
DeFi Protocols Agave and Hundred Finance Suffer Hack of $11M

By: Varuni Trivedi
Updated: Mar 16, 2022, 15:49 UTC

Another DeFi exploit has led Agave and Hundred Finance to pause operations while investigations into the hack continue.


Key Insights:

  • Over $11 million was drained from Agave and Hundred Finance in the latest DeFi exploit.
  • The attacker exploited a reentrancy bug and used a flash loan to siphon funds.
  • After the protocols announced the hack, their native tokens saw a dip.

Hacks of DeFi protocols have become a fixture of crypto markets as crypto crime has risen over the years. On Tuesday, another DeFi exploit came to light when an attacker siphoned over $11 million from Agave and Hundred Finance.

Flash Loan Reentrancy Attacks

Over $11 million was drained in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain. The attacker took the stolen funds in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI.

Both DeFi platforms confirmed the hacks through Twitter posts on Tuesday, stating that their contracts have been paused to avoid further damage. Agave also mentioned that its team is currently investigating the exploit on the Agave finance protocol.

The attacker exploited a reentrancy vulnerability in the two DeFi protocols.

Reentrancy is a smart-contract vulnerability, common in contracts written in the Solidity programming language, in which an attacker gets a protocol’s contract to make an external call to an untrusted contract before the protocol has finished updating its own state.

During that call, the attacker can use the untrusted contract to call back into the protocol repeatedly and drain its funds.

For Agave and Hundred Finance, the attacker exploited a reentrancy bug in both protocols in combination with a flash loan. This allowed the attacker to keep borrowing from the protocols.

Seemingly, the attacker was making repeated calls to withdraw funds without putting up additional collateral. Notably, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer to launder the stolen tokens.

Blockchain security researcher Mudit Gupta thinks that the hack was possible because the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. That hook enables reentrancy attacks.
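
The pattern described above, as an added example: a simplified Python model (not Agave or Hundred Finance code) of a token whose transfer calls the receiver, and a lending pool that records debt either after the transfer or before it behind a reentrancy guard. All class and function names and the amounts are hypothetical.

```python
class HookToken:
    """Constructed model of a token whose transfer() calls the receiver."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, receiver, amount):
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        if hook := getattr(receiver, "on_token_transfer", None):
            hook(amount)  # control passes to untrusted receiver code here

class Pool:
    """Hypothetical lending pool; hardened=False records debt after the transfer."""
    def __init__(self, token, liquidity, hardened):
        self.token, self.hardened, self.locked = token, hardened, False
        self.collateral, self.debt = {}, {}
        token.balances[self] = liquidity
    def borrow(self, user, amount):
        if self.hardened and self.locked:
            raise RuntimeError("borrow re-entered")  # reentrancy guard
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("undercollateralized")
        self.locked = True
        try:
            if self.hardened:  # effects before the external interaction
                self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)  # receiver hook runs here
            if not self.hardened:  # debt was stale while the hook ran
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self.locked = False

class Receiver:  # test double: a borrower whose hook calls borrow() again
    def __init__(self, pool, reentries):
        self.pool, self.left = pool, reentries
    def on_token_transfer(self, amount):
        if self.left > 0:
            self.left -= 1
            try:
                self.pool.borrow(self, amount)
            except (RuntimeError, ValueError):
                pass  # hardened pool refuses the nested call

def borrowed_vs_collateral(hardened):
    token = HookToken()
    pool = Pool(token, liquidity=1000, hardened=hardened)
    user = Receiver(pool, reentries=3)
    pool.collateral[user] = 100
    pool.borrow(user, 100)
    return token.balances[user], pool.collateral[user]
```

In the unhardened pool every nested call passes the collateral check because the debt is written only after the transfer returns; the same check run as a regression test catches a lending function that is unsafe with hook-bearing tokens.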

DeFi Attacks Rising

The recent attack marks the second flash loan exploit on the same day after Deus Finance DAO lost $3 million in a similar attack. Agave is a fork of the lending protocol Aave.

Gupta, however, believes that the difference between Aave and Agave is that ‘Aave actively checks for reentrancy before listing tokens on the main net to avoid similar attacks.’

After the attack, both protocols’ tokens saw a price decline. AGVE, the token of non-custodial money market and lending protocol Agave, lost over 25% of its value on Tuesday. Likewise, after announcing the exploit, Hundred Finance’s token HND was down 5.8%.

Notably, Cream Finance, another DeFi lending protocol with a similar codebase to Compound, suffered a flash loan reentrancy attack last summer. The exploit led to a $19 million loss in crypto from the protocol.

About the Author

A journalism post-graduate with a keen interest in emerging markets across South East Asia, Varuni’s interest lies in blockchain technology. As a financial journalist, she covers metric and data-driven stories with a tinge of commentary, and strongly believes in HODLing.
