Grim Finance Hacked: 600 Million in Crypto Stolen in December

December 19, 2021

Key Findings

  • Over $600 million in cryptocurrency stolen in platform attacks in the first three weeks of December from BadgerDAO, BitMart, AscendEX, Vulcan Forged, and Grim Finance.
  • Cross-chain swaps and Tornado Cash dominated on-chain movements by attackers.
  • Attackers continue to target crypto platforms as 2021 comes to a close through phishing and contract exploits.

Decentralized Finance (DeFi) platform Grim Finance announced on the evening of December 18, 2021, that it had suffered a hack resulting in over $30 million in losses. This is the third hack in the last week and the fifth for the month of December, bringing total losses to over $600 million.

The official Grim Finance announcement (Source: Twitter)

Analysis by Grim Finance identified that the platform compromise was carried out by an advanced attacker.

“The attacker attacked using the function titled beforeDeposit() from our vault strategy entering a malicious token contract. The attacker created a malicious token contract that executed five reentrancy loops from safeTransferFrom(), where in all 5 reentrancies, the _pool value is set to the current balance(). On the last safeTransferFrom(), the reentrancy loop is broken, and some want can be transferred to the strategy, which will increase the _amount to put the vault in a state to mint shares. On the unwinding of the 5 reentrancies, each loop will see that the _amount is not 0, and mint the corresponding shares, mint the same share count 5x (the number of reentrancy loops).”
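The accounting flaw described in the statement above can be reproduced in a small model. This is an added example, not Grim Finance's contract code: the Python class and method names, the 1:1 share pricing, the starting balance and the reentrancy lock used as the mitigation are all assumptions made for illustration.

```python
class Vault:
    """Toy model of the deposit accounting in the quote; not Grim Finance's contract."""
    def __init__(self, guarded):
        self.guarded = guarded   # True enables a reentrancy lock (the mitigation)
        self.locked = False
        self.want = 1000         # constructed: "want" already held, i.e. balance()
        self.shares = {}         # holder -> shares
    def balance(self):
        return self.want

    def deposit(self, token, amount, user):
        if self.guarded and self.locked:
            raise RuntimeError("reentrant deposit rejected")
        self.locked = True
        try:
            pool = self.balance()                         # _pool snapshot
            token.safe_transfer_from(user, self, amount)  # external call to caller-chosen token
            measured = self.balance() - pool              # _amount as this frame sees it
            if measured > 0:
                # Assumption: shares are minted 1:1 with the measured amount.
                self.shares[user] = self.shares.get(user, 0) + measured
        finally:
            self.locked = False

class WantToken:
    """Well-behaved token: the transfer moves `amount` of want into the vault."""
    def safe_transfer_from(self, sender, vault, amount):
        vault.want += amount

class ReentrantToken:
    """Stand-in for a caller-supplied token whose transfer hook calls back into deposit()."""
    def __init__(self, real_want, frames):
        self.real_want, self.frames, self.depth = real_want, frames, 0
    def safe_transfer_from(self, sender, vault, amount):
        self.depth += 1
        if self.depth < self.frames:
            vault.deposit(self, amount, sender)  # nested frame snapshots the same _pool
        else:
            vault.want += self.real_want         # innermost call: real want arrives once

def run(guarded, token, amount=100):
    """Return (outcome, shares minted to the depositor, want held by the vault)."""
    vault = Vault(guarded)
    try:
        vault.deposit(token, amount, "depositor")
        outcome = "ok"
    except RuntimeError:
        outcome = "reverted"
    return outcome, vault.shares.get("depositor", 0), vault.want
```

Without the lock, every nested frame measures the same balance increase, so one transfer of 100 want is credited five times; with the lock, the first nested call fails and nothing is minted.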

Approximately one hour before the malicious token contract was created, the attacker funded both Ethereum (ETH) and Binance Smart Chain (BSC) wallets from Tornado Cash. The attacker bridged the crypto stolen from Grim Finance from the Fantom mainnet to the ETH mainnet for USDC and DAI.

Cross-chain analytics within TRM’s Forensics platform (Source: TRM)

In addition to the inbound stolen funds bridged from the Fantom mainnet, an unknown individual sent a message to the attacker via BSC warning that wallets associated with the attacker were blacklisted.

A message sent to the attacker embedded within a BSC transaction (Source: FTMScan)

In what may be a first, the same unknown individual created a token on BSC called “BECAREFUL YOU WAS BLACKLISTED.” The attacker currently holds the “BECAREFUL YOU WAS BLACKLISTED” token.

TRM will continue to monitor on-chain attacker flows and update our systems so that TRM partners are automatically alerted of any exposure.

TRM Labs is the only tool with cross-chain analytics, which enables investigators to view cross-chain swaps and multiple flows within one graph. Investigators can move seamlessly across blockchains to trace the flow of funds, visualize multi-layer relationships and drastically reduce investigation time with our proprietary technology for automated tracing. For more information, or to report leads, contact us at investigations@trmlabs.com. Subscribe to our weekly insights here.
