An attacker has siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.
The DeFi platforms each confirmed the hacks in Twitter posts on Tuesday, stating that their contracts have been paused to forestall further damage. The attack marks the second flash loan exploit recorded today as Deus Finance DAO also lost $3 million.
Examining the transaction breakdown data for both exploits on Tenderly, the attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a Solidity programming language vulnerability that allows an attacker to trick a protocol’s contract into making an external call to an untrusted contract.
Once this happens, the hacker can then use this untrusted contract to make repeated calls to the protocol to drain its funds.
In the case of Agave and Hundred Finance, the attacker introduced a reentrancy bug on both protocols paving the way for a flash loan exploit. The reentrancy vulnerability appears centered on the “callAfterTransfer” function, allowing the hackers to continue borrowing from the protocols — siphoning off massive swathes of liquidity.
In essence, the attacker was making recursive calls to siphon off user funds without having to put up additional collateral. Then the attacker terminated the exploit with a “liquidationCall,” paying back their initial flash loan while still holding significant liquidity from both projects.
Flash loan attacks continue
Agave is a lending protocol on the Gnosis chain and is a fork of the popular Aave protocol. Hundred Finance is a multi-chain lending project and is a fork of Compound.
Cream Finance, a DeFi lending protocol that shares a similar codebase to Compound, also suffered a flash loan reentrancy attack last summer. The exploit led to the loss of $19 million in crypto tokens from the project.
Read full story on The Block