Grim Finance Exploited For $30m In Reentrancy Attack

The past weekend has been a nightmare for Grim Finance, a compounding yield optimization protocol built on Fantom Opera's permissionless blockchain.

The decentralized finance project alerted its users regarding an attack to its platform. According to the Grim Finance team, some $30 million worth of crypto assets have been extracted from its bursary, which were then promptly tracked to a specific address from an external threat actor.

Hello Grim Community,It is with heavy hearts that we inform you that our platform was exploited today by an external attacker roughly 6 hours ago. The attackers address has been identified with over 30 million dollars worth of theft here https://t.co/qA3iBTSepb

— Grim Finance (@financegrim) December 19, 2021

Grim Finance's team further disclosed that the attacker managed to get seize control of one of its vault contracts, which then allowed the threat actor to extract Fantom ($FTM) tokens as well as a slew of other tokens stored in the vaults.

As stated in Grim Finance's community security disclosure, the vaults have thereafter been paused and sealed, with its users advised to withdraw their respective funds from the platform.

"We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds IMMEDIATELY." stated Grim Finance.

Grim Finance's project operates as a "compounding yield optimizer," which works as an additional layer for liquidity provision, extending the capabilities of decentralized exchanges once users lock up their tokens to the Grim yielding vault. As a protocol built on top of the Fantom Opera blockchain, Grim Finance has access to smart contract-enabled functionalities, as well as compatibility with the Ethereum Virtual Machine (EVM) for its automated market making (AMM) functions.

“We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.” stated Grim Finance.

According to reports from DeFi security and auditing group Rugdoc.io, the threat actor in question used a "reentrancy" attack vector which would have been easily avoided by placing security measures such as a reentrancy guard. This attack vectory exploits a vault's contract by issuing fake additional deposits while an initial transaction is still underway, effectively bypassing a protocol's address identification by flipping authentication.

"Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand. If you haven't acquired this yet, don't build multi-million dollar projects. Don't get audits from companies which everyone knows are useless." Rugdoc.io stated.

According to Grim Finance's latest update on the matter, they have reopened the "Tshare Masonry Vault" to allow users to withdraw before the protocol itself becomes permanently closed.

During the attack, the protocol's native $GRIM token fell by 80%, going from roughly $0.79 to $0.15 in a matter of hours. The protocol has since recovered by a slim margin, but it is still down by 89% from its most recent ATH of $1.84 which it reached sometime in late October.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.