Hackers looted more than $30 million from a decentralized finance project over the weekend, leading to a user exodus that saw more than 95% of the tokens invested in the project withdrawn.
The popular yield farming project Grim Finance, which started the weekend with $99 million staked, was left with just $4 million worth of fantom tokens after users drained the project’s vaults to prevent further losses.
The theft comes days after blockchain intelligence firm Chainalysis released its 2021 Crypto Crime Report, revealing that more than $7.7 billion has been stolen from cryptocurrency investors this year, up more than 80% from 2020. While Grim Finance’s developers described the robbery as an “advanced attack” that exploited a weakness in the smart contracts controlling the project, a type of fraud known as a “rug pull” was the biggest source of losses.
After tweeting, “It is with heavy hearts that we inform you that our platform was exploited today by an external attacker,” the Grim Finance project announced that it had paused all withdrawals “to prevent any future funds from being placed at risk,” adding “please withdraw all of your funds IMMEDIATELY.”
A Known Bug
Built on the Ethereum-compatible Fantom Opera blockchain, Grim Finance is a “yield optimizer” — a project that lets users lock cryptocurrency tokens earned by investing in other DeFi lending/borrowing projects and decentralized exchanges (DEXs) into “vaults” to earn more interest on the funds gained.
Grim Finance, a project whose logo is a crimson-cloaked specter of death carrying a sickle, explained that the losses were caused by a “reentrancy” bug in the smart contracts that run the platform. Essentially, it allows hackers to make a legitimate deposit and then make several fake ones, tricking the vaults into releasing the phantom funds once the original transaction is complete.
The stolen fantom (FTM) tokens were then transferred to other DEXs and swapped for other cryptocurrencies as the hacker made off with the ill-gotten gains.
One of the first comments on the @GrimFinance Twitter thread announcing the loss disputed the developers’ claim that the theft was an “advanced attack,” claiming that reentrancy bugs were a well-known type of exploit that an audit should have caught.
That sentiment was shared by Rugdoc.io, a community-organized DeFi security project that laid out what happened in simple-to-understand detail. It said the hack resulted from a “big no-no” — the project’s failure to include a “reentrancy guard” at a place in the smart contract “that absolutely needed it,” as well as giving users too much control of the process.
Grim’s audit by Solidity Finance showed that the project was aware of that type of exploit, claiming that “ReentrancyGuard is used in relevant locations” to prevent reentrancy attacks.
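The pattern described above, a vault that measures its token balance around an external call and writes its share accounting only afterwards, is shown below in a deliberately minimal form, next to the same vault with a reentrancy guard. This is an added illustration written for this article; it is not Grim Finance’s contract, not code from Solidity Finance or Rugdoc.io, and it does not reproduce the actual exploit. The contract names, the `want` token and the share formula are hypothetical, and the import paths assume OpenZeppelin Contracts 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vaults for illustration only (not Grim Finance's code).
// Import paths assume OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Unguarded vault: share accounting is derived from a balance delta that is
// measured around an external token call, and the caller's shares are written
// only after that call returns. Nothing stops the external call from re-entering
// deposit() while the first call's bookkeeping is still pending, so a token whose
// transfer hands control back to the caller can have its delta counted more than
// once. This is the ordering a reentrancy guard exists to rule out.
contract UnguardedVault {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _want) {
        want = _want;
    }

    function deposit(uint256 amount) external {
        uint256 before = want.balanceOf(address(this));
        want.transferFrom(msg.sender, address(this), amount); // external call
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : (received * totalShares) / before;
        shares[msg.sender] += minted; // state written after the external call
        totalShares += minted;
    }

    function withdraw(uint256 shareAmount) external {
        uint256 payout = (shareAmount * want.balanceOf(address(this))) / totalShares;
        want.transfer(msg.sender, payout);  // external call before state update
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
    }
}

// Guarded vault: the same accounting, but every entry point that touches the
// shared state carries OpenZeppelin's nonReentrant modifier, so a nested call
// into deposit() or withdraw() from inside the external token call reverts.
// Withdraw also follows checks-effects-interactions (state first, transfer last),
// and the token is fixed at deployment rather than supplied by the caller, which
// keeps the "which contract do we call out to" decision out of users' hands.
contract GuardedVault is ReentrancyGuard {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _want) {
        want = _want;
    }

    function deposit(uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        want.transferFrom(msg.sender, address(this), amount);
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : (received * totalShares) / before;
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function withdraw(uint256 shareAmount) external nonReentrant {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 payout = (shareAmount * want.balanceOf(address(this))) / totalShares;
        shares[msg.sender] -= shareAmount;   // effects before interaction
        totalShares -= shareAmount;
        want.transfer(msg.sender, payout);   // external call last
    }
}
```

Two points worth checking in review of any vault like this: the guard has to cover every function that shares the accounting state, not just the one where the bug was first noticed, because a nested call into a different unguarded entry point bypasses a guard on the original one; and the guard is a backstop, not a substitute for writing state before making external calls, since it only helps against re-entry into this contract and not against stale reads elsewhere in the same transaction.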
Solidity tweeted out a mea culpa, saying the Grim Finance audit happened in the fall, when the firm was growing rapidly.
“This audit was performed by an analyst who was new to the team & while our CTO was on vacation; and unfortunately this issue was not caught in our peer review process,” it said. “We are disappointed that this issue, which we regularly recommend fixing, slipped through our process while we were overwhelmed and onboarding new analysts in August.”
Solidity said that it has audited more than 900 projects, and this was only the second exploit that it missed.
“Since then,” it added, “we’ve expanded our team further, bolstered internal skillsets, and improved our peer review process.”