Grim Finance is the latest DeFi (Decentralised Finance) protocol to fall victim to a hack in which attackers exploited a flaw in the vault contract to drain millions.
On December 19, Grim Finance, a compounding yield optimiser on the Fantom blockchain, was targeted by an “advanced attack” where hackers drained an estimated US$30 million in Fantom (FTM). In a series of tweets, Grim explained that the unknown attackers exploited a flaw in its vault contract.
Smart Contract Exploited
The hackers used a reentrancy attack. In this case it allowed an attacker to trigger additional withdrawals from a smart contract while the initial transaction was still in progress: because the contract had not yet updated the receiver’s balance, each re-entered call passed the same balance check, effectively allowing the loop to continue.
In reality, the attack can be prevented without much effort, mainly by updating a balance after a transaction is sent rather than before. According to Quantstamp senior research engineer Martin Derka, “if no internal state updates happen after an ether transfer or an external function call inside a method, the method is safe from the reentrancy vulnerability”.
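To make the loop described above concrete, here is an added illustration written for this article; it is not Grim Finance’s vault code and is not code from the original piece. It is a small Python model of a vault with two orderings of the same withdrawal: one that makes the external transfer before zeroing the caller’s balance, and one that follows the rule in the Quantstamp quote by finishing every state update before the external call. The names Vault, Honest, Attacker, on_receive and run_scenario are assumptions made for the example, and the deposit amounts are constructed.

```python
# Added example: toy model of a reentrant withdrawal and of the
# "state updates before external calls" ordering. Not Grim Finance's
# contract; Vault, Attacker, on_receive and run_scenario are hypothetical names.


class Vault:
    """Minimal vault. `effects_first` selects the hardened ordering."""

    def __init__(self, effects_first: bool):
        self.balances = {}          # credited balance per depositor
        self.pool = 0               # funds the vault actually holds
        self.effects_first = effects_first
        self.depth = 0              # current withdraw() nesting (diagnostic)
        self.max_depth = 0          # deepest nesting seen: >2 signals re-entry

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, who, amount):
        # Models an external call: funds move, then control passes to the
        # receiver, which may call back into the vault before we return.
        self.pool -= amount
        who.on_receive(self, amount)

    def withdraw(self, who):
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        try:
            amount = self.balances.get(who, 0)        # check
            if amount == 0 or amount > self.pool:
                return
            if self.effects_first:
                self.balances[who] = 0                # effect first ...
                self._send(who, amount)               # ... then interaction
            else:
                self._send(who, amount)               # interaction first: receiver can re-enter
                self.balances[who] = 0                # effect lands only after the call chain unwinds
        finally:
            self.depth -= 1


class Honest:
    """Ordinary depositor: just accepts the funds."""

    def __init__(self):
        self.funds = 0

    def on_receive(self, vault, amount):
        self.funds += amount


class Attacker:
    """Receiver that calls withdraw() again from inside the transfer callback."""

    def __init__(self):
        self.funds = 0

    def on_receive(self, vault, amount):
        self.funds += amount
        vault.withdraw(self)   # balance is still unchanged in the vulnerable ordering


def run_scenario(effects_first):
    """Constructed scenario: honest user holds 90, attacker holds 10, attacker withdraws."""
    vault = Vault(effects_first)
    honest, attacker = Honest(), Attacker()
    vault.deposit(honest, 90)
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return {
        "attacker_funds": attacker.funds,
        "pool_left": vault.pool,
        "max_depth": vault.max_depth,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(effects_first=False))
    print("hardened:  ", run_scenario(effects_first=True))
```

With the vulnerable ordering the attacker’s 10-unit balance passes the check on every nested call and the whole 100-unit pool ends up with the attacker; with the hardened ordering the second, re-entered call sees a zero balance and returns, so only the attacker’s own 10 units leave. The `max_depth` counter is the kind of signal an auditor or monitoring harness can use: a withdrawal that nests deeper than the one expected callback is re-entering.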
As of December 19, all deposits into Grim Finance vaults remain paused to prevent further theft. The Grim team has contacted Circle (USDC), DAI, and AnySwap regarding the attacker’s address to potentially freeze any further fund transfers.
Rough Month for Some DeFi Investors
Grim Finance is the newest addition to the list of protocols that have been hacked, bringing the total up to over US$600 million stolen this month alone. The US$31 million MonoX hack just missed the cut, taking place at the end of November.
According to a tweet by RugDoc, “Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand”, adding that “if you haven’t acquired this yet, don’t build multimillion-dollar projects”.
Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.