Agave and Hundred Finance faced flash loan attack: $11M tanked


Two DeFi protocols on the Gnosis chain were hit by a flash loan attack and suffered a large loss.

DeFi (decentralized finance) is a concept introduced in the crypto industry in Q4 2018 that drove some of the stronger crypto trends of 2020. Because DeFi platforms are highly decentralized and the space is still new, they carry serious vulnerability issues, and these loopholes and vulnerabilities are causing huge losses.

On 15 March, the Agave lending platform confirmed on Twitter that it had been hacked and that it was investigating the incident.

Following the incident, the protocol paused its smart contract operations until the underlying issue is resolved, in order to protect the funds locked in the smart contract.

On the same day, Deus Finance DAO was also exploited in a flash loan attack, losing around $3 million.

Tenderly investigated these two incidents and concluded that the hackers exploited the protocols through a reentrancy vulnerability in the smart contract.

Reentrancy is a vulnerability class in Solidity smart contracts: when a contract makes an external call to an untrusted contract, the callee can call back into the original contract before it has finished updating its state, which lets bad actors trick the contract into repeating an operation it should only perform once.

In the case of Agave and Hundred Finance, the hacker or hackers used a reentrancy bug to open the door to a flash loan attack. Together the two protocols lost around $11 million.

Gleb Zykov, the Co-Founder and CTO of a DeFi security and analytics company HashEx, shared his opinion on this attack.

Gleb said that Agave and Hundred Finance are two decentralized liquidity protocols that have been recently hacked using reentrancy attacks. This bug has already been known for many years, and many analytical tools for reentrancy attack prevention have been developed by different companies and enthusiasts. There are also libraries of trustworthy smart contract code, such as ReentrancyGuard from OpenZeppelin that help to protect from reentrancy attacks. On top of that, the well-known principle ‘checks, effects, interactions’ allows you to defend your smart contracts against such attacks.

In the case of the Agave and Hundred protocols, both of them had a typical fork problem: there were tokens deposited to the protocols that were incompatible with their original design. And those who made the fork, seemingly, did not know it. The same bug was exploited in Cream Finance: its developers added a token with a callback function, and that allowed malicious actors to withdraw ETH worth 18.8 million USD from Cream Finance using a simple reentrancy attack on its smart contract.
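As an added illustration (not Agave's, Hundred Finance's or Cream Finance's code), the two withdraw paths below show the bug class Tenderly and Gleb describe: a vault that calls a token with a transfer callback before updating its own books, beside the same vault rewritten in checks-effects-interactions order with a minimal mutex in the style of OpenZeppelin's ReentrancyGuard. The IHookToken interface and the contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for a token whose transfer() notifies the recipient
// (the "token with a callback function" described above).
interface IHookToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: the external call runs before the balance is zeroed, so a
// recipient contract notified by the token can call withdrawAll() again while
// balances[msg.sender] still holds the old value.
contract VulnerableVault {
    IHookToken public immutable token;
    mapping(address => uint256) public balances; // credited by a deposit path omitted here

    constructor(IHookToken t) { token = t; }

    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");               // check
        require(token.transfer(msg.sender, amount), "transfer");  // interaction: callback can re-enter
        balances[msg.sender] = 0;                                  // effect, too late
    }
}

// HARDENED: checks-effects-interactions order plus a mutex (a minimal stand-in
// for OpenZeppelin's ReentrancyGuard; use the library itself in production).
contract GuardedVault {
    IHookToken public immutable token;
    mapping(address => uint256) public balances; // credited by a deposit path omitted here
    uint256 private locked = 1;

    constructor(IHookToken t) { token = t; }

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");               // check
        balances[msg.sender] = 0;                                  // effect first
        require(token.transfer(msg.sender, amount), "transfer");  // interaction last
    }
}
```

Either defence alone blocks the re-entry: the mutex rejects the nested call, and the reordering makes the nested call find a zero balance and revert on the check.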

Flash loan attack: best option for hackers 

A flash loan is a DeFi feature that lets traders borrow and buy or sell assets without registering with any centralized crypto wallet, in order to profit from large price differences for the same asset between two or more exchanges.

Flash loans are a unique feature, but they keep causing big problems for DeFi protocols: flash loan attacks make it much easier for hackers to trick DeFi protocols and steal funds without supplying any personal identity details.
