Fintechs.fi

Fintech & Crypto News

$30 Million Stolen in a Reentrancy Attack on DeFi Protocol Grim Finance's Vault

Grim Finance, a decentralized finance (DeFi) protocol, was hacked for $30 million worth of tokens on Saturday. Grim Finance tweeted, “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk.”

Grim is a so-called “compounding yield optimizer,” which means that it promises extra value from the liquidity provider tokens that users receive from decentralized exchanges if they lock them up in a Grim vault. In their words:

“Helping users reap more rewards, hassle-free.”

Based on the Fantom Opera blockchain, Grim is a smart contract-enabled platform that is built using the Solidity language and is compatible with Ethereum. The hacker used a reentrancy attack, a technique in which additional deposits into a vault are faked while an initial transaction is still in progress, thereby fooling the system.

Grim contacted Circle (USDC), DAI, and AnySwap about the attacker's address so that further fund transfers could potentially be frozen, but the attacker had already been busy laundering the ill-gotten funds through stablecoin transfers.

According to Rugdoc.io, a DeFi watchdog group of smart contract auditors and investors, Grim Finance should have known better and used a reentrancy guard.
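A simplified Python model of the reentrancy pattern and of the guard Rugdoc.io refers to (an added example, not Grim Finance's contract code; the Vault, HonestToken and ReenteringToken classes and all amounts are constructed for illustration). It assumes a deposit function that credits shares from a balance measured after an external token call.

```python
class ReentrancyError(Exception):
    """Stands in for the revert a Solidity reentrancy guard would raise."""

class HonestToken:
    """The vault's real asset: a transfer simply moves funds into the vault."""
    def transfer_from(self, vault, sender, amount):
        vault.balance += amount

class ReenteringToken:
    """Constructed test double whose transfer hook calls back into deposit()."""
    def __init__(self, real_token, reentries):
        self.real_token, self.reentries = real_token, reentries

    def transfer_from(self, vault, sender, amount):
        if self.reentries > 0:
            self.reentries -= 1
            vault.deposit(self, sender, amount)             # nested deposit
        else:
            vault.deposit(self.real_token, sender, amount)  # one real transfer

class Vault:
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.balance, self.shares = 0, {}

    def deposit(self, token, depositor, amount):
        if self.guarded and self.locked:
            raise ReentrancyError("deposit() re-entered")   # guard rejects nested call
        self.locked = True
        try:
            before = self.balance
            token.transfer_from(self, depositor, amount)    # external call
            credited = self.balance - before                # computed after the call
            self.shares[depositor] = self.shares.get(depositor, 0) + credited
        finally:
            self.locked = False

def run_scenario(guarded, reentries=2, amount=100):
    """Return (tokens held, shares credited, reverted) for one deposit call."""
    vault = Vault(guarded)
    try:
        vault.deposit(ReenteringToken(HonestToken(), reentries), "user", amount)
        reverted = False
    except ReentrancyError:
        reverted = True
    return vault.balance, vault.shares.get("user", 0), reverted

if __name__ == "__main__":
    print(run_scenario(guarded=False), run_scenario(guarded=True))
```

Without the guard, a single 100-token transfer ends up credited as 400 shares; with the guard, the nested call reverts and nothing is credited.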

Rugdoc.io wrote in a series of tweets:

“Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand. If you haven’t acquired this yet, don’t build multi-million dollar projects. Don’t get audits from companies which everyone knows are useless.”

Grim Finance tweeted that the Tshare Masonry Vault is open for fund withdrawal.

https://twitter.com/financegrim/status/1472658789950238723
