Blockchain security firm PeckShield revealed fresh vulnerabilities targeting decentralized finance (DeFi) projects on Aug. 9. According to the firm, Aave’s Earning Farm has been compromised by a reentrancy attack, resulting in the theft of at least $287,000 worth of Ether (ETH).
— PeckShield Inc. (@peckshield) August 9, 2023
A reentrancy attack is like tricking an ATM into giving you money multiple times before it realizes you have none left. This happens by sneaking in and out of a money request, fooling the system into granting an attacker more funds than it has available. Similarly, in computers, attackers exploit this trick to get more access or resources than they should by calling functions that interact with contracts repeatedly before the first function call is completed.
It’s unclear whether the attack relates to the exploits on Curve Finance’s pools. The DeFi protocol’s stable pools were also targeted by reentrancy attacks on July 30, draining over $61 million. The Curve hack was enabled by a vulnerability affecting three versions of the Vyper programming language, a common contract language widely used by developers on DeFi protocols.
Related: Curve-Vyper exploit: The whole story so far
Earning Farm is designed to be a user-friendly protocol for Ether, wrapped Bitcoin (wBTC) and USD Coin (USDC) holders. As stated on its website, the security firm Slowmist audited its blockchain contracts.
This isn’t the first time the protocol has been attacked. In October 2022, Earning Farm suffered two malicious hacks on its EFLeverVault through flash loan attacks, draining 750 ETH from the protocol. In flash loan attacks, the hacker borrows a large sum of cryptocurrency in a single transaction, manipulates its value through various transactions, and then pays back the loan — all within the same transaction. These attacks exploit price inconsistencies and temporary imbalances in the system to profit.
Magazine: Deposit risk: What do crypto exchanges really do with your money?