- Grim Finance was exploited by an attacker and had $30 million stolen in what the project described as “an advanced attack.”
- In the first three weeks of December, hackers stole $600 million from cryptocurrency platforms including AscendEx, Vulcan Forged, BitMart and now Grim Finance.
Grim Finance is living up to its name after being exploited in “an advanced attack” in which the criminals stole $30 million worth of tokens. The platform, which is built on the Fantom blockchain, announced that the attacker had leveraged a malicious token contract and revealed that since the exploit was found in the vault contract, “all of the vaults and deposited funds are currently at risk.”
Grim is a compounding yield optimizer, which means that it derives extra value from the liquidity provider (LP) tokens that DeFi investors receive from DEXs if they lock them up with Grim. And as one of the affected users revealed, it’s quite an attractive option as its annual percentage yield (APY) is much higher than its peers. It’s built on Opera, a reportedly secure and fast environment for building decentralized apps on the Fantom blockchain.
A day ago, Grim revealed on Twitter that it had been the victim of an attack.
The attacker deployed a malicious token contract that started five reentrancy loops. Reentrancy is an attack in which a contract's external call (here, the vault's call into the attacker's token) hands control back to the attacker, who calls the vulnerable function again before the first call has finished updating its state, so each nested call is credited as if it were a fresh deposit. In Grim's case, the attacker did this five-fold.
An hour before exploiting the loophole, the attacker funded his Ethereum and Binance Smart Chain wallets using Tornado Cash, an Ethereum coin mixer that allows users to break the on-chain link between sender and receiver. This makes it almost impossible to trace the source of the funds.
Following the attack, Grim paused all the vaults to prevent any future funds from being placed at risk. It also urged all its users to immediately withdraw all their funds.
“The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk. We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker’s address to potentially freeze any further fund transfers.”
“Grim Finance is to blame for the attack”
Cyber security experts are mulling over the latest DeFi exploit and how it could have been avoided. According to RugDoc, a DeFi security organization, Grim Finance is largely to blame for the exploit: its vault contract had no reentrancy guard in place, and that omission is ultimately what the hackers exploited.
“Hopefully, all projects can draw lessons from this incident that there is much knowledge most experienced Solidity devs have at hand. If you haven’t acquired this yet, don’t build multi-million dollar projects. Don’t get audits from companies which everyone knows are useless.”
In addition, RugDoc believes that DeFi platforms shouldn’t let users choose which token contract to deposit.
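To make the mechanism concrete, the following is an added simulation (not Grim Finance's contract code, and not from RugDoc) of the pattern the article describes: a vault that credits shares based on how much its underlying balance grew across an external transfer call, a caller-supplied token contract that re-enters that deposit function five times before making a single real transfer, and the two defences RugDoc points to, a reentrancy guard and restricting deposits to the vault's own token. The contracts, addresses and balances are constructed for the example.

```python
"""Constructed model of a balance-difference vault and a re-entering token.
Addresses are plain strings and tokens are Python objects; this stands in for
the on-chain calls, it is not Grim Finance's Solidity."""


class ReentrancyError(Exception):
    """Raised when deposit() is entered again before the first call finished."""


class Token:
    """Minimal honest ERC-20-style token; balances are keyed by address string."""

    def __init__(self, name):
        self.name = name
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer_from(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount


class Vault:
    """Yield vault that credits shares equal to the growth of its underlying
    balance across an external transfer_from call. Both defences are off by
    default so the unguarded behaviour can be demonstrated first."""

    def __init__(self, underlying, reentrancy_guard=False, token_allowlist=False):
        self.underlying = underlying          # the real LP token the vault holds
        self.reentrancy_guard = reentrancy_guard
        self.token_allowlist = token_allowlist
        self.shares = {}
        self._entered = False

    def deposit(self, token, depositor, amount):
        # Defence 1: refuse a second entry while a deposit is still executing.
        if self.reentrancy_guard and self._entered:
            raise ReentrancyError("deposit() re-entered during external call")
        # Defence 2: only the vault's own token may be deposited, so the caller
        # cannot substitute a contract that calls back into the vault.
        if self.token_allowlist and token is not self.underlying:
            raise ValueError("only the vault's underlying token is accepted")
        self._entered = True
        try:
            before = self.underlying.balance_of("vault")
            token.transfer_from(depositor, "vault", amount)   # external call
            after = self.underlying.balance_of("vault")
            credited = after - before   # shares minted from the observed growth
            self.shares[depositor] = self.shares.get(depositor, 0) + credited
            return credited
        finally:
            self._entered = False


class MaliciousToken:
    """Attacker-controlled token whose transfer_from re-enters the vault
    `loops` times and only then moves one real deposit of the underlying."""

    def __init__(self, vault, real_token, loops):
        self.vault, self.real_token, self.loops = vault, real_token, loops
        self.depth = 0

    def transfer_from(self, sender, recipient, amount):
        if self.depth < self.loops:
            self.depth += 1
            self.vault.deposit(self, sender, amount)   # re-enter deposit()
        else:
            self.real_token.transfer_from(sender, recipient, amount)


def run_attack(loops=5, reentrancy_guard=False, token_allowlist=False):
    """Attacker holds 100 LP tokens. Returns shares credited, tokens actually
    received by the vault, and the name of any exception the vault raised."""
    lp = Token("LP")
    lp.mint("attacker", 100)
    vault = Vault(lp, reentrancy_guard, token_allowlist)
    evil = MaliciousToken(vault, lp, loops)
    error = None
    try:
        vault.deposit(evil, "attacker", 100)
    except (ReentrancyError, ValueError) as exc:
        error = type(exc).__name__
    return {"shares": vault.shares.get("attacker", 0),
            "vault_balance": lp.balance_of("vault"), "error": error}


def honest_deposit():
    """A normal user depositing the real token through a fully guarded vault."""
    lp = Token("LP")
    lp.mint("alice", 100)
    vault = Vault(lp, reentrancy_guard=True, token_allowlist=True)
    vault.deposit(lp, "alice", 100)
    return vault.shares["alice"], lp.balance_of("vault")


if __name__ == "__main__":
    print(run_attack())                       # 600 shares for 100 tokens deposited
    print(run_attack(reentrancy_guard=True))  # rejected, 0 shares, 0 tokens
    print(run_attack(token_allowlist=True))   # rejected, 0 shares, 0 tokens
    print(honest_deposit())                   # (100, 100)
```

With five re-entries, six frames of `deposit()` each observe the same 100-token balance increase once the innermost real transfer lands, so the attacker is credited 600 shares for 100 tokens. Either defence on its own stops the run: the guard rejects the nested call, and the allowlist rejects the attacker's token before any external call is made.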
In the first three weeks of December, hackers have stolen over $600 million from cryptocurrency platforms, TRM Labs reports. Some of the victims include NFT marketplace Vulcan Forged for $135 million, Singaporean exchange AscendEx for $77.7 million and Cayman Islands-domiciled BitMart exchange which lost $200 million.