Defi Protocols Agave and Hundred Finance Suffer Hack of $11M

Key Insights

  • In the latest Defi exploit, over $11 million was drained from Agave and Hundred Finance.

  • The attacker exploited a reentrancy bug, combined with flash loans, to siphon funds.

  • After the protocols announced the hack, their native tokens saw a dip.

Hacks of Defi protocols have become a fixture of crypto markets as crypto crime has risen over the years. Another Defi exploit came to light on Tuesday when an attacker siphoned over $11 million from Agave and Hundred Finance.

Flash Loan Reentrancy Attacks

Over $11 million has been wiped off in what appears to be a flash loan reentrancy attack on both Defi protocols on the Gnosis chain. The hacker took the stolen funds in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI.

Both Defi platforms confirmed the hacks through Twitter posts on Tuesday, stating that their contracts had been paused to avoid further damage. Agave also said that its team was investigating the exploit on the Agave finance protocol.

The attacker exploited a reentrancy vulnerability in the two Defi protocols.

Reentrancy is a vulnerability in Solidity smart contracts that lets an attacker trick a protocol’s contract into making an external call to an untrusted contract. While that call is in progress, the untrusted contract can call back into the protocol repeatedly, before the protocol has updated its own state, and drain its funds.

For Agave and Hundred Finance, the hacker exploited a reentrancy bug in both protocols, combined with flash loans to supply the upfront capital. This let the attacker keep borrowing from the protocols.

Seemingly, the attacker was making repetitive calls to withdraw funds without putting up additional collateral. Notably, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer to launder the stolen tokens.

Blockchain security researcher Mudit Gupta thinks that the hack was possible because the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. That hook is what makes reentrancy attacks possible.
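A constructed toy model of the mechanism described in the two passages above, added here as an example (it is not code from Agave, Hundred Finance or any real token): a token whose transfer calls the receiver back, a pool that pays out before recording the debt, and the hardened pool beside it. All class names and amounts are invented.

```python
class HookedToken:
    """Token that calls the receiver back on every transfer (stand-in for the bridged tokens)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        hook = getattr(receiver, "tokens_received", None)
        if hook is not None:
            hook()  # external call: the receiver runs its own code mid-transfer

class NaivePool:
    """Checks collateral, pays out, then records the debt: the check is stale during the hook."""
    def __init__(self, token):
        self.token, self.debt = token, {}
    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > user.collateral:
            raise RuntimeError("undercollateralised")
        self.token.transfer(self, user, amount)             # hook fires here
        self.debt[user] = self.debt.get(user, 0) + amount   # recorded too late

class SafePool(NaivePool):
    """Checks-effects-interactions: the debt is on the books before any external call."""
    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > user.collateral:
            raise RuntimeError("undercollateralised")
        self.debt[user] = self.debt.get(user, 0) + amount   # record debt first
        self.token.transfer(self, user, amount)             # nested call now fails the check

class Borrower:
    """Receiver whose hook calls borrow() again while the pool is mid-call."""
    def __init__(self, pool, collateral):
        self.pool, self.collateral = pool, collateral
    def tokens_received(self):
        if self.pool.token.balances[self.pool] >= self.collateral:
            try:
                self.pool.borrow(self, self.collateral)
            except RuntimeError:
                pass  # the hardened pool rejects the nested call; nothing more to do

def run(pool_cls, liquidity=500, collateral=100):
    """Borrow once against `collateral`; return what the borrower holds afterwards."""
    token = HookedToken()
    pool = pool_cls(token)
    token.balances[pool] = liquidity
    borrower = Borrower(pool, collateral)
    pool.borrow(borrower, collateral)
    return token.balances[borrower]
```

`run(NaivePool)` hands out all 500 units against 100 of collateral, while `run(SafePool)` pays out only the 100 that is actually backed. Production contracts usually add a reentrancy guard (a mutex on the entry point) as a second layer on top of this ordering.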

Defi Attacks Rising

The recent attack marks the second flash loan exploit on the same day after Deus Finance DAO lost $3 million in a similar attack. Agave is a fork of the lending protocol Aave.

Gupta, however, believes that the difference between Aave and Agave is that ‘Aave actively checks for reentrancy before listing tokens on the main net to avoid similar attacks.’

After the attack, both protocols’ tokens saw a price decline. AGVE, the token of the non-custodial money market and lending protocol Agave, lost over 25% of its price on Tuesday. Likewise, after announcing the exploit, Hundred Finance’s token HND was down 5.8%.

Notably, Cream Finance, another Defi lending protocol with a similar codebase to Compound, suffered a flash loan reentrancy attack last summer. The exploit led to a $19 million loss in crypto from the protocol.

This article was originally posted on FX Empire