This week again, decentralized finance (DeFi) has not been spared by hacks. An attacker managed to steal $30 million from the Grim Finance protocol by means of a relatively well-known “reentrancy” attack.

Grim Finance loses $30 million to a hack

Grim Finance (GRIM), a decentralized finance (DeFi) protocol, confirmed the news on its Twitter account: this Saturday it was the victim of an attack that resulted in the loss of $30 million in digital assets. The flaw directly affects the “vaults” (the contracts that hold user funds), so all user funds are currently at risk.

The protocol runs on the Fantom Opera blockchain, is written in Solidity and is compatible with Ethereum (ETH). Grim Finance presents itself as a “compound returns optimizer”, that is, it promises to earn a return on your tokens by temporarily locking them in its vaults.

In its technical documentation, Grim says it wants to “help users reap more rewards, without hassle.” Failed, it would seem.

What does this attack consist of?

According to Grim Finance, the hacker reportedly used a fairly common “reentrancy” attack. This involves initiating a request to withdraw funds and then making several more while the first is still in progress. The attacker thereby deceives the protocol and withdraws more than the total amount held in the vault.

In such cases, a protocol's safeguards typically run only when a request is initiated and when it is finalized. It first checks that your vault holds enough funds to cover the withdrawal. A further check is then performed when the transaction is validated, mainly to compute the fees charged.

Suppose we manage to submit several requests to withdraw the entire vault simultaneously, before any one of them has been validated. Each will then be authorized, and we can withdraw more than we actually hold. That is the (very simplified) principle of a “reentrancy attack”.

What is the future of Grim Finance?

“Reentrancy” attacks are relatively common on Ethereum and are starting to be well understood by protocols. Moreover, Rugdoc.io, a DeFi watchdog group made up of expert smart contract auditors, claims in a series of tweets that the fault lies squarely with Grim Finance. The code should have contained a “reentrancy guard”, that is, a specific protection against this type of attack.

“Hopefully all projects can learn from this incident. There is a lot of knowledge that most experienced Solidity developers have right at their fingertips. If you haven’t figured it out yet, don’t build multi-million dollar projects. Don’t get audited by companies that everyone knows are useless,” one of the tweets read.

Grim Finance engaged the firm Solidity Finance to audit the security of its protocol's smart contracts. According to their report, “ReentrancyGuard is used where it is needed to prevent reentrancy-type attacks.” Failed, once again.
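To make the mechanism sketched under “What does this attack consist of?” concrete, and to show what the “ReentrancyGuard” named in the audit report actually does, here is an illustration added for this article. It is not Grim Finance's code, nor Solidity Finance's, and every name in it (VaultUnsafe, VaultSafe, balances, status) is invented for the example. Both contracts hold plain Ether rather than a yield-bearing token so that the ordering mistake stays visible; the compiler line is pinned to 0.7.x, whose unchecked arithmetic matches the classic form of the bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;

// Added illustration, not Grim Finance's code. Two versions of the same
// minimal Ether vault: the first repeats the ordering mistake that makes a
// reentrancy attack possible, the second closes it.

// VULNERABLE PATTERN: the balance check passes, then Ether is sent with an
// external call BEFORE the balance is reduced. If the recipient is a
// contract, its receive() hook runs inside that call and can call withdraw()
// again while balances[msg.sender] still shows the old, undebited amount, so
// the check passes again. Only afterwards do the deferred subtractions run,
// and with 0.7 arithmetic they silently wrap instead of reverting.
contract VaultUnsafe {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        (bool ok, ) = msg.sender.call{value: amount}("");                // interaction (too early)
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;                                  // effect (too late)
    }
}

// HARDENED PATTERN, two independent layers:
//  1. checks-effects-interactions: debit the balance before the external
//     call, so a re-entered withdraw() sees the reduced balance and fails
//     its own check;
//  2. a reentrancy guard: a status flag set on entry and cleared on exit,
//     so any nested call into a guarded function reverts outright. This is
//     a hand-written equivalent of OpenZeppelin's ReentrancyGuard, the kind
//     of protection the audit report refers to.
contract VaultSafe {
    mapping(address => uint256) public balances;

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        balances[msg.sender] -= amount;                                  // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");                // interaction last
        require(ok, "transfer failed");
    }
}
```

Reading the two together: the vulnerability is not the balance check itself but the fact that state is updated after control has left the contract. Reordering to checks-effects-interactions fixes that; the guard is a second line of defence for functions where an external call cannot be moved to the end (any token transfer to a caller-controlled address counts as such a call, not only a raw Ether send). When reviewing a vault, the question to ask of every function is therefore where its external calls sit relative to its state writes, and whether an unguarded entry point shares state with a guarded one.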

A blow to the economy of the Grim Finance ecosystem: the GRIM token was quick to react to the news. Its price fell by more than 80%, from around $0.8 to just $0.15 at its low. As of this writing, it is trading at $0.2.

Chart: GRIM token drop. Evolution of the GRIM token – Source: CoinGecko

On Sunday morning, some vaults were temporarily reopened so that users could withdraw their funds. Since late afternoon, however, all deposits and withdrawals in Grim Finance's vaults have been paused to avoid any further incidents.
