Agave Finance Hacked, Around 5.3M USD taken
- Agave is currently investigating an exploit on the Agave Finance Protocol.
- Hundred Finance on Gnosis Chain also appears to have been hit by a similar attack.
Agave is a decentralized, non-custodial money market protocol in which users participate by lending or borrowing assets through the application.
Twitter user Shegen was one of the first Agave users to tweet about the hack. The Agave team has posted a thread acknowledging the problem but has not yet disclosed much detail. The team told its users: Agave is currently investigating an exploit on the Agave Finance protocol. We will update you as soon as we know more. Contracts have been paused until we figure out how to resolve the situation. This is the only information publicly available as of 09:02 PM IST, 15th March.
Following the attack, the Agave token is down 25%, as can be seen on CoinMarketCap.
Discord moderator Luigy 𝗹𝗲𝗺𝗼𝗻#1337 has posted the same information. On Discord, the team is trying to calm its users while it works out what caused the attack.
Our initial assessment: the protocol has been exploited and funds were borrowed against no collateral, so we recommend that readers not deposit any funds until the team has a fix in place. All transaction details can be found here. At first glance it looked like an oracle attack around WETH liquidity on SushiSwap/Uniswap; the analysis that followed (below) points to reentrancy instead.
Martin Köppelmann, founder of Gnosis Chain (the chain Agave is built on), replied to Shegen: can’t make any promises, and first we should really understand what happened. But I would generally be supportive of a GnosisDAO proposal that would try to prevent users from losing funds by e.g. borrowing funds/ investing funds into @Agave_lending .
- 08:58 PM IST, 15th March: According to a Twitter thread by the BlockSec team, Agave on the xDai chain was attacked, and they suspect the root cause is an untrusted external call. The attacker invoked the liquidateCall function to liquidate himself even though he had no debt. During the liquidation, the contract made an untrusted external call into the attacker's contract. Inside that call, the attacker deposited 2728 WETH from a flash loan to mint 2728 aWETH and borrowed everything that was borrowable. When the external call returned, liquidateCall burned the 2728 aWETH and transferred 2728 WETH to the liquidator, leaving the borrowed assets with no collateral behind them. Here is a reference image for better understanding.
In a quick turn of events, Hundred Finance on Gnosis Chain also appears to have been hit, by an attack similar to the one on Agave Finance.
According to a tweet by Twitter user Daniel Von Fange: The XDAI token allowed the attacker to run code after a transfer (callAfterTransfer), and this was used to attack reentrancy in each protocol.
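The sequence BlockSec describes, combined with the transfer hook Daniel Von Fange points at, as an added example that is not Agave's, Hundred's or BlockSec's code: a Python model of a money market whose liquidation hands control to the liquidator through a token transfer hook before it settles the position. The 2728 WETH figure is taken from the thread summarised above; everything else is a constructed assumption: the XDAI reserve size, the prices, the 80% loan-to-value ratio, the ERC777-style hook that notifies both sender and recipient contracts (the page only says the xDAI token runs code after a transfer), and all class and method names. `guarded=True` adds a single reentrancy mutex shared by the pool's entry points, one of the standard fixes; re-checking the borrower's health after the external call is the other.

```python
"""Model of the liquidation reentrancy described above (added example, not Agave's,
Hundred's or BlockSec's code). Prices, reserve size, LTV and names are constructed."""

class ReentrancyError(Exception): pass

class Token:
    """Transfers notify contract parties (assumption: ERC777-style hooks on both sender
    and recipient; the page only says xDAI runs code after a transfer): the untrusted call."""

    def __init__(self, name, price_usd):
        self.name, self.price_usd, self.balances = name, price_usd, {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{self.name}: insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        for party in (sender, recipient):
            hook = getattr(party, "on_token_transfer", None)
            if hook is not None:  # party is a contract: hand it control
                hook(self, amount)

class LendingPool:
    """Money market; guarded=True adds one mutex shared by every entry point (the fix)."""
    LTV = 0.8  # constructed: borrow up to 80% of collateral value

    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.atoken, self.debt = {}, {}  # (token, user) -> amount

    def _enter(self):  # runs before try/finally, so a failed reentrant
        if self.guarded and self.locked:  # call cannot unlock the outer one
            raise ReentrancyError("reentrant call into the pool")
        self.locked = True

    def _usd(self, book, user):
        return sum(a * t.price_usd for (t, u), a in book.items() if u is user)

    def deposit(self, token, user, amount):
        self._enter()
        try:
            token.transfer(user, self, amount)
            self.atoken[(token, user)] = self.atoken.get((token, user), 0) + amount
        finally:
            self.locked = False

    def borrow(self, token, user, amount):
        self._enter()
        try:
            if self._usd(self.debt, user) + amount * token.price_usd > self.LTV * self._usd(self.atoken, user):
                raise ValueError("insufficient collateral")
            self.debt[(token, user)] = self.debt.get((token, user), 0) + amount
            token.transfer(self, user, amount)
        finally:
            self.locked = False

    def liquidation_call(self, collateral, debt_token, user, liquidator, debt_to_cover):
        self._enter()  # full liquidation only: the user's whole collateral goes to the liquidator
        try:
            if debt_to_cover != self.debt.get((debt_token, user), 0):
                raise ValueError("must cover the whole debt")  # 0 == 0: no debt still passes
            # Pull the repayment: the token hook hands control to the liquidator before anything below runs.
            debt_token.transfer(liquidator, self, debt_to_cover)
            self.debt[(debt_token, user)] = self.debt.get((debt_token, user), 0) - debt_to_cover
            # Bug: collateral is read only now and health is never re-checked, so the aWETH
            # minted inside the hook is burned here and its WETH paid out to the liquidator.
            seize = self.atoken.get((collateral, user), 0)
            self.atoken[(collateral, user)] = 0
            collateral.transfer(self, liquidator, seize)
        finally:
            self.locked = False

class Attacker:
    """Liquidator contract whose hook runs once, in the middle of the liquidation."""

    def __init__(self, pool, weth, xdai):
        self.pool, self.weth, self.xdai, self.armed = pool, weth, xdai, True

    def on_token_transfer(self, token, amount):
        if not self.armed:
            return
        self.armed = False  # the nested transfers below must not re-trigger this
        self.pool.deposit(self.weth, self, 2728)  # flash-loaned WETH -> 2728 aWETH
        cap = int(self.pool.LTV * 2728 * self.weth.price_usd / self.xdai.price_usd)
        self.pool.borrow(self.xdai, self, min(self.xdai.balances.get(self.pool, 0), cap))

def run_attack(guarded):
    weth, xdai, pool = Token("WETH", 2600), Token("XDAI", 1), LendingPool(guarded)
    xdai.balances[pool] = 5_000_000  # reserve deposited by honest users (constructed)
    attacker = Attacker(pool, weth, xdai)
    weth.balances[attacker] = 2728  # stands in for the flash loan
    try:  # liquidate himself: no debt, so debt_to_cover is 0, and the call still proceeds
        pool.liquidation_call(weth, xdai, attacker, attacker, 0)
        blocked = False
    except ReentrancyError:
        blocked = True
    return {"blocked": blocked, "pool_xdai": xdai.balances.get(pool, 0),
            "attacker_weth": weth.balances.get(attacker, 0), "attacker_xdai": xdai.balances.get(attacker, 0),
            "attacker_debt_usd": pool._usd(pool.debt, attacker), "attacker_collateral_usd": pool._usd(pool.atoken, attacker)}
```

Call `run_attack(False)` and `run_attack(True)` and compare. Unguarded, the attacker ends the transaction holding the 2728 WETH again (enough to repay the flash loan) plus the entire XDAI reserve, and the pool carries a 5,000,000 USD debt backed by zero collateral, which is the "borrowed with no collateral" outcome the page describes. Guarded, the `deposit` made inside the hook raises `ReentrancyError`, the whole liquidation unwinds, and the reserve is untouched. The design point is that `_enter` is called before the `try`, so a rejected reentrant call never runs the `finally` that would release the outer lock.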