‘Unlucky’: Agave and Hundred Finance DeFi protocols exploited for $11M

Published at: March 16, 2022

A hacker has made off with approximately $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI after using a “re-entrancy” attack on DeFi lending protocol applications Agave and Hundred Finance.

The attack comes within 24 hours of news breaking of the Deus Finance exploit, where hackers stole over $3 million in Dai and Ethereum from the lending contract platform.

Agave’s token, AGVE, dropped by 20 per cent following the attack, according to data from CoinGecko. Hundred Finance’s token, HND, fell 3.5 per cent after it announced the exploit, but it has since recovered to hit a 24-hour high.

“Agave is currently investigating an exploit on the agave finance protocol,” Agave tweeted on Tuesday 15th at 1:30pm UTC. “We will update you as soon as we know more.” It noted that the contracts have been paused until the situation is resolved.

The Hundred Finance team also tweeted that it had been exploited on Gnosis Chain and had paused its markets while it investigated.

According to on-chain analysis, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.


Solidity developer Shegen (@shegenerates), creator of an NFT liquidity protocol app, tweeted that she lost $225,000 in the exploit, and that her investigation found the attack worked by exploiting a wETH contract function on Gnosis Chain that let the attacker keep borrowing crypto before the apps could calculate the debt, which would otherwise have prevented further borrowing.

The attacker ran this exploit repeatedly, borrowing again and again against the same collateral they had posted until the protocols’ funds were drained.
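The pattern described above, as an added Solidity sketch that is not Agave’s, Aave’s or Hundred Finance’s code: a pool whose borrow() hands out a callback-bearing token before it records the debt, beside the same function protected by a re-entrancy guard and the checks-effects-interactions order. The token interface, the contract and variable names and the single-asset accounting are assumptions, and collateral deposits are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical token whose transfer() runs a hook on the receiver, as
// ERC-777-style bridged tokens do (assumption for illustration only).
interface ICallbackToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified pool: one collateral balance and one debt balance per user.
contract VulnerablePool {
    ICallbackToken public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(ICallbackToken _asset) { asset = _asset; }

    // Bug: the external transfer (and the receiver hook it triggers) runs
    // BEFORE the debt is written, so a hook can call borrow() again while
    // debt[msg.sender] still holds the old value and the check still passes.
    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        asset.transfer(msg.sender, amount);   // interaction first ...
        debt[msg.sender] += amount;           // ... effect last: too late
    }
}

// Hardened: a mutex rejects any re-entrant call, and the debt is recorded
// before the token transfer, so even without the mutex the second check
// would see the updated debt and fail.
contract GuardedPool {
    ICallbackToken public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(ICallbackToken _asset) { asset = _asset; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        debt[msg.sender] += amount;                                   // effect ...
        require(asset.transfer(msg.sender, amount), "transfer failed"); // ... then interaction
    }
}
```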

Shegen told Cointelegraph that the smart contract on Agave is essentially the same as Aave’s, which secures $18.4B. “Every security researcher has audited it,” she said, “so it’s reasonable to assume the contract is safe.”

“I think this hack stands out more than some bigger ones,” Shegen said, noting that even if it's a smaller hack compared to others that stole millions more, the similarity to Aave meant “it seems top tier safe, but wasn't, and that break of trust hurts.”

“It’s like you can’t even trust ‘safe’ code.”

Blockchain security researcher Mudit Gupta said the difference between Aave and Agave is that “Aave actively checks for re-entrancy before listing tokens on the main net to avoid similar attacks.”

Shegen stated that she did not blame the Agave developers for failing to prevent the attack.

“Agave was used in an unsafe way,” she said. “Maybe the developer should not have allowed tokens with callbacks in them to be used in the platform, or added more re-entrancy guards.”

“Curve, for example, was not hacked today, because it has extra re-entrancy guards, but I don't really blame Luigy and the Agave team because it's so unlikely that this would have happened, and slipped past many people.”

Shegen also did not blame Gnosis for creating tokens with a callback function, which the hacker exploited, saying that the feature stops users from accidentally losing their crypto.

“That's actually a great feature for bridged tokens, it's just a really unfortunate, and unlucky circumstance in my opinion.”
