GYM Network Protocol Hacked, $2.1 Million Stolen: Here's How

Wed, 06/08/2022 - 15:23
Vladislav Sopov
An error in a single function of a liquidity pool codebase resulted in seven-digit losses

GYM Network is a cross-protocol DeFi aggregator designed to optimize the process of yield farming on BNB Chain and make it straightforward for newbies.

GYM Network allowed balances to be increased without actually depositing money

According to a statement shared by cybersecurity provider PeckShield, one of GYM Network's components, GymSinglePool, was attacked today, June 8, 2022.

The pool's architecture lacked caller verification: attackers were able to increase their balances without actually depositing funds.

This design flaw was exploited, and more than $2.1 million was stolen. The attackers immediately started moving their loot to the Tornado Cash transaction-obfuscating service.

GYM, a core native utility and governance token of the protocol, immediately lost over 50% of its price, plunging from $0.00099 to $0.00048.
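A minimal Solidity sketch of the flaw class described above, as an added example that is not GYM Network's or PeckShield's code: a pool function meant for a sibling contract credits a balance without checking its caller, shown next to the restricted version. All contract and function names, and the idea of a single authorized helper contract, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration; every name here is hypothetical, not GymSinglePool code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

abstract contract PoolLedger {
    IERC20 public immutable token;
    mapping(address => uint256) public credited; // internal balance per user
    uint256 public totalCredited;
    constructor(IERC20 _token) { token = _token; }
    function _credit(address user, uint256 amount) internal {
        credited[user] += amount;
        totalCredited += amount;
    }

    // Normal path: the credit is backed by a token transfer in the same call.
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _credit(msg.sender, amount);
    }

    // Invariant for tests and monitoring: credits never exceed tokens held.
    function isBacked() external view returns (bool) {
        return token.balanceOf(address(this)) >= totalCredited;
    }
}

// FLAWED: intended for a sibling contract that has already moved the tokens in,
// but callable by anyone, so credit can be created with no tokens received.
contract PoolUnchecked is PoolLedger {
    constructor(IERC20 _token) PoolLedger(_token) {}
    function creditFromHelper(address user, uint256 amount) external {
        _credit(user, amount);
    }
}

// HARDENED: identical bookkeeping, restricted to the one authorized caller.
contract PoolChecked is PoolLedger {
    address public immutable helper;
    constructor(IERC20 _token, address _helper) PoolLedger(_token) { helper = _helper; }
    function creditFromHelper(address user, uint256 amount) external {
        require(msg.sender == helper, "caller not authorized");
        _credit(user, amount);
    }
}
```

Asserting `isBacked()` after every state-changing call in a test suite flags the unchecked variant, because its ledger can grow while the token balance stays flat.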

More protocols at risk?

Ironically, the protocol was audited twice by PeckShield itself and by CertiK. It also leverages Alpaca Finance's codebase, which was audited 20 times.

Blockchain researcher Kyrian Alex (Kyrian.sol) highlighted that GYM Network is far from being the only protocol that contains a similar design flaw:

This isn't the first protocol being hacked because of "lack of caller verification". Seems I'll have to check out a lot of these clone protocols looking for this same vulnerability.

Team representatives confirmed the attack. GYM Network's community coordinator explained that the vulnerability was found in a new "Claim and Reinvest" feature deployed two days ago.

By press time, the source of the bug had been identified and fixed, the team adds.

About the author

Blockchain Analyst & Writer with scientific background. 6+ years in IT-analytics, 3+ years in blockchain.

Worked in independent analysis as well as in start-ups (, Monoreto, Attic Lab etc.)