Not one, but two decentralized finance (DeFi) protocols – Agave and Hundred Finance – were exploited in a fresh case of a “re-entrancy” attack.
The hacker reportedly managed to siphon funds worth $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI on both DeFi protocols on the Gnosis chain using a flash loan exploit.
Agave is a fork of DeFi lending platform Aave, while the multi-chain lending project, Hundred Finance, is a fork of Compound.
The attack worked by exploiting a function of the wETH token contract on Gnosis Chain that let the attacker keep borrowing before the protocols had updated the debt accounting that would otherwise have blocked further borrowing.
Blockchain security researcher Mudit Gupta says the difference between Aave and Agave is that “Aave actively checks for re-entrancy before listing tokens on the mainnet to avoid similar attacks.”
The attacker has begun to launder the funds via Tornado Cash.
Crypto derivatives platform Deus Finance was exploited for over $3 million worth of cryptocurrencies.
The attack on Deus Finance occurred on its Fantom network iteration. Deus Finance allows developers to build and issue financial instruments, such as derivatives or options, on its platform.
Hackers used flash loans to manipulate the contract that determined the price of DEI – one of the two tokens issued by Deus Finance – to falsely show that DEI had collapsed. This led to a loss of all funds of the users supplying liquidity to the DEI/USDC pool.
Blockchain data shows that over 3 million USDC tokens were stolen from Deus, which were exchanged for 200,000 DAI and 1,101.8 ether (ETH) via decentralized exchange Multichain. The funds were then withdrawn to the privacy swap tool Tornado, which masks the hacker's addresses and makes it difficult to tie stolen funds to their perpetrator.
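The Deus incident turned on a price source that could be moved within a single transaction. The following is an added example, not Deus Finance's code: a spot-price oracle that derives the DEI-style price from one AMM pool's current reserves (which a flash-loan-funded swap can skew for the duration of one transaction), beside a variant that reads a Chainlink-style aggregator and rejects stale or incomplete answers. The contract names, the `IPair` and `IAggregatorV3` interfaces and the `maxStaleness` parameter are assumptions for illustration; `latestRoundData` has the shape of Chainlink's real AggregatorV3 interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed interface with the reserve getter shape of a Uniswap-V2-style pair.
interface IPair {
    function getReserves()
        external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Read function of a Chainlink-style aggregator (shape of the real AggregatorV3 interface).
interface IAggregatorV3 {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// VULNERABLE: the price of token0 in token1 is whatever the pool's reserves say right now.
// A large swap earlier in the same transaction (e.g. funded by a flash loan) moves the
// reserves, so any protocol reading this inside that transaction sees a fabricated price
// and may treat a healthy asset as collapsed.
contract SpotPriceOracle {
    IPair public immutable pair;

    constructor(IPair _pair) { pair = _pair; }

    function price() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0); // manipulable within one transaction
    }
}

// HARDENED: the answer comes from an aggregator whose value is not a function of
// in-transaction pool state, and is checked for sign, freshness and round completeness.
contract FeedPriceOracle {
    IAggregatorV3 public immutable feed;
    uint256 public immutable maxStaleness; // assumed parameter, in seconds

    constructor(IAggregatorV3 _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    function price() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxStaleness, "oracle: stale answer");
        require(answeredInRound >= roundId, "oracle: incomplete round");
        return uint256(answer);
    }
}
```

The same defensive idea applies if an external feed is unavailable: a time-weighted average price (TWAP) accumulated over several blocks cannot be moved by one transaction's swap, whereas a single `getReserves()` read can.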
The metaverse project Paraluni was the victim of a $1.7 million hack. Paraluni is a Metaverse (DeFi) project on the BSC chain where users can provide liquidity to earn yield.
The depositByAddLiquidity function within the MasterChef contract does not check whether the LP token constructed from the incoming token array parameter _tokens corresponds to the specified _pid parameter, i.e. whether it matches the LP token (USDT-BUSD LP) held by that pool.
There is also no reentrancy restriction around the add-liquidity accounting, so malicious token contracts can re-enter the function and conduct reentrancy attacks.
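Both flaws described for Paraluni, and the re-entrancy class behind the Agave and Hundred Finance losses, come down to calling into caller-chosen contracts before the protocol's own accounting is settled. The following is an added example, not Paraluni's or Aave's code: a simplified MasterChef-style contract with the unchecked deposit pattern the text describes beside a hardened version that (1) requires the pair derived from `_tokens` to be the pool's own LP token, (2) wraps the function in a reentrancy guard, and (3) credits only the LP balance that actually arrived. The `IPairFactory` and `IRouter` interfaces, the contract and function names and the access-control omissions are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed interfaces with the shapes of ERC-20 and Uniswap-V2-style factory/router calls.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}
interface IPairFactory {
    function getPair(address tokenA, address tokenB) external view returns (address pair);
}
interface IRouter {
    function addLiquidity(address tokenA, address tokenB, uint256 amountA, uint256 amountB,
        uint256 minA, uint256 minB, address to, uint256 deadline)
        external returns (uint256 usedA, uint256 usedB, uint256 liquidity);
}

contract MasterChefLike {
    struct PoolInfo { IERC20 lpToken; uint256 totalStaked; }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public staked;
    IPairFactory public immutable factory;
    IRouter public immutable router;

    // Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IPairFactory _factory, IRouter _router) { factory = _factory; router = _router; }

    // Access control omitted for brevity; a real contract restricts who can add pools.
    function addPool(IERC20 lpToken) external { poolInfo.push(PoolInfo(lpToken, 0)); }

    // Pulls the caller's tokens and adds them as liquidity. Each transferFrom runs code in
    // whatever contract _tokens[i] points at, so control leaves this contract here.
    function _pullAndAdd(address[2] calldata _tokens, uint256[2] calldata _amounts) private returns (uint256) {
        for (uint256 i = 0; i < 2; i++) {
            require(IERC20(_tokens[i]).transferFrom(msg.sender, address(this), _amounts[i]), "transfer failed");
            require(IERC20(_tokens[i]).approve(address(router), _amounts[i]), "approve failed");
        }
        (, , uint256 liquidity) = router.addLiquidity(
            _tokens[0], _tokens[1], _amounts[0], _amounts[1], 0, 0, address(this), block.timestamp);
        return liquidity;
    }

    // VULNERABLE pattern, as the text describes: nothing ties _tokens to _pid, and there is
    // no reentrancy guard, so LP minted for an arbitrary pair (or during a re-entered deposit)
    // is credited against the pool's accounting as if it were the pool's own LP token.
    function depositByAddLiquidityUnchecked(uint256 _pid, address[2] calldata _tokens, uint256[2] calldata _amounts) external {
        uint256 liquidity = _pullAndAdd(_tokens, _amounts);
        staked[_pid][msg.sender] += liquidity;
        poolInfo[_pid].totalStaked += liquidity;
    }

    // HARDENED: (1) the pair derived from _tokens must be the pool's own LP token,
    // (2) nonReentrant rejects a second entry while control is inside a token contract,
    // (3) the credited amount is the LP balance that actually arrived, not a reported value.
    function depositByAddLiquidity(uint256 _pid, address[2] calldata _tokens, uint256[2] calldata _amounts) external nonReentrant {
        IERC20 lp = poolInfo[_pid].lpToken;
        address pair = factory.getPair(_tokens[0], _tokens[1]);
        require(pair != address(0) && pair == address(lp), "tokens do not match pool");
        uint256 before = lp.balanceOf(address(this));
        _pullAndAdd(_tokens, _amounts);
        uint256 minted = lp.balanceOf(address(this)) - before;
        staked[_pid][msg.sender] += minted;
        poolInfo[_pid].totalStaked += minted;
    }
}
```

The guard is what Gupta's remark about Aave amounts to in practice: a lending pool either refuses to list tokens whose transfer hooks can call back into the protocol, or it makes the re-entered call revert, so debt and collateral accounting is always settled before any further borrow or deposit is honoured.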
CoinJoin, a popular Bitcoin (BTC) mixing tool, will block transactions associated with or flagged as illegal.
The founder of the Wasabi Wallet called the decision a major setback for Bitcoin's fungibility, while one of the developers advocated for the use of other privacy coordinators over zkSNACKs.