Grim Finance Hacked: 600 Million in Crypto Stolen in December

‍

Key Findings

• Over $600 million in cryptocurrency stolen in platform attacks in the first three weeks of December from BadgerDAO, BitMart, AscendEX, Vulcan Forged, and Grim Finance.
• Cross-chain swaps and Tornado Cash dominated on-chain movements by attackers.
• Attackers continue to target crypto platforms as 2021 comes to a close through phishing and contract exploits.

‍

Decentralized Finance (DeFi) platform Grim Finance announced on the evening of December 18, 2021, that it suffered a hack resulting in over $30 million in losses. This is the third hack in the last week and the fifth for the month of December bringing total losses to over $600 million.

‍

Analysis by Grim Finance identified the platform compromise was carried out by an advanced attacker.

“The attacker attacked using the function titled beforeDeposit() from our vault strategy entering a malicious token contract. The attacker create a malicious token contract that executed five reentrancy loops from safeTransferFrom(), where in all 5 rentrancy, the _pool value is set to the current balance(). On the last safeTransferFrom(), the rentrancy loop is broken, and some want can be transferred to the strategy, which will increase the _amount to put the vault in a state to mint shares. On the unwinding of the 5 rentrancies, each loop will see that the _amount is not 0, and mint the corresponding shares, mint the same share count 5x (the number of rentrancy loops).”

Approximately one hour prior to the malicious token contract was created, the attacker funded both Ethereum (ETH) and Binance Smart Chain (BSC) wallets from Tornado Cash. The attacker bridged the stolen crypto from Grim Finance from the Fantom Mainnet to the ETH mainnet for USDC and DAI.

‍

In addition to the inbound stolen funds bridged from Fantom mainnet, an unknown individual sent a message to the attacker via BSC to alert that wallets associated with the attacker were blacklisted.

‍

In what may be a first, the same unknown individual created a token on BSC called “BECAREFUL YOU WAS BLACKLISTED.” The attacker currently holds the “BECAREFUL YOU WAS BLACKLISTED” token.

TRM will continue to monitor on-chain attacker flows and update our systems so that TRM partners are automatically alerted of any exposure.

TRM Labs is the only tool with cross-chain analytics, which enables investigators to view cross chain swaps and multiple flows within one graph. Investigators can move seamlessly across blockchains to trace the flow of funds, visualize multi-layer relationships and drastically reduce investigation time with our proprietary technology for automated tracing. For more information, or to report leads contact us at investigations@trmlabs.com. Subscribe to our weekly insights here.