Grim Finance describes the hack as an “advanced attack,” explaining that the attacker exploited reentrancy loops in the protocol’s vault contract to fake five additional deposits into a vault while the platform was still processing the first deposit.
Grim Finance’s funds were stolen through a reentrancy exploit. This class of bug is common in Solidity, the smart-contract language used on the Ethereum and Fantom blockchains. Attackers gain control of assets held by a vulnerable contract by getting it to call an untrusted contract they control in the middle of a transaction, which lets them manipulate the vulnerable contract’s state while it is still inconsistent. Grim Finance’s yield-compounding vaults were the target this time.
“We inform you that our platform was exploited today by an external attacker roughly 6 hours ago. The attacker’s address has been identified with over 30 million dollars worth of theft here,” tweeted the developers of the project on Sunday morning. “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company said in a separate tweet.
Grim has paused all vaults following the attack to prevent further funds from being put at risk: “We have paused all vaults in order to prevent any further funds from being at risk, please withdraw your funds immediately.”
According to Grim, the team has also notified major cryptocurrency operators such as Circle (USDC), DAI, and the cross-chain communication protocol AnySwap of the attacker address to prevent further transfers of the funds.
According to data from Fantom’s (FTM) blockchain explorer as of December 19, the Grim Finance Exploiter address continues to trade. The single address associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) and $13,700 in FTM tokens.
Because the protocol failed to implement appropriate reentrancy protection, some in the crypto community have suggested that Grim Finance should be held accountable for the exploit. Rugdoc.io, a DeFi security platform, argued that the protocol granted the user “more permission than was required”.
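As an added illustration (written for this page, not Grim Finance’s contract code), the following Python model reproduces the deposit-accounting pattern that reentrant “fake deposits” abuse: the vault snapshots its balance, calls whatever token contract it was handed, then credits shares from the balance delta, so every nested frame shares one stale snapshot and one real transfer is credited once per frame. The vault, tokens and user names are constructed assumptions; the two switches model the fixes the commentary points at, a nonReentrant-style lock and refusing caller-chosen tokens.

```python
class HonestToken:
    """Stand-in for the vault's real underlying token: a transfer just raises the vault balance."""
    def transfer_from(self, user, vault, amount):
        vault.balance += amount


class ReenteringToken:
    """Constructed attacker 'token': transfer_from re-enters deposit() before any tokens move."""
    def __init__(self, real_token, depth):
        self.real_token, self.depth, self.calls = real_token, depth, 0

    def transfer_from(self, user, vault, amount):
        self.calls += 1
        if self.calls <= self.depth:
            vault.deposit(self, amount, user)                  # nested deposit, balance still unchanged
        else:
            self.real_token.transfer_from(user, vault, amount)  # the single real transfer, deepest frame


class Vault:
    def __init__(self, want, reentrancy_guard=False, restrict_token=False):
        self.want = want                                # the only token the vault should accept
        self.balance, self.total_shares, self.shares = 0, 0, {}
        self.reentrancy_guard, self.restrict_token, self._locked = reentrancy_guard, restrict_token, False

    def deposit(self, token, amount, user):
        if self.restrict_token and token is not self.want:
            raise ValueError("unexpected token")         # fix: never call a caller-chosen contract
        if self.reentrancy_guard and self._locked:
            raise RuntimeError("reentrant call")          # fix: nonReentrant-style lock
        self._locked = True
        try:
            pool_before = self.balance                    # snapshot taken before the external call
            token.transfer_from(user, self, amount)       # untrusted external call
            received = self.balance - pool_before         # each unwinding frame sees the same delta
            minted = received if pool_before == 0 else received * self.total_shares // pool_before
            self.total_shares += minted
            self.shares[user] = self.shares.get(user, 0) + minted
        finally:
            self._locked = False


def simulate(reentrancy_guard=False, restrict_token=False, depth=5):
    """Seed 1000 honest tokens, then attempt a 100-token deposit that re-enters `depth` times."""
    real = HonestToken()
    vault = Vault(real, reentrancy_guard, restrict_token)
    vault.deposit(real, 1000, "alice")
    try:
        vault.deposit(ReenteringToken(real, depth), 100, "mallory")
    except (RuntimeError, ValueError):
        pass                                              # hardened vault rejects the whole transaction
    return vault.shares.get("mallory", 0), vault.total_shares, vault.balance
```

With five re-entries the unguarded vault credits six deposits (771 shares) for 100 tokens actually received; either fix leaves the attacker with nothing.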