{"id":20995,"date":"2022-03-16T07:42:01","date_gmt":"2022-03-16T06:42:01","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=20995"},"modified":"2022-03-16T07:42:14","modified_gmt":"2022-03-16T06:42:14","slug":"agave-and-hundred-finance-defi-protocols-attacked-with-a-loss-of-11-million","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/agave-and-hundred-finance-defi-protocols-attacked-with-a-loss-of-11-million\/","title":{"rendered":"Agave And Hundred Finance DeFi Protocols Attacked With A Loss Of $11 Million"},"content":{"rendered":"\n
Following the attack, Agave and Hundred Finance have stopped operations to allow proper investigation into the incident.<\/h5>\n\n\n\n
\n
\"\"<\/figure>\n
Agave and Hundred Finance attacked with a loss of $11 million<\/figcaption><\/figure>\n\n\n\n

After performing a “re-entrancy” attack against DeFi lending protocol applications Agave and Hundred Finance, a hacker made off with around $11 million\r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a> in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI.<\/p>\n\n\n\n

The incident comes less than 24 hours after the Deus Finance heist, in which hackers stole more than $3 million in Dai and Ethereum from the loan contract platform.<\/p>\n\n\n\n

According to CoinGecko data, Agave's token, AGVE, plummeted by 20% following the hack. Following the announcement of the exploit, Hundred Finances' token HND plummeted 3.5 percent, although it has since recovered to a 24-hour high.<\/p>\n\n\n\n

“Agave is now researching an exploit on the agave finance protocol,” Agave tweeted<\/use><\/svg><\/span><\/a> at 1:30 p.m. UTC on Tuesday. “We will update you as soon as we learn more.” The contracts have been put on hold until the problem is handled, according to the report.<\/p>\n\n\n\n

The Hundred Finance team also tweeted that it had been exploited on the Gnosis chain and had halted trading while it investigated.<\/p>\n\n\n\n

According to on-chain research, the attacker's address<\/use><\/svg><\/span><\/a> delivered over 2,100 ETH to a crypto mixer, valued over $5.5 million, in an attempt to launder the stolen tokens.<\/p>\n\n\n\n

Shegen (@shegenerates), a Solidity developer and creator of an NFT liquidity protocol app, tweeted that she lost $225,000 in the attack and that her investigations revealed that the attacker used a wETH contract function on Gnosis Chain to continue borrowing crypto before the apps could calculate the debt, which would prevent further borrowing.<\/p>\n\n\n\n

The attacker used this technique repeatedly, borrowing against the same collateral until the funds in the protocols were depleted.<\/p>\n\n\n\n

While the smart contract<\/a> on Agave is virtually the same as the one on Aave, which secures $18.4 billion, Shegen told Cointelegraph that “every security researcher has audited it,” therefore “it's reasonable to trust the contract is safe.”<\/p>\n\n\n\n

“I think this theft stands out more than other larger ones,” Shegen said, noting that while it was a tiny hack compared to others that took millions of dollars, the similarities to Aave meant “it seemed top tier safe, but wasn't and that break of confidence hurts.”<\/p>\n\n\n\n

\u201cIt\u2019s like you can't even trust \u201csafe\u201d code.\u201d<\/p><\/blockquote><\/figure>\n\n\n\n

The difference between Aave and Agave, according to blockchain security researcher Mudit Gupta, is that “Aave actively checks for re-entrancy before putting tokens on the public network to avoid similar attacks.”<\/p>\n\n\n\n

Shegen indicated that she did not hold the Agave developers responsible for the attack's failure to be prevented.<\/p>\n\n\n\n

“Maybe the developer should not have allowed tokens with callbacks to be utilized in the platform, or put more re-entrancy guards,” she said.<\/p>\n\n\n\n

\u201cCurve, for example, was not hacked today, because it has extra re-entrancy guards, but I don't blame Luigy and the Agave team because it's so unlikely that this would have happened, and slipped past many people.\u201d<\/p><\/blockquote><\/figure>\n\n\n\n

Shegen also refused to criticize Gnosis for producing tokens with a callback function that the hacker exploited, claiming that the feature prevents users from losing their cryptocurrency by accident.<\/p>\n\n\n\n

“That's a fantastic feature for bridged tokens; it's simply a sad and unlucky condition in my perspective.”<\/p>\n","protected":false},"excerpt":{"rendered":"

Following the attack, Agave and Hundred Finance have stopped operations to allow proper investigation into the incident. After performing a “re-entrancy” attack against DeFi lending protocol applications Agave and Hundred Finance, a hacker made off with around $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI. The incident comes less than […]<\/p>\n","protected":false},"author":33,"featured_media":20997,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21],"tags":[8151,8150,8152],"class_list":["post-20995","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-agave","tag-hacking-2","tag-hundred-finance"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2022\/03\/white_hat_hacker-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/20995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/33"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=20995"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/20995\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/20997"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=20995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=20995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=20995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}