Advertisement
Advertisement

Defi Protocols Agave and Hundred Finance Suffer Hack of $11M

By:
Varuni Trivedi
Updated: Mar 16, 2022, 15:49 GMT+00:00

Another Defi exploit has led Agave and Hundred Finance to pause operations while investigations continue to figure out the hack.

FXempire, Defi, Crypto, Hack

In this article:

Key Insights:

  • Over $11 million from Agave and Hundred Finance was wiped off in the latest Defi exploit.
  • The attacker introduced a reentrancy bug and used a flash loan exploit to siphon funds.
  • After the protocols announced the hack, their native tokens saw a dip.

Defi protocols getting hacked have been synonymous with crypto markets as crypto crimes have risen over the years. On Tuesday, another Defi exploit came to light when an attacker siphoned over $11 million from Agave and Hundred Finance.

Flash Loan Reentrancy Attacks

Over $11 million has been wiped off in what appears to be a flash loan reentrancy attack on both Defi protocols on the Gnosis chain. The hacker took the stolen funds in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI.

Both the Defi platforms confirmed the hacks through Twitter posts on Tuesday, stating that their contracts have been paused to avoid further damage. Agave also mentioned that their team is currently investigating the exploit on the Agave finance protocol.

The attacker exploited a reentrancy vulnerability in the two Defi protocols.

Reentrancy is a Solidity programming language vulnerability that lets an attacker trick a protocol’s contract into making an external call to an untrusted contract.

After the call happens, the hacker can use this suspicious contract to make repeated calls to the protocol to wash away its funds.

For Agave and Hundred Finance, the hacker introduced a reentrancy bug on both protocols allowing for a flash loan exploit. The same allowed hackers to continue borrowing from the protocols.

Seemingly, the attacker was making repetitive calls to withdraw funds without putting up additional collateral. Notably, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer to launder the stolen tokens.

Blockchain security researcher Mudit Gupta thinks that the hack was possible because the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. The same enables reentrancy attacks.

Defi Attacks Rising

The recent attack marks the second flash loan exploit on the same day after Deus Finance DAO lost $3 million in a similar attack. Agave is a fork of the lending protocol Aave.

Gupta, however, believes that the difference between Aave and Agave is that ‘Aave actively checks for reentrancy before listing tokens on the main net to avoid similar attacks.’

After the attack, both the protocols’ tokens saw a price decline. AGVE, the token of non-custodial money market and lending protocol Agave, lost over 25% value on Tuesday. Likewise, after announcing the exploit, Hundred Finances’ token HND was down 5.8%.

Notably, Cream Finance, another Defi lending protocol with a similar codebase to Compound, suffered a flash loan reentrancy attack last summer. The exploit led to a $19 million loss in crypto from the protocol.

About the Author

A Journalism post-graduate with a keen interest in emerging markets across South East Asia, Varuni’s interest lies in the Blockchain technology. As a financial journalist, she covers metric and data-driven stories with a tinge of commentary, and strongly believes in HODLing.

Advertisement