{"id":383546,"date":"2021-12-20T11:58:00","date_gmt":"2021-12-20T08:58:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/defi-protocol-grim-finance-lost-30m-in-5x-reentrancy-hack\/"},"modified":"2021-12-20T11:58:00","modified_gmt":"2021-12-20T08:58:00","slug":"defi-protocol-grim-finance-lost-30m-in-5x-reentrancy-hack","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/defi-protocol-grim-finance-lost-30m-in-5x-reentrancy-hack\/","title":{"rendered":"# DeFi protocol Grim Finance lost $30M in 5x reentrancy hack"},"content":{"rendered":"

# DeFi protocol Grim Finance lost $30M in 5x reentrancy hack <\/strong>”
\n<\/p>\n

The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform\u2019s deposits.<\/p>\n

Grim Finance officially announced<\/a>\u00a0on Dec. 18 that an \u201cexternal attacker\u201d had exploited the DeFi platform, stealing \u201cover $30 million\u201d worth of cryptocurrencies.<\/p>\n

According to Grim Finance, the hack was an \u201cadvanced attack,\u201d with the attacker exploiting the protocol\u2019s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.<\/p>\n

Grim paused all vaults after the attack to minimize the risk for future funds: \u201cWe have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immedia<\/a>tely.\u201d<\/p>\n

Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.<\/p>\n

Grim Finance positions itself as a \u201ccompounding yield optimizer\u201d built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.<\/p>\n

According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued<\/a> transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.<\/p>\n

Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user \u201cmore privilege than is necessary.\u201d <\/p>\n

\n

5) So what was the big mistake of grim finance?
1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec<\/a> always points this out)
2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token<\/p>\n

\u2014 Rugdoc.io (@RugDocIO) December 18, 2021<\/a><\/p><\/blockquote>\n