DeFi: More than 11 million dollars stolen from the Hundred Finance and Agave protocols

by Thomas

Decentralised finance (DeFi) saw three hacks in the same day. After Deus Finance, the Agave and Hundred Finance protocols suffered a theft equivalent to over 11 million dollars. Investigations are still ongoing and we still don’t know if a refund for the affected users is planned.

Hack on Agave and Hundred Finance

Tough day for decentralised finance (DeFi): the Hundred Finance and Agave protocols both suffered an exploit, shortly after the Deus Finance hack earlier in the day.

In total, more than 11 million dollars were stolen from the Gnosis Chain (xDai) by the hacker. The theft was made possible by a function introduced in one of the deployed contracts, which allowed the thief to borrow money before the protocols could account for it. This is commonly referred to as a “reentrancy attack”, which is unfortunately a fairly common form of exploit.

A flaw directly in one of the tokens

The hacker initially deposited the equivalent of $2 million in collateral via a flash loan, then stole around $1.5 million across several different tokens and was able to repeat the action several times, before the protocol had even calculated the loan-to-value ratio. As a result, the amount borrowed was greater than the amount deposited as collateral, preventing the protocol from liquidating the position.

Finally, the individual ended the exploit via the “liquidationCall” function, allowing him to walk away with the stolen funds after paying back the initial loan.

According to several analysts, the internal code of Agave and Hundred Finance, forks of Aave and Compound respectively, is not to blame. Instead, the flaw is said to come directly from tokens with security problems, which made this reentrancy possible.

Note that Aave does not have to worry about suffering the same fate, since all tokens are carefully studied before being listed on the platform, in particular to ensure that reentrancy is not possible.
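The ordering problem described in this section, as a small Python model added here for illustration (it is not code from Agave, Hundred Finance or the tokens involved). The token's transfer hook, the 75% loan-to-value limit and all names are assumptions; the $2 million and $1.5 million figures are the article's.

```python
# Constructed model, not Agave or Hundred Finance code. The 75% limit, the
# class names and the on_receive hook are assumptions for illustration.

class CallbackToken:
    """Token that notifies the receiver during transfer (the risky hook)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, src, dst, amount):
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        dst.on_receive(amount)  # control leaves the pool mid-borrow

class Pool:
    def __init__(self, token, liquidity, safe):
        self.token, self.safe = token, safe
        self.collateral, self.debt = {}, {}
        token.balances[self] = liquidity
    def limit(self, user):
        return self.collateral.get(user, 0) * 75 // 100
    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.limit(user):
            raise RuntimeError("exceeds loan-to-value limit")
        if self.safe:  # hardened: record the debt, then transfer
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)
        else:          # vulnerable: the hook runs while debt is still stale
            self.token.transfer(self, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount

class Receiver:
    """Account whose token hook calls borrow() again before the first returns."""
    def __init__(self, pool, rounds):
        self.pool, self.rounds = pool, rounds
    def on_receive(self, amount):
        if self.rounds > 0:
            self.rounds -= 1
            try:
                self.pool.borrow(self, amount)
            except RuntimeError:
                pass  # nested borrow refused: debt was already recorded

def simulate(safe, rounds=3):
    token = CallbackToken()
    pool = Pool(token, liquidity=10_000_000, safe=safe)
    user = Receiver(pool, rounds)
    pool.collateral[user] = 2_000_000  # collateral figure from the article
    pool.borrow(user, 1_500_000)       # borrow figure from the article
    return pool.debt[user], pool.limit(user)
```

`simulate(safe=False)` returns a recorded debt four times the limit, because every nested call passed the check against a debt of zero; `simulate(safe=True)` stays at the limit because the debt is written before the token is allowed to call out.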

What impact for protocols?

Currently, it seems impossible to recover the funds. They have already passed through the mainnet and a rollback is no longer possible, although the smart contracts concerned were quickly paused. Moreover, part of the funds has already passed through the Tornado Cash mixer, severely limiting the possibility of tracing them.

As investigations are still ongoing, we do not yet know if any reimbursement measures are envisaged by the various teams.

Regarding the tokens related to the two protocols, the Hundred Finance (HND) token was not really impacted, as it had already been in a downward trend since the beginning of February.

However, the Agave token, AGVE, has dropped sharply from $69.5 to the current $53.2.

7 day AGVE token price