Agave and Hundred Finance have paused operations while investigations continue into the exploit.
A hacker has made off with approximately $11 million in wrapped ETH (wETH), wrapped BTC (wBTC), Chainlink (LINK), USD Coin (USDC), Gnosis (GNO) and wrapped XDAI (wxDAI) after using a “re-entrancy” attack on decentralized finance (DeFi) lending protocol applications Agave and Hundred Finance.
The attack comes within 24 hours of the news breaking of the Deus Finance exploit, where hackers stole over $3 million in Dai (DAI) and Ether (ETH) from the lending contract platform.
Agave token AGVE dropped by 20% following the attack, according to data from CoinGecko. Hundred Finances token HND fell 3.5% after it announced the exploit. However, it’s since recovered to hit a 24-hour high.
“Agave is currently investigating an exploit on the agave finance protocol,” Agave tweeted on Tuesday. “We will update you as soon as we know more.” It noted that contracts have been paused until the situation is resolved.
The Hundred Finance team also tweeted that it was exploited on the Gnosis chain and has paused its markets while pursuing investigations.
According to on-chain analysis, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.
Solidity developer and creator of an NFT liquidity protocol application Shegen (@shegenerates), tweeted that she lost $225,000 in the exploit. Her investigations revealed the attack worked by exploiting a wETH contract function on Gnosis Chain, allowing the attacker to continue borrowing crypto before the apps could calculate the debt preventing further borrowing.
The attacker ran this exploit, continually borrowing against the same collateral they were posting until the funds were drained from the protocols.
Shegen told Cointelegraph that while the smart contract on Agave is essentially the same as Aave, which secures $18.4B, “every security researcher has audited it,” she said. “So it’s reasonable to assume the contract is safe.”
“I think this hack stands out more than some bigger ones,” Shegen said, noting that even if it was a smaller hack compared with others that stole millions more, the similarity to Aave meant “it seems top tier safe, but wasn’t, and that break of trust hurts.”
“It’s like you can’t even trust ‘safe’ code.”
Blockchain security researcher Mudit Gupta says the difference between Aave and Agave is that “Aave actively checks for re-entrancy before listing tokens on the mainnet to avoid similar attacks.”
Shegen stated that she did not blame the Agave developers for failing to prevent the attack.
“Agave was used in an unsafe way”, she said. “Maybe the developer should not have allowed tokens with callbacks in them to be used in the platform, or added more re-entrancy guards.”
“Curve, for example, was not hacked today, because it has extra re-entrancy guards, but I don’t really blame Luigy and the Agave team because it‘s so unlikely that this would have happened, and slipped past many people.”
Shegen also didn’t point the blame at Gnosis for creating tokens with a callback function that the hacker exploited, saying that the feature stops users from accidentally losing their crypto.
“That‘s actually a great feature for bridged tokens, it‘s just a really unfortunate, and unlucky circumstance in my opinion.”