Security incidents are still all too common in the world of decentralized finance. For example, DeFi protocol Grim Finance has lost $30 million in funds due to a security weakness in the deposit contract. An attacker leveraged the exploit five times to maximize their impact, further highlighting the risky nature of this industry.
Grim Finance Gets Exploited
It is not too uncommon to see DeFi protocols face security incidents. While such incidents are totally unacceptable, they keep happening time and time again. Without proper code audits and vetting, security will remain a pressing problem in decentralized finance. Moreover, every incident trips away any legitimacy this industry may have in the eyes of mainstream users. Something needs to change before things spiral out of control further.
One of the newer DeFi platforms, Grim Finance, experienced a reentry attack. More specifically, a culprit leveraged an exploit to affect platform deposits to their advantage. The hacker stole over $30 million in crypto assets through this approach. A preliminary report indicates that Grim Finance’s vault contract contained the loophole, which should have been audited and appropriately vetted before it was unveiled to the public.
While the culprit made their initial deposit, the reentry attack allowed them to trick the system into thinking they made another five deposits. However, funds were only transferred once, as the other five deposits are entirely fake. An attack of this magnitude is often problematic for a compounding yield optimizer. Moreover, it brings negative attention to the Fantom ecosystem, a blockchain that has gained strong DeFi momentum over the past few weeks.
The Grim Finance team paused all vaults to keep user funds safe after the attack. Moreover, users are advised to move their money off the platform entirely for the time being. It is unclear if and when the team will resume the services, although the analysis of this attack is not yet complete. Moreover, the team will try to freeze further funds transfers involving the stolen assets.
Will There Be A Recourse?
When exploits occur in the DeFi world, there are many unanswered questions. The first that comes to mind is whether or not Grim Finance will compensate affected users. A theft of $30 million is problematic, and it remains unclear if the attacker will eventually send the stolen funds back. Moreover, it raises the question of who is responsible for this attack: the Grim Finance team for not taking proper precautions or another entity for this incident.
5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token— Rugdoc.io (@RugDocIO) December 18, 2021
Not taking the necessary precautions is all too common in DeFi. No reentrancy guard and giving users more privileges than necessary creates a potent cocktail waiting to explore. Unfortunately, that will not help the affected users in the slightest. Getting back one’s stolen money may prove tricky for affected users.