The DeFi protocol Grim Finance suffered a security breach that resulted in net losses of over $30 million. The attack is believed to be one of the largest on the Fantom blockchain.
On December 19, Grim Finance, a smart yield optimizer platform built on Fantom Opera, lost $30 million worth of tokens in what the DeFi protocol described as an “external attack.” The strike has been characterised as an advanced attack in which the hacker exploited the protocol’s vault contract.
The perpetrators hit the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform was still processing the first deposit. The reentrancy loophole let them slip these fake deposits into the vault while the initial transaction was still being processed, deceiving the protocol. The attacker had funded both Ethereum and Binance Smart Chain wallets from Tornado Cash and created a malicious token just an hour before hacking Grim Finance. The attacker then laundered the funds through stablecoin transfers, bridging the stolen digital assets from the Fantom mainnet to the Ethereum mainnet for USD Coin (USDC) and DAI.
In a measure to curb further attacks, the DeFi platform has suspended access to all vaults and recommended that users withdraw their funds. The Grim Finance team stated in a tweet that, because the exploit happened in the vault contract, all of the vaults and deposited funds were at risk. They further added,
“We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”
It seems that the stolen tokens have already been routed to other Fantom-based decentralized exchanges such as AnySwap and SpookySwap and exchanged for other tokens such as USD Coin (USDC).
Reentrancy guards: a necessity for DeFi
Rugdoc.io, a decentralized finance security platform, said that Grim Finance’s basic mistake was not having a reentrancy guard and granting users unnecessary entitlements, such as the ability to choose their own deposit token. In a tweet, they advised against building multi-billion dollar projects without a reentrancy guard. The security platform went on to add,
“Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand.”
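The two weaknesses discussed above (a caller-chosen deposit token and no reentrancy guard), as an added illustration that is not Grim Finance’s code: a hypothetical vault whose deposit path can be re-entered from inside the external token call, beside a hardened version with a mutex-style guard and a fixed deposit token. Contract and variable names are assumptions.

```solidity
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Vault with the two weaknesses discussed above: the caller picks the deposit
// token and nothing stops depositFor() from being entered again while it runs.
contract UnguardedVault {
    IERC20 public immutable want;              // token the vault accounts in
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    constructor(IERC20 _want) { want = _want; }
    function depositFor(address token, uint256 amount, address user) external {
        uint256 before = want.balanceOf(address(this));
        // Control passes to caller-chosen code before any state is updated,
        // so a malicious token can call depositFor() again from inside here.
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        uint256 credited = want.balanceOf(address(this)) - before;
        // Each nested frame measures against its own stale `before`, so `want`
        // delivered once is credited once per nesting level: the "fake deposits".
        shares[user] += credited;
        totalShares += credited;
    }
}

// Hardened vault: a mutex-style reentrancy guard (the idea behind OpenZeppelin's
// ReentrancyGuard) and a fixed deposit token that the caller cannot choose.
contract GuardedVault {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    bool private locked;
    constructor(IERC20 _want) { want = _want; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function deposit(uint256 amount) external nonReentrant {
        // Only `want` is accepted and a nested call reverts, so the delta is measured once.
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 credited = want.balanceOf(address(this)) - before;
        shares[msg.sender] += credited;
        totalShares += credited;
    }
}
```

In production, OpenZeppelin’s audited ReentrancyGuard is the usual choice over a hand-written modifier, and the guard should cover withdraw paths as well as deposits.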