- This morning Grim Finance platform was exploited by an external attacker.
- The attacker’s address has been identified with over 30 million dollars.
- The attacker attacked using the function titled beforeDeposit() from Grim Finance vault strategy entering a malicious token contract.
- Grim Finance has paused all of the vaults to prevent any future funds from being placed at risk.
- They have advised people to please withdraw all of their funds IMMEDIATELY.
This morning Grim Finance platform was exploited by an external attacker. The attacker’s address has been identified with over 30 million dollars worth of theft here.
This attack was an advanced attack. The attacker attacked using the function titled beforeDeposit() from Grim Finance vault strategy entering a malicious token contract. The malicious token contract can start 5 rentrancy loops from safeTransferFrom(), wherein all 5 rentrancies, the pool value is set to the current balance().
On the last safeTransferFrom(), the reentrancy loop is broken, and some wants can be transferred to the strategy, which will increase the amount to put the vault in a state to mint shares. On the unwinding of the 5 rentrancies, each loop will see that the _amount is not 0, and mint the corresponding shares, mint the same share count 5x (the number of rentrancy loops).
Grim Finance has paused all of the vaults to prevent any future funds from being placed at risk. They have advised people to please withdraw all of their funds IMMEDIATELY. The exploit was found in the vault contract, so all vaults and deposited funds are currently at risk. Grim Finance has contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.
Many projects on the chain have reached out to Grim Finance with support during this difficult time including Beefy, Tomb, SpiritSwap and FTM Alerts. In addition, they have helped dramatically in providing updates to the community regarding the situation.
The steps to withdraw all of the funds IMMEDIATELY are:
- Grab a Flashloan for XXX & YYY tokens (WBTC-FTM e.g.)
- Add liquidity on SpiritSwap
- Mint SPIRIT-LPs
- call depositFor() in GrimBoostVault with token==ATTACKER, user==ATTACKER
- Leverage token.safeTransferFrom for re-entrancy
- goto (4)
- In the last step on re-entrancy call depositFor() with token==SPIRIT-LP, user==ATTACKER
- Amount of minted GB-XXX-YYY tokens is increased in every level of re-entrancy
- Attacker ends up holding huge amount of GB-XXX-YYY tokens
- Withdraw GB tokens and get more SPIRIT-LP tokens back
- Remove liquidity and get more XXX and YYY tokens
- Repay Flashloan
- ChargeDeFi Hacked: The Attacker Gained Approximately $500K
- Is CoinMarketCap Hacked? | Bitcoin Price Touches $779 Billion
- Brinc Finance Hacked: $1.1M DAI, 14.31M BRC & 3.2M gBRC Stolen
- NFT Market Vulcan Forged Hacked: Over 4.5 Million PYR has been Stolen
- AscendEX Hacked: The Hot Wallet is Compromised and the Hacker Got Away With ~$80 Million