‘Unlucky:’ Agave and Hundred Finance DeFi protocols exploited for $11M
Agave and Hundred Finance have paused operations while investigations continue into the exploit.
Hundred Finance: A multi-chain lending protocol using the veHND model; it integrates with Chainlink oracles to ensure market health and stability.
A hacker has made off with approximately $11 million in wrapped ETH (wETH), wrapped BTC (wBTC), Chainlink (LINK), USD Coin (USDC), Gnosis (GNO) and wrapped XDAI (wxDAI) after using a “re-entrancy” attack on decentralized finance (DeFi) lending protocol applications Agave and Hundred Finance.
The attack comes within 24 hours of the news breaking of the Deus Finance exploit, where hackers stole over $3 million in Dai (DAI) and Ether (ETH) from the lending contract platform.
Agave token AGVE dropped by 20% following the attack, according to data from CoinGecko. Hundred Finance’s token HND fell 3.5% after it announced the exploit. However, it has since recovered to hit a 24-hour high.
“Agave is currently investigating an exploit on the agave finance protocol,” Agave tweeted on Tuesday. “We will update you as soon as we know more.” It noted that contracts have been paused until the situation is resolved.
The Hundred Finance team also tweeted that it was exploited on the Gnosis chain and has paused its markets while pursuing investigations.
According to on-chain analysis, the address associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.
The Agave contract on xDai Chain was attacked due to an untrusted external call. The attacker called the `liquidateCall` function to liquidate himself without any debt. During the liquidation process, the liquidation contract called the attacker contract. During that call, the attack contract deposited 2728 WETH obtained through a flash loan, minted 2728 aWETH, and used it as collateral to borrow all available assets in the Agave project. After the external call ended, the `liquidateCall` function directly liquidated the 2728 aWETH previously deposited by the attacker and transferred it to the liquidator.
Attack transaction: https://blockscout.com/xdai/mainnet/tx/0xa262141abcf7c127b88b4042aee8bf601f4f3372c9471dbd75cb54e76524f18e
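The flaw described above, and the effect of a re-entrancy guard on it, shown as a toy Python model. This is an added illustration, not Agave's contract code: the `ToyPool` class, its method names and the liquidity figure of 1000 are constructed for the example, and only the 2728 deposit comes from the article.

```python
class Reentered(Exception):
    """Raised by the guard; stands in for an on-chain revert."""

class ToyPool:
    """Constructed toy lending pool (hypothetical, not Agave's contract code)."""
    def __init__(self, liquidity, guarded):
        self.liquidity = liquidity   # assets available to borrow
        self.collateral = {}         # user -> collateral units
        self.debt = {}               # user -> borrowed units
        self.guarded = guarded
        self.locked = False

    def _check_guard(self):
        if self.guarded and self.locked:
            raise Reentered("pool re-entered during external call")

    def deposit(self, user, amount):
        self._check_guard()
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        self._check_guard()
        free = self.collateral.get(user, 0) - self.debt.get(user, 0)
        if amount > min(free, self.liquidity):
            raise ValueError("insufficient collateral or liquidity")
        self.debt[user] = self.debt.get(user, 0) + amount
        self.liquidity -= amount

    def liquidate(self, user, callback):
        self._check_guard()
        self.locked = True
        try:
            callback(self)           # untrusted external call mid-liquidation
        finally:
            self.locked = False
        # Settles on whatever state the callback left behind.
        return self.collateral.pop(user, 0)

def unbacked_debt(guarded, liquidity=1000, flash=2728):
    """Return debt left without collateral after one liquidation call."""
    pool = ToyPool(liquidity, guarded)
    def callback(p):                 # models the callee re-entering the pool
        p.deposit("caller", flash)
        p.borrow("caller", p.liquidity)
    try:
        pool.liquidate("caller", callback)
    except Reentered:
        pass                         # whole call reverts; no state was changed
    return sum(pool.debt.values()) - sum(pool.collateral.values())
```

Without the guard, the pool ends the call holding debt with no collateral behind it; with the guard, the nested `deposit` is rejected and the pool's state is unchanged.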
ref: Cointelegraph