DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

An apparent security flaw in the Grim Finance protocol allowed the attacker to fake five additional deposits.

The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.

Grim Finance officially announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.

Grim paused all vaults after the attack to minimize the risk for future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”

Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.

Grim Finance positions itself as a “compounding yield optimizer” built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.

According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.

Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.”

5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token

— Rugdoc.io (@RugDocIO) December 18, 2021

Related: Finance Redefined: Two DeFi hacks top $120M, and $500M Algo Fund launches, Nov. 26–Dec. 3

The rising popularity of DeFi has triggered a number of new challenges for the cryptocurrency industry as hackers were rushing to exploit the flaws of the emerging industry. In early December, DeFi protocol BadgerDAO was reportedly exploited to the tune of $120 million.