DeFi protocol Grim Finance loses $30M in 5x reentrancy hack
The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses because of a reentrancy exploit targeting the platform’s vault deposits.
Grim Finance formally announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.
According to Grim Finance, the hack was an “advanced attack”: the attacker exploited the protocol’s vault contract through five reentrancy loops, which allowed them to fake five extra deposits into a vault while the platform was still processing the first deposit.
Grim paused all vaults after the attack to minimize the risk to future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”
Grim noted that it also notified entities involved in operating major cryptocurrencies such as Circle (USDC), DAI, and the cross-chain protocol AnySwap about the attacker’s address, so that further fund transfers could be frozen.
Grim Finance positions itself as a “compounding yield optimizer” built on the DeFi-focused blockchain protocol Fantom, allowing users to stake liquidity provider tokens through complex vault strategies.
According to Fantom (FTM) Blockchain Explorer data, the Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses linked to the exploit holds $1.2 million in Bitcoin (BTC) and $1.7 million in SpookyToken (BOO), alongside $13,700 in FTM tokens.
Some in the crypto community suggested that Grim Finance should bear responsibility for the exploit because it failed to adopt proper reentrancy protection. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.”
5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token
— Rugdoc.io (@RugDocIO) December 18, 2021
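The two mistakes Rugdoc lists, shown side by side as an added illustration (this is example code written for this article, not Grim Finance’s vault contract): a minimal vault whose `deposit` lets the caller pick the token and mints shares from a balance difference measured around an external call, followed by a hardened version with a fixed deposit token and a reentrancy lock. The contract names, the `want` token and the share formula are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not Grim Finance's code): a minimal ERC-20 vault with the
// two defects Rugdoc describes, followed by a hardened version.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Defective pattern: the caller picks the token, and shares are minted from a
// balance difference measured around an external call.
contract VulnerableVault {
    IERC20 public immutable want;                 // token the vault accounts for
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _want) { want = _want; }

    function deposit(IERC20 token, uint256 amount) external {
        uint256 before = want.balanceOf(address(this));
        // External call into code chosen by the caller. A token with a transfer
        // hook (ERC-777 style) can call deposit() again before this frame
        // finishes; every nested frame snapshots the same `before` value.
        token.transferFrom(msg.sender, address(this), amount);
        // If one real transfer of `want` lands in the innermost frame, each
        // outer frame observes the same positive difference when it resumes
        // and mints shares for it again: one deposit credited N times.
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = totalShares == 0 ? received : (received * totalShares) / before;
        totalShares += minted;
        shares[msg.sender] += minted;
    }
}

// Hardened pattern: the deposit token is fixed at construction, and a mutex
// rejects any nested call into deposit() while a deposit is in progress.
contract HardenedVault {
    IERC20 public immutable want;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    uint256 private _status = 1;                  // 1 = idle, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 _want) { want = _want; }

    // Caller supplies only an amount; the token is always `want`.
    function deposit(uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Balance-difference accounting is safe here because the lock
        // guarantees no second deposit() frame runs between the two reads.
        uint256 received = want.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        uint256 minted = totalShares == 0 ? received : (received * totalShares) / before;
        totalShares += minted;
        shares[msg.sender] += minted;
    }
}
```

The hand-rolled `nonReentrant` modifier above mirrors the structure of OpenZeppelin’s `ReentrancyGuard`, which is what a production vault would normally import, together with `SafeERC20` for tokens that do not return a boolean from `transferFrom`. Either fix on its own narrows the problem; removing the caller-chosen token takes away the hook, and the lock rejects the nested call even if some other external call remains in the path.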
Related: Finance Redefined: Two DeFi hacks top $120M, and $500M Algo Fund launches, Nov. 26–Dec. 3
The growing popularity of DeFi has created numerous new challenges for the cryptocurrency industry, as hackers rush to exploit the weaknesses of the emerging sector. In early December, DeFi protocol BadgerDAO was reportedly exploited to the tune of $120 million.