Grim Finance is the latest DeFi platform to suffer a massive security breach. On Saturday, hackers made off with $30 million worth of Fantom tokens from Grim Finance, a smart yield optimizer platform, after gaining access to its vault contract. The attacker used Ethereum and Binance Smart Chain wallets, routed through Tornado Cash.
According to Grim Finance’s tweet, the hack put its deposited funds and vaults at risk. The platform tweeted that it has informed Circle and AnySwap of the hacker’s address, which should help freeze further fund transfers. However, the hacker is believed to have already started laundering the tokens through stablecoins. Rugdoc.io, a DeFi watchdog group, stated that Grim Finance should have used a reentrancy guard, and it hopes other projects can learn from Grim Finance’s hack.
The watchdog said companies should establish multi-million dollar projects if they are not able to prevent or tackle hacking. Rugdoc.io also advised against getting audits from useless companies. Grim Finance had used the services of Solidity Finance for its audit. Grim Finance tweeted that the hack was an advanced attack: the attacker used the beforeDeposit() function from the platform’s vault strategy by passing in a malicious token contract. Grim Finance pointed out that this can start 5 reentrancy loops from safeTransferFrom(), wherein in all 5 reentrancies the _pool value is set to the current balance(). The platform said that on the last safeTransferFrom() the reentrancy loop is broken, and the deposit can be moved to the strategy.
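The accounting flaw Grim Finance describes is easier to see in a small model than in a tweet. The following is an added illustration, not Grim Finance's code: a Python vault whose deposit records the pool balance, makes an external transfer call on a caller-supplied token, and then mints shares for the balance increase it observes. A malicious token re-enters deposit so that five frames are pending when the one real transfer lands, and every frame mints shares for the same increase. The same vault with a reentrancy guard (the fix Rugdoc.io recommended) rejects the nested call. All contract names, balances and amounts are constructed for the example.

```python
# Added illustration, not Grim Finance's code: a minimal Python model of the
# share-accounting flaw (a caller-supplied token contract that re-enters
# deposit before the real tokens arrive) and of the reentrancy guard that
# prevents it. All names, balances and amounts are constructed.


class ReentrancyError(Exception):
    """Raised by the guarded vault when deposit is re-entered (a revert on-chain)."""


class RealToken:
    """Honest ERC-20 stand-in: moves `amount` from `sender` to `recipient`."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, sender, recipient, amount, vault):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class MaliciousToken:
    """Attacker-controlled 'token': its transfer_from re-enters the vault.

    The first `loops - 2` calls re-enter deposit_for with this contract again;
    the next one re-enters with the real token, so a single real deposit lands
    underneath `loops` pending accounting frames.
    """

    def __init__(self, real, loops):
        self.real = real
        self.loops = loops
        self.calls = 0

    def transfer_from(self, sender, recipient, amount, vault):
        self.calls += 1
        token = self if self.calls < self.loops - 1 else self.real
        vault.deposit_for(token, amount, sender, sender)


class Vault:
    """Share vault: mints shares for the balance change it observes."""

    def __init__(self, want, guarded=False):
        self.want = want            # the one token the vault really holds
        self.guarded = guarded      # True = reentrancy guard enabled
        self._entered = False
        self.total_supply = 0
        self.shares = {}

    def balance(self):
        return self.want.balances.get("vault", 0)

    def deposit_for(self, token, amount, user, caller):
        if self.guarded and self._entered:
            raise ReentrancyError("deposit_for re-entered")
        self._entered = True
        try:
            pool = self.balance()             # _pool = balance() before the transfer
            token.transfer_from(caller, "vault", amount, self)  # untrusted external call
            received = self.balance() - pool  # every pending frame sees the same increase
            minted = received if self.total_supply == 0 else received * self.total_supply // pool
            self.total_supply += minted
            self.shares[user] = self.shares.get(user, 0) + minted
            return minted
        finally:
            self._entered = False


def redeemable(vault, user):
    """Tokens `user` could withdraw for their shares (pro rata, rounded down)."""
    if vault.total_supply == 0:
        return 0
    return vault.shares.get(user, 0) * vault.balance() // vault.total_supply


def run_scenario(guarded, loops=5, attack=True):
    """Alice deposits 1000 real tokens; the attacker then deposits 100 through the
    malicious token (or honestly when attack=False). Returns the outcome."""
    real = RealToken({"alice": 1000, "attacker": 100})
    vault = Vault(real, guarded=guarded)
    vault.deposit_for(real, 1000, "alice", "alice")   # honest deposit: 1000 shares
    token = MaliciousToken(real, loops) if attack else real
    reverted = False
    try:
        vault.deposit_for(token, 100, "attacker", "attacker")
    except ReentrancyError:
        reverted = True
    return {
        "reverted": reverted,
        "attacker_shares": vault.shares.get("attacker", 0),
        "attacker_redeemable": redeemable(vault, "attacker"),
        "total_supply": vault.total_supply,
        "vault_balance": vault.balance(),
    }


if __name__ == "__main__":
    for label, result in (("honest", run_scenario(False, attack=False)),
                          ("unguarded, 5 loops", run_scenario(False)),
                          ("guarded", run_scenario(True))):
        print(f"{label}: {result}")
```

In the unguarded run the attacker's 100 tokens mint 610 shares (each unwinding frame mints against a growing total supply), redeemable for 416 of the vault's 1100 tokens, against the 100 shares an honest deposit earns. With the guard on, the nested call raises and nothing is minted; on-chain this is the `nonReentrant` modifier from OpenZeppelin's ReentrancyGuard. A second, independent fix is for the vault to call transferFrom only on its own deposit token rather than on a caller-supplied address, which removes the malicious token contract from the picture entirely.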
The platform urged its clients to withdraw their funds immediately, saying a two-hour countdown window has started. Grim Finance is powered by the Fantom Opera blockchain.