A hacker stole approximately $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI in a "reentrancy" attack on the DeFi lending protocols Agave and Hundred Finance.
The attack came within 24 hours of news of the Deus Finance breach, in which hackers stole more than $3 million in Dai and ETH from the lending platform.
Agave's token, AGVE, fell 20% after the attack, according to data from CoinGecko. Hundred Finance's token, HND, fell 3.5% after the breach was announced but has since recovered to a 24-hour high.
"Agave is currently investigating a vulnerability in the Agave Finance protocol," Agave tweeted at 1:30 pm UTC on Tuesday the 15th. "We will update you as soon as we know more information." It noted that the contract has been suspended until the situation is resolved.
The Hundred Finance team also tweeted that it had been exploited on the Gnosis Chain and suspended its marketplace while it investigates.
According to on-chain analysis, addresses associated with the attackers have sent over 2,100 ETH, worth more than $5.5 million, to a cryptocurrency mixer in an attempt to launder the stolen coins.
Solidity developer and NFT liquidity protocol creator Shegen (@shegenerates) tweeted that she lost $225,000 in the exploit. Her investigation found that the attack abused a function of the wrapped ETH (wETH) contract on the Gnosis Chain that lets an attacker keep borrowing before the application has calculated the debt that would otherwise block further borrowing.
Attackers exploit this vulnerability by repeatedly borrowing against the same collateral they posted until the protocol's funds are drained.
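The mechanism described above, as an added illustration that is not code from the article or from any of the protocols it names: a toy lending pool in Python, a token that calls back into the recipient on every transfer (the hook is modelled on ERC-777-style callbacks; the exact hook of the bridged wETH is an assumption here), and a recipient that re-enters `borrow()` from inside that callback. The vulnerable pool pays out before it records the debt, so every nested call passes the collateral check; the hardened pool records the debt first and refuses nested calls with a guard. All names, balances and amounts are constructed.

```python
"""Toy model of the callback-token reentrancy (constructed example).

A lending pool lets a user borrow up to the collateral they posted. The
borrowed token hands control to the recipient on every transfer. In the
vulnerable pool the transfer, and so the callback, happens before the new
debt is recorded, so a recipient that re-enters borrow() from inside the
callback still passes the collateral check. The hardened pool records the
debt first (checks-effects-interactions) and rejects nested calls.
"""
from __future__ import annotations

from typing import Protocol


class Recipient(Protocol):
    def tokens_received(self, amount: int) -> None: ...


class HookToken:
    """Stand-in for a bridged token that notifies the recipient on each transfer."""

    def __init__(self, pool_liquidity: int) -> None:
        self.balances: dict[str, int] = {"pool": pool_liquidity}
        self.hooks: dict[str, Recipient] = {}

    def register_hook(self, account: str, hook: Recipient) -> None:
        self.hooks[account] = hook

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        hook = self.hooks.get(dst)
        if hook is not None:
            hook.tokens_received(amount)  # control passes to the recipient here


class VulnerablePool:
    """Interaction (transfer + callback) runs before the debt is written."""

    def __init__(self, token: HookToken) -> None:
        self.token = token
        self.collateral: dict[str, int] = {}
        self.debt: dict[str, int] = {}

    def deposit_collateral(self, user: str, amount: int) -> None:
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check(self, user: str, amount: int) -> None:
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("undercollateralised")

    def borrow(self, user: str, amount: int) -> None:
        self._check(user, amount)
        self.token.transfer("pool", user, amount)          # callback fires here
        self.debt[user] = self.debt.get(user, 0) + amount  # recorded too late


class HardenedPool(VulnerablePool):
    """Debt is recorded before the transfer, and nested calls are refused."""

    def __init__(self, token: HookToken) -> None:
        super().__init__(token)
        self._entered = False

    def borrow(self, user: str, amount: int) -> None:
        if self._entered:
            raise RuntimeError("reentrant call rejected")  # nonReentrant-style guard
        self._entered = True
        try:
            self._check(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.token.transfer("pool", user, amount)          # interaction last
        finally:
            self._entered = False


class ReenteringRecipient:
    """Recipient whose callback calls borrow() again while the first call is in flight."""

    def __init__(self, pool: VulnerablePool, name: str, amount: int, extra_calls: int) -> None:
        self.pool, self.name, self.amount = pool, name, amount
        self.remaining = extra_calls

    def tokens_received(self, amount: int) -> None:
        if self.remaining == 0:
            return
        self.remaining -= 1
        try:
            self.pool.borrow(self.name, self.amount)
        except (ValueError, RuntimeError):
            pass  # like a Solidity try/catch: a rejected nested call does not undo the outer one


def simulate(pool_cls: type[VulnerablePool], collateral: int = 100,
             extra_calls: int = 5, liquidity: int = 1_000) -> dict[str, int]:
    """Post `collateral`, borrow once, and report what the user got versus what was booked."""
    token = HookToken(liquidity)
    pool = pool_cls(token)
    user = "user"
    pool.deposit_collateral(user, collateral)
    token.register_hook(user, ReenteringRecipient(pool, user, collateral, extra_calls))
    pool.borrow(user, collateral)
    return {"collateral": collateral, "received": token.balances.get(user, 0),
            "debt": pool.debt.get(user, 0), "pool_left": token.balances["pool"]}


if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        print(cls.__name__, simulate(cls))
```

With the defaults, the vulnerable pool pays out six times the collateral from a single `borrow()` call and only then books a debt the position can never cover, while the hardened pool pays out once. Either fix alone stops this toy: writing the debt before the transfer makes the re-entered check fail, and the guard refuses the nested call outright, which is the "extra reentrancy protection" the article's sources contrast with Agave. A position whose booked debt exceeds its collateral immediately after one borrow is the accounting signature a monitor can alert on.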
Shegen told Cointelegraph that the smart contract on Agave is essentially the same as Aave's, which secures $18.4 billion. "It's been audited by every security researcher," she said, "so it's reasonable to assume that the contract is secure."
"I think this hack is more notable than other larger attacks," Shegen said. The hack was small compared with other hacks that have stolen millions of dollars, she noted, but the similarities to Aave mean that "it appears to be top-level security, but it's not, and it hurts that trust to be broken."
"It's like you can't even trust 'secure' code."
Mudit Gupta, a blockchain security researcher, said that the difference between Aave and Agave is that "Aave will actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks."
Shegen said she doesn't blame Agave's developers for failing to prevent the attack.
"Agave is being used in an insecure way," she said. "Maybe developers should not allow tokens with callbacks to be used on the platform, or add more reentrancy protection."
"Curve, for example, wasn't hacked today because it had extra re-entrancy protection, but I don't actually blame Luigy and the Agave team because it's very unlikely to happen, and it passed a lot of people."
Shegen also did not point the blame at Gnosis, even though it created the callback-enabled token the hackers exploited. Shegen said this feature can prevent users from accidentally losing their cryptocurrency.
“This is actually a function of a good bridge token, and it’s just a very unfortunate, unlucky situation in my opinion.”