
Hacker steals $30 million from Grim Finance protocol users

by v

Decentralised finance (DeFi) is not spared from hacks again this week. An attacker managed to steal 30 million dollars from the Grim Finance protocol, thanks to a relatively well-known re-entrancy attack.

Grim Finance has $30m stolen

Grim Finance (GRIM), a decentralised finance (DeFi) protocol, confirmed the news on its Twitter account. This Saturday, it was the victim of an attack resulting in the loss of $30 million in digital assets. The flaw directly affects the vaults, and all user funds are currently at risk.

The protocol is implemented on the Fantom Opera blockchain, built in the Solidity language and compatible with Ethereum (ETH). Grim Finance claims to be a “compound return optimizer”, meaning it promises to bring a return to your tokens by temporarily locking them into its vaults.


In its technical documentation, Grim states that it wants to “help users reap more rewards, without hassle”. Apparently not true.

What is this attack?

According to information from Grim Finance, the hacker used a fairly common “reentrancy” attack. This involves initiating a withdrawal request, then making several others simultaneously while the first one is still being executed. In this way, the attacker deceives the protocol and makes a withdrawal exceeding the total amount in the safe.

In such cases, the protocols usually only have security at the initiation and completion of your request. They first check that your safe has sufficient funds to make the withdrawal. Then there is an additional check at the validation of the transaction, mainly to calculate the fees charged.

If several requests to withdraw the entire safe are made before any one of them is validated, then each one will be authorised and you will be able to withdraw more than you actually have. This is the (very simplified) principle of a “reentrancy attack”.

What is the future of Grim Finance?

Reentrancy attacks are relatively common on Ethereum, and are starting to be well understood by the protocols. In fact, Rugdoc.io, a DeFi watchdog group made up of smart contract expert auditors, claims in a series of tweets that Grim Finance is directly to blame. The code should have contained a “reentrancy guard”, i.e. a specific protection against this type of attack.
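The withdrawal sequence described above, and the “reentrancy guard” that Rugdoc says should have been in place, as an added illustration written for this article (it is not Grim Finance’s code, nor the auditor’s): a vault that checks the balance, sends the funds, and only then reduces the balance, next to the same vault with the order fixed and a guard added. For clarity it holds the native coin and pays out with a low-level call, which hands control back to the caller; any external call that does the same (a token with transfer hooks, for example) opens the same window. The contract names and the minimal guard are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal reentrancy guard (assumption: same idea as OpenZeppelin's ReentrancyGuard,
// written out here so the example is self-contained).
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        // A nested call into any nonReentrant function reverts while the first is running.
        require(_status != ENTERED, "ReentrancyGuard: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

// VULNERABLE: "is there enough in the safe?" is checked, the funds are sent, and only
// afterwards is the recorded balance reduced. The external call in the middle hands
// control back to the caller while the old balance is still on record, so withdraw()
// can be entered again and pass the same check a second time.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient funds");   // check
        (bool ok, ) = msg.sender.call{value: amount}("");                 // interaction: control leaves
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;                                   // effect: recorded too late
    }
}

// HARDENED: two independent fixes, either of which closes the window.
// 1. Checks-effects-interactions: the balance is reduced *before* the external call,
//    so a re-entered withdraw() sees the reduced balance and fails the check.
// 2. nonReentrant: even if the ordering were wrong, a nested call reverts outright.
contract GuardedVault is ReentrancyGuard {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient funds");   // check
        balances[msg.sender] -= amount;                                   // effect, before control leaves
        (bool ok, ) = msg.sender.call{value: amount}("");                 // interaction
        require(ok, "transfer failed");
    }
}
```

The audit line quoted further down in this article (“ReentrancyGuard is used where necessary”) is exactly the claim worth verifying when reviewing a vault: every function that moves funds and makes an external call should carry the guard *and* update state before that call, since the modifier only protects functions it is actually applied to.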

“Let’s hope that all projects can learn from this incident. There is a lot of knowledge that most experienced Solidity developers have at their fingertips. If you haven’t figured it out yet, don’t build multi-million dollar projects. Don’t get audited by companies that everyone knows are useless,” reads one of the tweets.

Grim Finance went through Solidity Finance to audit the security of their protocol’s smart contract code. According to their report, “ReentrancyGuard is used where necessary to prevent reentrancy attacks”. Wrong again.

A blow to the economics of the Grim Finance ecosystem, the GRIM token was quick to take a hit from the news. The price dropped by more than 80%, from around $0.8 to just $0.15 at its lowest. At the time of writing, it is trading for $0.2.

GRIM token price evolution (Source: CoinGecko)



On Sunday morning, some vaults were temporarily opened for users to withdraw their funds. However, as of late afternoon, all deposits and withdrawals in Grim Finance vaults remain on hold to avoid any further incidents.
