How An Attacker Siphoned Over $11m From DeFi protocols, Agave And Hundred Finance

2022-05-03, 02:40


Decentralized finance (DeFi) applications on blockchain networks aim to provide secure and faster transactions.

While DeFi platforms have numerous advantages, they are also exposed to attacks.

When these attacks occur, they lead to the loss of massive sums and the disruption of significant transactions.

One recent attack on DeFi protocols led to the loss of 11 million dollars.

The attack was carried out on the Agave and Hundred Finance protocols.

The hackers launched a re-entrancy attack.

In a re-entrancy attack, the attacker tricks a protocol's contract into making an external call to an untrusted contract, which then calls back into the protocol before the first call has completed.

Both Agave and Hundred Finance, as decentralized blockchain protocols, did not prevent tokens with callbacks from being used, and that is what made the attack succeed.


Decentralized protocols continue to leverage blockchain networks to provide faster transactions and verification.

Aside from that, decentralized finance platforms continue to be the best option for investment, international transactions, and means of exchange.

DeFi protocols, and blockchain apps in general, are exposed to attack.

Because of the vast sums invested and the enormous volume of transactions across many locations, these apps are attractive targets for attacks and unauthorized access.

Despite all the efforts of blockchain developers to keep updating their security architecture and to verify transactions thoroughly, attackers still find a way in.

One recent attack saw the hackers siphon over $11 million from Agave and Hundred Finance.

This article gives more precise details of the attack and how it affected the two platforms.

Before moving on to how the attack was launched, let's define Agave and Hundred Finance.


What Is Agave?


Agave is a big brand with several subsidiaries, one of which is its blockchain platform and cryptocurrency.

Agave's token on the crypto market is AgaveCoin (AGVE).

Agave is a blockchain protocol run by a Decentralized Autonomous Organization (DAO).

The platform rewards depositors with passive income. Depositors can use their deposits as collateral for debt and lend digital assets.

The coin is a 100% utility token that allows industry players and stakeholders to participate and invest.

AgaveCoin is a decentralized finance protocol intended to enable trade, payments, and transactions in agricultural products.

As an AGVE token holder, you have voting power to drive strategy and make decisions.

Agave is built on Gnosis Chain, an Ethereum layer 2 (an EVM sidechain).

AGVE is a unique token because it allows for the purchase of, and transactions in, agricultural services across all the production chains of the agave industry.

Agave is a non-custodial money-market and lending protocol that leverages the blockchain network.


What Is Hundred Finance?


Hundred Finance is another decentralized finance (DeFi) app on the blockchain.

Hundred Finance is a decentralized application (dApp) that allows you to lend and borrow cryptocurrencies.

The app has its own cryptocurrency token for transactions and exchange, the HND token.

The interest rate on HND is calculated and expressed per token as an Annual Percentage Yield (APY).

Hundred Finance is a multi-chain protocol that integrates Chainlink oracles. The price data they supply supports market health and stability, and the protocol specializes in serving long-tail assets.

Hundred Finance is the successor to Percent Finance.

Since its launch, Hundred Finance has collaborated with Chainlink, Beethoven, Immunefi, SpookySwap, and others.


Having familiarized ourselves with AGVE and HND as blockchain apps and crypto tokens, let's dive into the attack that saw the loss of $11 million across both platforms.


The Agave And Hundred Finance Attack


The cryptocurrency space was thrown into a frenzy when the Agave and Hundred Finance admins tweeted that their respective wallets had been exploited.

It was reported that the attacker made off with about $11 million in Wrapped ETH (WETH), Wrapped BTC (WBTC), Chainlink (LINK), USD Coin (USDC), Gnosis (GNO), and Wrapped xDAI (WXDAI).

The hack was a re-entrancy attack on both Agave and Hundred Finance.

Re-entrancy is a well-known weakness of Solidity smart contracts. It lets an attacker trick a protocol's contract into making an external call to an untrusted contract, which then calls back into the protocol before that first call has completed.

The protocol's own call is made only once; from inside it, the attacker's contract repeatedly calls back into the protocol following the same pattern, siphoning away the protocol's funds.

In the case of Agave and Hundred Finance, the investigation showed that the attacker exploited a re-entrancy bug in both apps.

The bug immediately enabled a flash loan exploit: because each call followed the same pattern, the attacker could keep borrowing from the protocols.

The attacker also kept withdrawing funds without putting up additional collateral. The investigation eventually showed that the attacker's address had sent over 2,100 ETH, worth about $5.5 million, to a crypto laundering service.

Experts believe that several factors contributed to the attack's success. They are outlined below.


The Reasons For The Success Of The Attack


The reasons for the attack's success were relatively simple and easy to detect. They include:

Agave's developers allowed tokens with callbacks to be used for transactions on the platform.

The official bridged tokens on Gnosis Chain are not standard tokens. They carry a hook that notifies the token receiver on every transfer, and an attacker's contract that receives this notification can immediately call back into the protocol before the original transaction has finished.


Conclusion


The attack on Agave and Hundred Finance is not the first and won't be the last.

Shortly before the Agave and Hundred Finance re-entrancy attack, Cream Finance, a similar DeFi app, suffered a flash loan re-entrancy attack that siphoned about $19 million.

The impact of such an attack is always enormous. When Agave announced the attack, its token price dropped by 25%, while Hundred Finance's dropped by 5.8%.

While the events are unfortunate, developers must strengthen their re-entrancy guards. They should also change the governance protocol so that tokens with callbacks cannot be used for transactions.
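The following Solidity example is added here to illustrate the re-entrancy mechanism described in the attack section, the callback tokens named as the root cause, and the guard recommended above; it is not code from the article, Agave or Hundred Finance. IHookedToken, Pool, VulnerablePool and GuardedPool are hypothetical names, and the collateral bookkeeping is assumed to happen in a deposit path that is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical interface for a token whose transfer() notifies the receiving
// contract through a hook before returning, as the article describes for
// the bridged Gnosis tokens.
interface IHookedToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract Pool {
    IHookedToken public immutable token;
    mapping(address => uint256) public collateral; // credited by a deposit path not shown here
    mapping(address => uint256) public debt;
    constructor(IHookedToken t) { token = t; }
    function borrow(uint256 amount) external virtual;
}

// Vulnerable pattern: the transfer (and the receiver hook it fires) runs while
// debt[msg.sender] is still unchanged, so a receiver contract that calls
// borrow() again passes the same collateral check a second time.
contract VulnerablePool is Pool {
    constructor(IHookedToken t) Pool(t) {}

    function borrow(uint256 amount) external override {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        require(token.transfer(msg.sender, amount), "transfer failed"); // control leaves here
        debt[msg.sender] += amount; // recorded only after the hook has returned
    }
}

// Hardened pattern: checks-effects-interactions plus a mutex-style guard, so a
// hook-triggered re-entry either sees the updated debt or is rejected outright.
contract GuardedPool is Pool {
    uint256 private locked = 1; // 1 = unlocked, 2 = locked
    constructor(IHookedToken t) Pool(t) {}

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        debt[msg.sender] += amount; // effect first
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Either defence alone closes this particular hole; applying both is the usual practice, since the guard also covers re-entry through any other function that shares the same state.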



Author: Valentin A., Gate.io Researcher
This article represents only the researcher's views and does not constitute any investment suggestions.
Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all cases, legal action will be taken due to copyright infringement.