Two more DeFi protocols are hacked for over $11 million

On the same day as the DeFi Deus Finance protocol hacking attack, two other decentralized finance (DeFi) platforms were targeted by attackers.

The Agave and Hundred Finance protocols were exploited in a new “reentry” attack case. The breach resulted in the loss of approximately $11 million. 

The stolen cryptocurrencies were: Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis and Wrapped XDAI in both protocols.

The Hundred Finance team, fork of the Compound protocol, confirmed the attacks on their Twitter account on Tuesday:

Unfortunately Hundred and Agave have both been exploited on Gnosis chain today. Gnosis team is aware, investigation is ongoing.

All the Hundred markets on all chains paused for now.

These are the two transactions:
Hundred https://t.co/mdtViohijn
Agave https://t.co/RKB5MVx0O4

— Hundred Finance (@HundredFinance) March 15, 2022

The Agave team – a fork of the DeFi Aave lending platform – also informed the community via Twitter:

“Agave is currently investigating an exploit in the Agave financial protocol. We will update you as soon as we know more.” tweeted. “Contracts have been put on hold until we figure out how to resolve the situation.”

Hack details

According to Tenderly data, in both cases the hacker exploited a re-entry bug, which is a vulnerability in the programming language.

This flaw allows a malicious entity to breach a protocol’s smart contract to make an external call to an untrusted contract to drain your funds.

In other words, the vulnerability allows the attacker to continue lending cryptocurrencies before applications can calculate debt and prevent further borrowing.

The address associated with the attacker sent over 2,100 ETH, worth over $5.5 million, to a crypto asset mixer to launder the stolen tokens.

As mentioned, the attacks in question mark three exploits practically in a row on the same day. Deus Finance protocol lost more than $3 million worth of Dai (DAI) and Ether (ETH) in the attack.