Following the attack, Agave and Hundred Finance have stopped operations to allow proper investigation into the incident.
After performing a “re-entrancy” attack against DeFi lending protocol applications Agave and Hundred Finance, a hacker made off with around $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI.
The incident comes less than 24 hours after the Deus Finance heist, in which hackers stole more than $3 million in Dai and Ethereum from the loan contract platform.
According to CoinGecko data, Agave’s token, AGVE, plummeted by 20% following the hack. Hundred Finance’s token, HND, fell 3.5% after the exploit was announced, although it has since recovered to a 24-hour high.
“Agave is now researching an exploit on the agave finance protocol,” Agave tweeted at 1:30 p.m. UTC on Tuesday. “We will update you as soon as we learn more.” The contracts have been paused until the problem is resolved, the report added.
The Hundred Finance team also tweeted that it had been exploited on the Gnosis chain and had halted trading while it investigated.
According to on-chain research, the attacker’s address sent over 2,100 ETH, valued at over $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.
Shegen (@shegenerates), a Solidity developer and creator of an NFT liquidity protocol app, tweeted that she lost $225,000 in the attack. Her investigation found that the attacker used a wETH contract function on Gnosis Chain to keep borrowing crypto before the applications could record the debt that would otherwise have blocked further borrowing.
The attacker used this technique repeatedly, borrowing against the same collateral until the funds in the protocols were depleted.
While the smart contract on Agave is virtually the same as the one on Aave, which secures $18.4 billion, Shegen told Cointelegraph that “every security researcher has audited it,” therefore “it’s reasonable to trust the contract is safe.”
“I think this theft stands out more than other larger ones,” Shegen said, noting that while it was a tiny hack compared to others that took millions of dollars, the similarities to Aave meant “it seemed top tier safe, but wasn’t and that break of confidence hurts.”
“It’s like you can’t even trust ‘safe’ code.”
The difference between Aave and Agave, according to blockchain security researcher Mudit Gupta, is that “Aave actively checks for re-entrancy before putting tokens on the public network to avoid similar attacks.”
Shegen indicated that she did not hold the Agave developers responsible for failing to prevent the attack.
“Maybe the developer should not have allowed tokens with callbacks to be utilized in the platform, or put more re-entrancy guards,” she said.
“Curve, for example, was not hacked today, because it has extra re-entrancy guards, but I don’t blame Luigy and the Agave team because it’s so unlikely that this would have happened, and slipped past many people.”
Shegen also declined to criticize Gnosis for producing tokens with a callback function that the hacker exploited, saying that the feature prevents users from losing their cryptocurrency by accident.
“That’s a fantastic feature for bridged tokens; it’s simply a sad and unlucky condition in my perspective.”
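The mechanism described above (a token transfer hook handing control back to the caller before the pool has booked the new debt) and the defences mentioned by Gupta and Shegen (re-entrancy guards) are illustrated by the following hypothetical lending pool. This is an added example written for this page; it is not code from Agave, Aave, Hundred Finance, Curve or Gnosis, and the contract name, the fixed 50% loan-to-value limit and the 1:1 token pricing are simplifying assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not code from Agave, Aave, Hundred Finance or Gnosis.
// A hypothetical, deliberately minimal lending pool showing the two defences
// the article refers to: a re-entrancy guard and recording the borrower's debt
// before the external token transfer that may hand control to a callback.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedLendingPool {
    IERC20 public immutable collateralToken;
    IERC20 public immutable borrowToken;

    // Hypothetical loan-to-value limit: borrow up to 50% of collateral,
    // treating both tokens as having equal value (no price oracle, for brevity).
    uint256 public constant LTV_BPS = 5_000;

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    // Mutex in the style of OpenZeppelin's ReentrancyGuard: any nested call
    // into a guarded function while one is already in progress reverts.
    uint256 private _status = 1;

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 collateralToken_, IERC20 borrowToken_) {
        collateralToken = collateralToken_;
        borrowToken = borrowToken_;
    }

    function deposit(uint256 amount) external nonReentrant {
        collateral[msg.sender] += amount; // effect
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed"); // interaction
    }

    function borrow(uint256 amount) external nonReentrant {
        // CHECK: the limit is evaluated against the debt already on the books.
        uint256 maxDebt = (collateral[msg.sender] * LTV_BPS) / 10_000;
        require(debt[msg.sender] + amount <= maxDebt, "exceeds borrowing limit");

        // EFFECT: book the debt before any external call. Even without the
        // guard, a callback re-entering borrow() would now see the updated
        // debt and fail the check above.
        debt[msg.sender] += amount;

        // INTERACTION: the external call comes last. A token with a transfer
        // hook (ERC-677/ERC-777 style) may run code on the recipient here; a
        // pool that booked the debt only after this line would be exposed to
        // the repeated-borrow pattern described in the article.
        require(borrowToken.transfer(msg.sender, amount), "transfer failed");
    }

    function repay(uint256 amount) external nonReentrant {
        require(amount <= debt[msg.sender], "repaying more than owed");
        debt[msg.sender] -= amount; // effect
        require(borrowToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed"); // interaction
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(amount <= collateral[msg.sender], "insufficient collateral");
        uint256 remaining = collateral[msg.sender] - amount;
        // CHECK: the position must remain within the limit after withdrawal.
        require(debt[msg.sender] <= (remaining * LTV_BPS) / 10_000, "would undercollateralize");
        collateral[msg.sender] = remaining; // effect
        require(collateralToken.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

The two defences are independent: the checks-effects-interactions ordering alone closes the window in which a callback sees stale debt, and the `nonReentrant` lock alone rejects any nested call regardless of ordering. Aave's practice described by Gupta, screening a token's transfer behaviour before listing it, is a third layer that keeps hook-bearing tokens out of the pool in the first place.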