A hacker stole $11 million worth of cryptocurrencies after attacking DeFi lending protocol apps Agave and Hundred Finance.
Hacker Stole $11M In DeFi Attack
The hacker stole around $11M in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis and Wrapped XDAI after using a “re-entrancy” attack on DeFi lending protocol apps Agave and Hundred Finance.
The attack comes 24 hours after the news of the Deus Finance exploit, in which hackers stole over $3 million in Dai and Ethereum from the loan agreement platform.
According to data from CoinMarketCap, Agave’s token AGVE has dropped over 20 percent after the attack. Hundred Finance’s token HND, on the other hand, recorded a drop of up to 10 percent immediately after the announcement of the attack.
Agave reported the attack on its Twitter account on Tuesday, 15th at 13:30 UTC, making the following statement:
Agave is currently investigating an exploit in the Agave finance protocol. We’ll let you know as soon as we know more. We stopped the contracts on the platform until we figured out how to fix the issue.
The Hundred Finance team also tweeted that the Gnosis chain was being abused and paused their markets while they continued their investigation.
According to the on-chain analysis, the address associated with the attacker spent more than 2,100 ETH worth over $5.5 million to launder stolen tokens.
Shegen, a Solidity developer and creator of an NFT liquidity protocol implementation, tweeted that he lost $225,000 in the exploit. His investigation revealed that the attack exploited a wETH contract function on the Gnosis Chain that allowed the attacker to continue borrowing cryptocurrencies.
The attacker exploited this vulnerability and continually borrowed against the collateral they had posted until the funds were withdrawn from the protocols.
In his statements, Shegen said that although the smart contract on Agave is basically the same as Aave, which has secured $18.4 billion, every security researcher has audited it, so it does not make sense to assume that the contract is secure.
Difference Between Aave and Agave
The difference between Aave and Agave is, “Aave actively checks for re-entry before listing tokens on the mainnet to avoid similar attacks,” said blockchain security researcher Mudit Gupta.
Shegen stated that he did not blame the Agave developers for not being able to prevent the attack, and said:
Agave has been used unsafely. Perhaps the developer should either not allow tokens with callbacks to be used on the platform or add more re-entry protection.
For example, Curve didn’t get hacked today because it has some extra re-entry protections, but I don’t really blame Luigy and team Agave because it’s very unlikely to happen and has left a lot of people behind.
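The repeated borrowing through a token callback described above, next to a pool with the kind of re-entry protection the quotes mention, as an added Python model that is not code from Agave, Hundred Finance, Aave or Curve. All class and function names are hypothetical and the balances are constructed; the guarded pool combines a re-entry lock with the standard practice of recording the debt before paying out.

```python
class CallbackToken:  # constructed model: transfer() notifies the receiver
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        # Control passes to the receiver while the caller is still mid-call.
        getattr(receiver, "on_token_transfer", lambda s, a: None)(sender, amount)

class UnsafePool:  # pays out first, records the debt afterwards
    def __init__(self, token, liquidity):
        self.token, self.collateral, self.debt = token, {}, {}
        token.balances[self] = liquidity
    def check(self, user, amount):
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise PermissionError("undercollateralized")
    def borrow(self, user, amount):
        self.check(user, amount)
        self.token.transfer(self, user, amount)            # interaction
        self.debt[user] = self.debt.get(user, 0) + amount  # effect, too late

class GuardedPool(UnsafePool):  # debt recorded before payout, nested calls rejected
    locked = False
    def borrow(self, user, amount):
        if self.locked:
            raise RuntimeError("re-entrant call")
        self.locked = True
        try:
            self.check(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)
        finally:
            self.locked = False

class NestedBorrower:  # constructed receiver: calls borrow() again from its callback
    stopped_by = None
    def on_token_transfer(self, pool, amount):
        try:
            pool.borrow(self, amount)
        except Exception as exc:
            self.stopped_by = type(exc).__name__

def run(pool_cls, collateral=100, liquidity=1000):
    pool, user = pool_cls(CallbackToken(), liquidity), NestedBorrower()
    pool.collateral[user] = collateral
    pool.borrow(user, collateral)
    return pool.debt[user], pool.token.balances[user], user.stopped_by
```

`run(UnsafePool)` and `run(GuardedPool)` each return the recorded debt, the tokens the borrower received, and the exception that ended the nested calls, so the two pools can be compared on the same collateral.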