DeFi protocol Grim Finance said about $30 million was stolen this weekend by hackers exploiting a vulnerability in their platform.
In a statement posted to Twitter on Saturday, Grim Finance said “an advanced attack” was taking place and initially paused all vaults to prevent more attacks.
“The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company explained on Saturday night. “We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”
Solidity Finance, a DeFi auditing firm, released an apology for missing the vulnerability that led to the incident. They audited Grim Finance just four months ago.
The company said the cause of the issue was “the ability of users to input arbitrary addresses and have them called within the depositFor function.”
“Via reentrancy, the issue allowed users to falsely increase their shares in Grim’s vaults and subsequently withdraw more than they had deposited,” Solidity Finance wrote on their website before linking to a longer Twitter thread where they said a new analyst missed the vulnerability while their CTO was on vacation.
“When conducting the Grim Finance audit ~4 months ago, our firm was experiencing rapid growth and hiring. This audit was performed by an analyst who was new to the team and while our CTO was on vacation; and unfortunately this issue was not caught in our peer review process.”
The thread goes on to explain the technical details of the attack and said the code that was exploited was present in multiple vaults, resulting in a loss of funds across the platform’s vaults.
Some DeFi security experts noted that having a before-after pattern without reentrancy guard “is a big no-no.” RugDoc.io explained that a “before-after pattern is a section of code that checks the vault balance before and after your deposit to figure out how much was actually received by the vault.”
“This helps with transfer-tax tokens where the amount sent does not equal the amount received. However, what happens if we can do a second deposit while the first deposit is still ongoing?” RugDoc.io wrote, adding that Grim Finance did not have a “reentrancy guard on a pattern that absolutely needs it” and gave users more privilege than is necessary.
Solidity Finance said they regularly recommend fixing the issue but it “slipped through” their process while they were “overwhelmed and onboarding new analysts in August.”
They have scanned all of their earlier audits and confirmed that Grim Finance had the only codebase where the vulnerability was present. Of the 900 audits they’ve done, Grim becomes the second exploit that they have missed, according to their records.
The attack on Grim Finance adds to a whirlwind year for DeFi hacks. Last week, more than $77 million was stolen from AscendEX and days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from their users.
Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform.