Last week there were, unfortunately, multiple hacks on a few different protocols. This article will describe how two hacks on Deus Finance and Agave happened as well as what the impact was. Especially important for people building protocols and anyone fascinated by the DeFi space. Ready? Let’s dive in.
Deus Finance
This hack exposes one of the biggest challenges of crypto protocols: Oracles. Those are external data streams used by smart contracts to make decisions on what to do. It is critical for the data to be correct and reflect the actual real-world data.
For example, on Compound, a lending and borrowing protocol, you need to have a minimum percentage of collateral. If you go under, you get liquidated. You can imagine how important it is that Compound uses the right oracle for feeding the smart contract with the data it needs to make that liquidation decision.
The hacker manipulated the Oracle, feeding the Deus smart contract the wrong data, allowing the attacker to withdraw $3 million worth of $DEI and $ETH. Before we dive deeper into the nitty-gritty, let’s look first at what the protocol does.
Deus Finance is a multi-token DeFi marketplace. This means that other protocols can build on top of Deus to offer products like tokenized stocks, crypto trading platforms, and other DeFi tools.
Deus Finance uses the Muon Oracle for providing off-chain data to the smart contracts. The hacker managed to attack the Oracle and manipulate the price of USDC/DEI pools. This caused a de-peg of the stablecoins from their targeted $1 value. It resulted in a cascade of liquidations and users becoming insolvent.
This allowed the hacker to buy tokens for 80 cents to the Dollar (not exactly that amount, but you get the idea). All in all, a clever hack and a good lesson for Deus and the rest of DeFi to assure highly secure Oracles.
Deus Finance and Muon announced that they were already discussing the possibility of such an attack prior to this exploit. They just didn’t have the time yet to implement the solution. Now they did and the stolen funds have been returned to the victims from the Deus team’s wallets and the Deus DAO. A generous attempt to restore community trust.
Gnosis Chain
Another common challenge in DeFi is known as a reentrancy attack. This allows the user to modify the transaction in the middle. Imagine sending an e-mail and before the e-mail lands at the other inbox, modifying it while it is traveling there.
This might sound trivial at first, but if you consider that some smart contracts are designed to already take an action such as doing a swap or lending assets while the transaction is still in the air it suddenly becomes really critical.
This is exactly what happened at Gnosis Chain. Agave, a fork of Aave, and Hundred Finance, a fork of Compound, got exploited. Let’s start with the latter.
Hundred Finance is a borrowing and lending protocol. You deposit an asset and in return, you can lend another. Sounds simple right? Remember the email that was interrupted midway towards the receiver?
Exactly that happened on Hundred Finance. The hacker deposited $2 million and took out $1.5 million as collateral. However, prior to the collateral transaction being irreversibly received by Hundred Finance, the hacker used the same $2 million to initiate another loan, again taking out $1.5 million. The hacker continued doing that until there were no available assets in the pool.
On Agave, also a borrowing and lending protocol, a similar attack happened, using the same smart contract vulnerability. Compound and Aave review tokens prior to them being listed, to assure such reentrancy attacks cannot occur.
The Agave and Hundred Protocol teams did not do that, which resulted in the loss of these funds. Reentrancy attacks are not new. Even the DAO hack that happened back in 2016 used such an attack.
About Lossless
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from Lossless’ known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Lossless protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Its solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.
Twitter | Telegram | Discord | Website | Documentation | Github
