- The Agave Finance team is investigating what appears to be a reentrancy attack that affected Agave and Hundred Finance on Gnosis Chain.
- 2116 ETH ($5.5M) was lost from Agave, and 2363 ETH ($6.2M) from Hundred Finance, giving a total of $11.7M stolen by the anonymous attacker.
This article is a follow-up to yesterday’s article on the $5.4M hack of Agave Protocol. Twitter user Shegen has explained the hack in a Twitter thread. It is the first attack we’ve seen on the Gnosis (xDai) chain and the first time we’ve seen hackers directly target two protocols like this.
The attacks were made possible by the design of the xDAI token, which contains the function callAfterTransfer(); this callback runs recipient code in the middle of a transfer, creating a reentrancy vulnerability. Using flash loans as the initial collateral, the attacker(s) nested additional borrow calls inside one another, increasing the amount borrowed before the protocol could update the debt balance. Repeating this process let them borrow assets worth far more than the collateral supplied.
In both cases the stolen funds were first sent to the attacker’s ETH address and, after a few hours, forwarded to Tornado Cash: 2116 ETH ($5.5M) in the case of Agave and 2363 ETH ($6.2M) in the case of Hundred Finance.
Mudit Gupta, a blockchain security researcher, has proposed a mitigation for such attacks in his Twitter thread: the checks-effects-interactions pattern. Lossless Defi, a crypto hack mitigation tool, has tweeted that it is ready to help Agave with further investigation. Meanwhile, the Agave team has told its users on Discord that the team will not contact any user personally, and has advised users to stay away from hackers.
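To make the two points above concrete (the transfer callback that lets a borrow call be nested inside itself, and the checks-effects-interactions ordering proposed as the fix), here is a small Python model. It is an added example, not part of the original article and not Agave’s or Hundred Finance’s contract code. The token, pool and borrower classes, the 50% collateral factor and the reserve sizes are constructed assumptions; the callback is modelled on the callAfterTransfer() hook named above.

```python
COLLATERAL_FACTOR = 0.5  # assumption: a user may borrow up to 50% of its collateral

class ReentrancyError(Exception):
    """Raised by the guarded pool when borrow() is entered a second time."""

class CallbackToken:
    """Token whose transfer() calls recipient.on_token_transfer() if present,
    modelled on the callAfterTransfer() hook mentioned in the article."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook is not None:
            hook(sender, amount)  # control passes to the recipient mid-operation

class VulnerablePool:
    """Interaction before effect: debt is recorded after the transfer, so a
    nested borrow() is checked against the stale (lower) debt balance."""

    def __init__(self, token, reserves):
        self.token, self.collateral, self.debt = token, {}, {}
        token.balances[self] = reserves

    def borrowing_power(self, user):
        return self.collateral.get(user, 0) * COLLATERAL_FACTOR

    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.borrowing_power(user):
            raise ValueError("exceeds borrowing power")       # check
        self.token.transfer(self, user, amount)                # interaction
        self.debt[user] = self.debt.get(user, 0) + amount      # effect, too late

class CEIPool(VulnerablePool):
    """Checks-effects-interactions: debt is recorded before the transfer, so
    a nested borrow() sees the updated balance and fails its check."""

    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.borrowing_power(user):
            raise ValueError("exceeds borrowing power")       # check
        self.debt[user] = self.debt.get(user, 0) + amount      # effect
        self.token.transfer(self, user, amount)                # interaction

class GuardedPool(CEIPool):
    """CEI plus a mutex as defence in depth: a nested call is rejected
    before it even reaches the check."""

    def __init__(self, token, reserves):
        super().__init__(token, reserves)
        self._locked = False

    def borrow(self, user, amount):
        if self._locked:
            raise ReentrancyError("borrow() re-entered")
        self._locked = True
        try:
            super().borrow(user, amount)
        finally:
            self._locked = False

class NestingBorrower:
    """Recipient whose transfer hook calls borrow() again while the outer
    borrow() is still executing, up to `nesting` levels deep."""

    def __init__(self, pool, amount, nesting):
        self.pool, self.amount, self.nesting = pool, amount, nesting
        self.reentries = 0

    def on_token_transfer(self, sender, amount):
        if sender is self.pool and self.reentries < self.nesting:
            self.reentries += 1
            try:
                self.pool.borrow(self, self.amount)
            except (ValueError, ReentrancyError):
                pass  # nested call rejected; the outer call carries on

def run_scenario(pool_cls, collateral=100, borrow_amount=50, nesting=3):
    """Deposit `collateral`, borrow the maximum once and let the hook nest
    further borrows.  Returns (debt the pool recorded, tokens received)."""
    token = CallbackToken()
    pool = pool_cls(token, reserves=1_000)
    borrower = NestingBorrower(pool, borrow_amount, nesting)
    token.balances[borrower] = collateral  # constructed starting balance
    pool.deposit(borrower, collateral)
    pool.borrow(borrower, borrow_amount)
    return pool.debt[borrower], token.balance_of(borrower)

if __name__ == "__main__":
    for cls in (VulnerablePool, CEIPool, GuardedPool):
        print(cls.__name__, run_scenario(cls))
```

With 100 tokens of collateral and a 50-token limit, the vulnerable pool records a debt of 200 and pays out 200 tokens, because each nested borrow() is checked while the debt is still 0. Reordering the two lines in CEIPool is enough on its own: the nested call sees the debt of 50 and fails, so the outer call pays out exactly 50. GuardedPool shows the mutex that many lending protocols add as a second line of defence; it rejects the nested call before the check runs, giving the same result.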