Agave and Hundred Finance, the attacker exploited a reentrancy vulnerability in both protocols, with a flash loan supplying the initial capital. The reentrancy appears centered on the "callAfterTransfer" function, a token transfer hook that hands control to the recipient in the middle of a transfer, allowing the attacker to re-enter the lending logic and keep borrowing from the protocols, siphoning off large swathes of liquidity.

In essence, the attacker made recursive calls that drew out user funds without putting up additional collateral. The attacker then closed out the exploit with a "liquidationCall", repaying the initial flash loan while still holding significant liquidity from both projects.
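To make the mechanism concrete, the following is an added simulation written for this page; it is not the Agave, Hundred Finance or Gnosis token code. It models a lending pool that pays out a token with a transfer hook (loosely standing in for the "callAfterTransfer" behaviour mentioned above, an assumption about how the hook fires) before it records the borrower's debt, an attacker contract that re-enters borrow() from inside that hook, and a hardened pool that records the debt first and refuses reentrant calls. All class names, balances and the LTV figure are constructed for the example.

```python
"""Added simulation of the lending-pool reentrancy pattern (illustrative code,
not the exploited protocols' contracts). Names and numbers are constructed."""

# Registry of "contract" addresses that receive a callback on token transfer.
CONTRACTS = {}


class HookedToken:
    """Token whose transfer() calls back into the recipient, loosely modelling a
    callAfterTransfer / onTokenTransfer hook (assumption: the hook fires on
    every transfer to a registered contract)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        hook = CONTRACTS.get(recipient)
        if hook is not None:
            hook.on_token_transfer(sender, amount)  # control leaves the pool here


class VulnerablePool:
    """Over-collateralised lender that pays out BEFORE recording the debt."""
    LTV = 0.8  # constructed parameter: borrow up to 80% of collateral value

    def __init__(self, token, address="pool"):
        self.token, self.address = token, address
        self.collateral, self.debt = {}, {}

    def deposit(self, user, amount):
        self.token.transfer(user, self.address, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check(self, user, amount):
        if self.debt.get(user, 0) + amount > self.LTV * self.collateral.get(user, 0):
            raise ValueError("under-collateralised")

    def borrow(self, user, amount):
        self._check(user, amount)
        self.token.transfer(self.address, user, amount)    # interaction first...
        self.debt[user] = self.debt.get(user, 0) + amount  # ...effect afterwards (the bug)


class HardenedPool(VulnerablePool):
    """Same pool with a reentrancy guard and checks-effects-interactions ordering."""

    def __init__(self, token, address="pool"):
        super().__init__(token, address)
        self._locked = False

    def borrow(self, user, amount):
        if self._locked:
            raise RuntimeError("reentrant call")
        self._locked = True
        try:
            self._check(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.token.transfer(self.address, user, amount)    # interaction last
        finally:
            self._locked = False


class Attacker:
    """Contract that deposits collateral once, then re-borrows from inside the
    transfer hook while its debt is still unrecorded."""

    def __init__(self, token, pool, address="attacker"):
        self.token, self.pool, self.address = token, pool, address
        CONTRACTS[address] = self

    def on_token_transfer(self, sender, amount):
        if sender != self.pool.address:
            return
        if self.token.balance_of(self.pool.address) >= amount:
            try:
                self.pool.borrow(self.address, amount)  # re-enter the pool
            except (ValueError, RuntimeError):
                pass  # inner call reverted; the outer borrow still completes

    def attack(self, collateral, loan):
        self.pool.deposit(self.address, collateral)
        self.pool.borrow(self.address, loan)


def run_attack(pool_cls):
    """Returns (attacker token balance, attacker recorded debt, pool token balance)."""
    CONTRACTS.clear()
    # Constructed balances: 10,000 of other users' liquidity, 1,000 flash-loaned capital.
    token = HookedToken({"pool": 10_000, "attacker": 1_000})
    pool = pool_cls(token)
    Attacker(token, pool).attack(collateral=1_000, loan=800)
    return (token.balance_of("attacker"), pool.debt.get("attacker", 0),
            token.balance_of("pool"))


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerablePool))  # (10400, 10400, 600)
    print("hardened:  ", run_attack(HardenedPool))    # (800, 800, 10200)
```

Against the vulnerable pool the attacker's 1,000 of collateral supports thirteen nested borrows of 800, because every collateral check runs before any debt has been written; the debt that is finally recorded (10,400) far exceeds the collateral, so it can never be recovered by liquidation. Against the hardened pool the nested call is rejected, and even without the lock the effects-first ordering would make the second collateral check fail.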


The attacker has begun to launder the funds via Tornado Cash, but as of the time of writing Etherscan had not labeled the address as associated with a DeFi exploit.

Flash loan attacks continue

Agave is a lending protocol on the Gnosis chain and is a fork of the popular Aave protocol. Hundred Finance is a multi-chain lending project and is a fork of Compound.

Cream Finance, a DeFi lending protocol whose codebase is similar to Compound's, also suffered a flash loan reentrancy attack last summer. That exploit led to the loss of $19 million in crypto tokens from the project.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.