According to Grim Finance, it was an “advanced attack” in which hackers exploited a flaw in the vault contract.
Grim Finance, a DeFi protocol and Smart Yield Optimizer Platform, has announced that the platform was hacked on Saturday the 18th in an “advanced attack” that allowed hackers to steal over $30 million worth of Fantom Tokens.
In a series of tweets, Grim Finance explained that the attack was possible because unknown attackers exploited a flaw in its vault contract. As a result, the platform has paused all the vaults to avoid further damage, as deposited funds are currently at risk.
“The attacker attacked using the function titled beforeDeposit() from our vault strategy entering a malicious token contract,” the Grim team said.
The malicious token contract can start 5 reentrancy loops from safeTransferFrom(), where in all 5 reentrancies, the _pool value is set to the current balance(). On the last safeTransferFrom(), the reentrancy loop is broken, and some want can be transferred to the strategy,
— Grim Finance (@financegrim) December 19, 2021
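The accounting failure the tweet describes can be reproduced in a simplified Python model, added here as an example that is not Grim Finance's contract code or part of the original article. The vault snapshots its balance before calling a caller-supplied token, so every nested call is credited for the single real deposit. The class names, the starting balances and the reentrancy guard shown as the mitigation are assumptions made for illustration.

```python
# Simplified accounting model; an assumption, not Grim Finance's contract code.
class Reentered(Exception):
    pass

class WantToken:
    """The vault's real deposit asset: a transfer moves balance into the vault."""
    def transfer_from(self, vault, amount, user):
        vault.want_balance += amount

class ReenteringToken:
    """Constructed stand-in for a caller-supplied token whose transfer hook
    calls back into the vault; only the innermost call moves real want."""
    def __init__(self, want, reentries):
        self.want, self.left = want, reentries
    def transfer_from(self, vault, amount, user):
        if self.left > 0:
            self.left -= 1
            vault.deposit_for(self, amount, user)   # nested call, same snapshot
        else:
            self.want.transfer_from(vault, amount, user)

class Vault:
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        # Constructed starting state: one honest holder with 1000 shares.
        self.want_balance, self.total_supply, self.shares = 1000, 1000, {"lp": 1000}

    def deposit_for(self, token, amount, user):
        if self.guarded and self.locked:
            raise Reentered("deposit_for re-entered during the token transfer")
        self.locked = True
        try:
            pool = self.want_balance                  # snapshot before the transfer
            token.transfer_from(self, amount, user)   # external call to an unchecked token
            credited = self.want_balance - pool       # every frame sees the same delta
            minted = credited * self.total_supply // pool
            self.total_supply += minted
            self.shares[user] = self.shares.get(user, 0) + minted
        finally:
            self.locked = False

def shares_for_one_deposit(guarded, reentries, amount=100):
    """Shares minted for one real deposit, or None if the guard reverts the call."""
    vault = Vault(guarded)
    try:
        vault.deposit_for(ReenteringToken(WantToken(), reentries), amount, "depositor")
    except Reentered:
        return None
    return vault.shares["depositor"]
```

With five reentries the unguarded model mints 771 shares for a deposit that should earn 100, while the guarded vault rejects the first nested call.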
Although all vaults have been paused, Grim Finance is allowing users to withdraw their funds by unpausing some.
Additionally, the Grim team has contacted Circle (USDC), DAI, and AnySwap regarding the attacker’s address to potentially freeze any further fund transfers.
Grim Finance is yet another addition to the list of crypto platforms that have suffered massive security breaches. On November 8th, hackers managed to steal $55 million worth of cryptocurrency from DeFi lender bZx through a phishing attack.
In another attack, on December 17th, the Ascendex cryptocurrency exchange announced it was hacked and attackers stole a whopping $77 million by exploiting a vulnerability to access its hot wallets.