Lending Protocols ‘Agave’ and ‘Hundred Finance’ Exploited for $11 Million

By José Oramas March 17, 2022 In Crypto News, DeFi, Hackers, Tokens

Two lending DeFi (decentralised finance) protocols, Agave and Hundred Finance, have been exploited for approximately US$11 million, both companies confirmed on Twitter this week:

Reentrancy Bug Responsible

Looking at the transaction data on Tenderly, it seems both protocols were hacked using reentrancy attacks, which is a vulnerability in Solidity, the programming language in which Ethereum is written.

Reentrancy is when an attacker manages to trick a function on the Solidity smart contract, called “callAfterTransfer” – the function then makes an external call to another untrusted contract.

Once the hacker has access to the untrusted contract, they can make recursive calls using the protocols’ funds without having to put up additional collateral.

Advertisement

Blockchain and security researcher Mudit Gupta shed some technical light on the hacks, stating that the attacker introduced code after the callAfterTransfer function to run a flash loan exploit, allowing them to borrow funds before the protocols were able to calculate the debt and prevent further borrowing.

Both protocols were hacked on the Gnosis chain, which is an EVM-compatible blockchain. Gupta added that what allowed reentrancy attacks was the fact that “the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer”:

Agave is a fork of DeFi lending protocol Aave, while Hundred Finance is a fork of Compound. Compound, on one hand, doesn’t follow the check-effects-interaction patterns, which is a recommended practice while making external calls in Solidity.

Aave does follow that practice, but according to Gupta there is a “path via liquidations using which the attacker broke the pattern”.

Tokens Wear the Fallout

Unsurprisingly, the native tokens of both protocols took a blow, both dropping by double digits, according to data from CoinMarketCap. But it seems they have recovered by at least 15 percent from their previous price.

After draining both protocols’ funds, the attacker went on to launder the money using Tornado Cash. Etherscan hasn’t labelled the attacker’s address with a DeFi exploit.

The event comes a week after Fantasm Finance was hacked for US$2.6 million through a flash loan attack, also using Tornado Cash to launder the funds.

José Oramas
Author

José Oramas

José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.

You may also like