Decentralized finance (DeFi) projects have been suffering from major hacks this year, and the total amount lost through these hacks is only increasing even as the year ends. The latest victim of these hacks is Grim Finance.
Grim Finance is a DeFi platform that describes itself as a “compounding yield optimizer.” The platform’s objective is to deliver extra earnings from liquidity provider tokens. Users earn rewards if they lock their tokens from decentralized exchanges (DEXs) in a Grim vault.
Grim Finance hacked for $30M
Grim Finance lost $30 million following this hack. The platform has already confirmed that it suffered from an “advanced attack.” The protocol stated that “the exploit was found in the vault contract, so all of the vaults and deposited funds are currently at risk.”
Grim Finance is a protocol developed on top of the Fantom Opera blockchain. It has been developed using the Solidity language, and it is compatible with the Ethereum blockchain. The threat actor behind the attack used a reentrancy attack, which enabled them to make additional fake deposits into a vault. They tricked the protocol by making these additional deposits while the transaction was still ongoing.
“We have contacted and notified Circle (USDC), DAI and AnySwap regarding the attacker address to potentially freeze any further fund transfers,” the protocol noted in a tweet. However, despite the platform’s efforts to trace these funds, the threat actor has already moved them and hidden the transactions using stablecoin transfers.
The platform has already shared an audit of its vault contracts. The data shows that all deposits made into vaults on Grim Finance have been halted to ensure more funds are not stolen.
Attack could have been avoided
Cybersecurity researchers have discussed this attack on Grim Finance, noting ways that it could have been avoided. RugDoc, a security platform operating in the DeFi sector, stated that Grim Finance was to blame for the $30M loss.
The protocol failed to install a reentrancy guard, and the hackers used this to exploit it. “Hopefully, all projects can draw a lesson from this incident that there is much knowledge most experienced solidity devs have at hand. If you haven’t acquired this yet, don’t build multi-million dollar projects. Don’t get audits from companies which everyone knows are useless.”
The other weakness that RugDoc noted was that DeFi platforms should not choose the tokens to deposit on a protocol.
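The reentrancy guard referred to above, shown on a vault deposit function as an added example (not Grim Finance's contract and not code from RugDoc). The contract name ExampleVault, the single fixed token, the 1:1 share accounting and the balance-difference measurement are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Token interface. The token is an external contract, so every call
// into it hands control to code the vault does not own.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault for illustration only (assumed design, not Grim Finance's code).
contract ExampleVault {
    IERC20 public immutable want;               // the one token this vault accepts
    mapping(address => uint256) public shares;  // simplified 1:1 share accounting
    uint256 public totalShares;

    uint256 private _status = 1;                // 1 = not entered, 2 = entered

    constructor(IERC20 _want) {
        want = _want;
    }

    // Rejects any call that arrives while a guarded function is still running.
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    // The deposit is credited from the balance measured before and after the
    // external transferFrom call. Without nonReentrant, a call back into
    // deposit() made during transferFrom would run while the outer call is
    // still in progress, and the outer call would then count the nested
    // deposit as its own. With the guard, the nested call reverts.
    function deposit(uint256 amount) external nonReentrant {
        uint256 balanceBefore = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - balanceBefore;
        shares[msg.sender] += received;
        totalShares += received;
    }
}
```

Every externally callable function that changes vault balances or shares needs the same modifier, since a guard on deposit alone leaves the other entry points open to the same nested call.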
The Grim Finance exploit comes amidst an increase in DeFi-related hacks. In December alone, threat actors have made away with more than $600 million from different cryptocurrency protocols.
Some of the previously exploited protocols include Vulcan, an NFT marketplace, AscendEx, an exchange based in Singapore and BitMart exchange, which lost $200 million from a DeFi-related exploit.