Another DeFi protocol has become a victim of hacking. According to security researcher Vahe Karapetyan, the estimated loss for Grim Finance totals $40 million, and the attack used a vulnerability similar to others tied to flash loans and liquidity.
First of all, the hacker grabbed a flash loan for two tokens and added liquidity on SpiritSwap, which allowed him or her to mint SPIRIT liquidity rewards and make a deposit call.
Then a sequence of various commands allowed the hacker to gain control over a large amount of flash-loaned tokens. Using the Spirit LP token, the hacker was able to make a re-deposit, which allowed him to stack a large number of additional tokens.
Grim Finance (https://t.co/i6qxb1ObEy) got hacked 2 hours ago
Estimated loss: $40mln
One of the attacking transactions: https://t.co/BBWUq72CBN
Attack Analysis:
#FTM #ETH #BSC #GrimFinance #GrimExploit
— Vahe Karapetyan (@k3mmio) December 18, 2021
Currently, the transaction page shows more than 40 transactions made during the hacking sequence. The estimated loss was calculated by adding up all the transactions, including Bitcoin and the wrapped Fantom tokens.
The aforementioned funds have not yet been transferred to any exchange or address. With the majority of funds remaining on only one address, centralized exchanges would be able to limit the hacker's wallet, as in the Poly.Network case.
Series of DeFi hacks
Grim.Finance is not the first case of funds being stolen on the market. Previously, the Vee.Finance contract was hacked by an anonymous individual who stole $35 million in various cryptocurrencies.
While both cases could be considered quite significant, they cannot compete with the Poly Network hack that yielded $600 million. The stolen funds were returned, which raised numerous concerns in the DeFi community that the whole situation was a publicity stunt.
Only a month ago, ChainSwap, the cross-chain decentralized platform backed by Alameda Research, also became a victim of blockchain pirates, with more than 10 tokens being affected by the hack. Roughly $8 million worth of tokens were stolen from users.