{"id":416812,"date":"2022-03-16T08:39:51","date_gmt":"2022-03-16T05:39:51","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/unlucky-agave-and-hundred-finance-defi-protocols-exploited-for-11m\/"},"modified":"2022-03-16T08:39:51","modified_gmt":"2022-03-16T05:39:51","slug":"unlucky-agave-and-hundred-finance-defi-protocols-exploited-for-11m","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/unlucky-agave-and-hundred-finance-defi-protocols-exploited-for-11m\/","title":{"rendered":"# \u2018Unlucky\u2019: Agave and Hundred Finance DeFi protocols exploited for $11M"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_%E2%80%98Unlucky_Agave_and_Hundred_Finance_DeFi_protocols_exploited_for_11M_%E2%80%9C\"><\/span>\u2018Unlucky\u2019: Agave and Hundred Finance DeFi protocols exploited for $11M<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDMvMDUwMjIxNzgtMzkxMy00N2EwLTgzYWQtMWE0NTg5NWMxZGFkLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>A hacker has made off with approximately <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/blockscout.com\/xdai\/mainnet\/block\/21120284\/transactions\">$11 million<\/a> in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI after using a \u201cre-entrancy\u201d attack on DeFi lending protocol applications Agave and Hundred Finance.<\/p>\n<p>The attack comes within 24 hours of news breaking of the Deus Finance exploit, where hackers stole over $3 million in Dai and Ethereum from the lending contract platform.<\/p>\n<p>Agave\u2019s token, AGVE, dropped by 20 per cent following the attack, according to 
data from CoinGecko. Hundred Finance\u2019s token, HND, fell 3.5 per cent after it announced the exploit; however, it has since recovered to hit a 24-hour high.<\/p>\n<p>\u201cAgave is currently investigating an exploit on the agave finance protocol\u201d, Agave <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Agave_lending\/status\/1503725275917565954\">tweeted<\/a> on Tuesday 15th at 1:30pm UTC, \u201cWe will update you as soon as we know more.\u201d It noted that the contracts have been paused until the situation is resolved.<\/p>\n<p>The Hundred Finance team also <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/HundredFinance\/status\/1503754916300476420\">tweeted<\/a> that it was exploited on Gnosis Chain and had paused its markets while it pursued investigations.<\/p>\n<p>According to on-chain analysis, the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0x0a16a85be44627c10cee75db06b169c7bc76de2c\">address<\/a> associated with the attacker has sent over 2,100 ETH, worth over $5.5 million, to a crypto mixer in an attempt to launder the stolen tokens.<\/p>\n<p><strong><em>Related:<\/em><\/strong> <strong><em>Deus Finance exploit: Hackers get away with $3M worth of DAI and Ether<\/em><\/strong><\/p>\n<p>Solidity developer and creator of an NFT liquidity protocol app, Shegen (@shegenerates) tweeted that she lost $225,000 in the exploit, and that her investigations revealed the attack worked by exploiting a wETH contract function on Gnosis Chain that allowed the attacker to continue borrowing crypto before the apps could calculate the debt, which would prevent further borrowing.<\/p>\n<p>The attacker ran this exploit, continually borrowing against the same collateral they were posting until the funds were drained from the protocols.<\/p>\n<p>Shegen told Cointelegraph that the smart contract on Agave is essentially the same as Aave, which secures $18.4B; \u201cevery security researcher has audited it,\u201d she said, \u201cso it\u2019s reasonable to assume the contract is safe.\u201d<\/p>\n<p>\u201cI think this hack stands out more than some bigger ones,\u201d Shegen said, noting that even if it&#8217;s a smaller hack compared to others that stole millions more, the similarity to Aave meant \u201cit seems top tier safe, but wasn&#8217;t, and that break of trust hurts.\u201d<\/p>\n<blockquote><p>\u201cIt\u2019s like you can&#8217;t even trust \u201csafe\u201d code.\u201d<\/p><\/blockquote>\n<p>Blockchain security researcher Mudit Gupta <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Mudit__Gupta\/status\/1503783647903576065\">says<\/a> the difference between Aave and Agave is that \u201cAave actively checks for re-entrancy before listing tokens on the main net to avoid similar attacks.\u201d<\/p>\n<p>Shegen stated that she did not blame the Agave developers for failing to prevent the attack.<\/p>\n<p>\u201cAgave was used in an unsafe way\u201d, she said, \u201cmaybe the developer should not have allowed tokens with callbacks in them to be used in the platform, or added more re-entrancy guards.\u201d<\/p>\n<blockquote><p>\u201cCurve, for example, was not hacked today, because it has extra re-entrancy guards, but I don&#8217;t really blame Luigy and the Agave team because it&#8217;s so unlikely that this would have happened, and slipped past many people.\u201d<\/p><\/blockquote>\n<p>Shegen also didn\u2019t point the blame at Gnosis for creating tokens with a callback function which the hacker exploited, saying that the feature stops users from accidentally losing their crypto.
<\/p>\n<p>\u201cThat&#8217;s actually a great feature for bridged tokens, it&#8217;s just a really unfortunate, and unlucky circumstance in my opinion.\u201d<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/unlucky-agave-and-hundred-finance-defi-protocols-exploited-for-11m\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; \u2018Unlucky\u2019: Agave and Hundred Finance DeFi protocols exploited for $11M &#8220; A hacker has made off with approximately $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI after using a \u201cre-entrancy\u201d attack on DeFi lending protocol applications Agave and Hundred Finance. 
The attack comes within 24 hours of news breaking&#8230;<\/p>\n","protected":false},"author":1,"featured_media":416813,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDMvMDUwMjIxNzgtMzkxMy00N2EwLTgzYWQtMWE0NTg5NWMxZGFkLmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74868,74891,74882,70944],"class_list":["post-416812","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-defi","tag-ethereum","tag-hacks","tag-hackers"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/416812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=416812"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/416812\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/416813"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=416812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=416812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=416812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}