DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

Published at: Dec. 20, 2021

The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.

Grim Finance officially announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.

Grim paused all vaults after the attack to minimize the risk for future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”

Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.

Grim Finance positions itself as a “compounding yield optimizer” built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.

According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.

Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.”

5) So what was the big mistake of grim finance?1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token

— Rugdoc.io (@RugDocIO) December 18, 2021

Related: Finance Redefined: Two DeFi hacks top $120M, and $500M Algo Fund launches, Nov. 26–Dec. 3

The rising popularity of DeFi has triggered a number of new challenges for the cryptocurrency industry as hackers were rushing to exploit the flaws of the emerging industry. In early December, DeFi protocol BadgerDAO was reportedly exploited to the tune of $120 million.

Tags
Related Posts
Cream Finance to repay stolen Ether and Amp via protocol fees
Decentralized finance (DeFi) protocol Cream Finance will pay back its users following a $18.8 million flash loan hack that occurred on Aug. 30. Cream has published a post-mortem to the AMP flash loan exploit, promising to replace the stolen Ether (ETH) and Amp (AMP) tokens by allocating 20% of all protocol fees until the debt is paid entirely. Cream will also post collateral with relevant parties at AMP and its creators, Flexa digital payments network, to secure the debt. According to the post-mortem report, the latest flash loan exploit was the first time Cream Finance has suffered a direct exploit, …
Decentralization / Sept. 1, 2021
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
Poly Network hacker appears ready to return stolen funds
Following a massive $600-million exploit of cross-chain protocol Poly Network, the Poly Network hacker has claimed his willingness to return the stolen cryptocurrency funds. At about 4:00 am UTC on Wednesday, the hacker sent an Ethereum transaction to themselves, stating that they were “ready to return the fund” in an embedded transaction message. In a subsequent message, the hacker asked for a multisig wallet address to return the funds to Poly Network. “Failed to contact the poly. I need a secured multisig wallet from you,” the hacker noted. Poly Network’s Twitter account posted an update on Wednesday, providing three separate …
Decentralization / Aug. 11, 2021
The radical need for updating blockchain security protocols
Decentralized finance (DeFi) is here to stay with over $100 billion in total value locked (TVL), highlighting the evidence of faith in these new financial tools. This investment will continue to increase, but it appears that with each new record in TVL, there is another network attack being reported with astronomical losses. Crypto crime dropped 57% in 2020, but DeFi hacks surged, costing companies and investors billions of U.S. dollars. In March alone, there were several attacks within just a five-day period, with Paid Network losing $180 million. Later in May, PancakeBunny lost more than $200 million in a flash …
Decentralization / June 25, 2021
ImmuneFi report $10B in DeFi hacks and losses across 2021
Decentralized finance, or DeFi, security platform and bug bounty service ImmuneFi published an official report on Thursday which calculated the total volume of losses in the cryptocurrency markets in 2021. According to its report, the company found that losses resulting from hacks, scams and other malicious activities exceeded $10.2 billion dollars over the past year. Responsible for protecting over $100 billion worth of assets for a number of well-established DeFi protocols, including Synthetix, Chainlink, SushiSwap and PancakeSwap, among others, ImmuneFi has regularly facilitating seven-figure pay-outs to whitehat hackers and other good-willed entities for preventing protocol compromises. According to the report, …
Decentralization / Jan. 7, 2022