Full Report
Gnosis Chain's native token xDAI contains a non-standard hook, callAfterTransfer. This surprised many protocols and led to security issues down the road. Hundred Finance is a fork of Compound. It does not implement the checks-effects-interactions pattern that is recommended to prevent reentrancy, even though its code mentions it. Because of this and the hook, a reentrancy attack is possible. First, the attacker deposited 2 million as collateral in one asset. Then they borrowed against that collateral - 1.5 million. However, the variable tracking a user's borrowed amount is updated after the transfer. Since the transfer fires the hook, the attacker can re-enter the smart contract before the user's borrowed amount has been updated. As a result, the attacker can re-enter the contract and borrow funds from a different asset. Repeating this lets them borrow more than their collateral covers. Agave is a fork of Aave. Although Aave tries to follow the checks-effects-interactions pattern, one code path was not secure against this. Why isn't Aave itself vulnerable, then? Aave governance actively checks for reentrancy bugs before listing tokens on mainnet. Overall, a silly issue in a standard token. Defense in depth matters!
Analysis Summary
# Incident Report: Reentrancy Exploitation of Agave and Hundred Finance
## Executive Summary
Agave (an Aave fork) and Hundred Finance (a Compound fork) were exploited on the Gnosis Chain due to a reentrancy vulnerability triggered by the non-standard xDAI bridged token. Attackers leveraged the `callAfterTransfer` hook in the xDAI token to bypass collateral checks and borrow assets far exceeding their deposited value. The incident resulted in significant liquidity drainage from both protocols.
## Incident Details
- **Discovery Date:** March 15, 2022 (approximate, based on public disclosure)
- **Incident Date:** March 15, 2022
- **Affected Organization:** Agave, Hundred Finance
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Gnosis Chain (formerly xDAI)
## Timeline of Events
### Initial Access
- **Date/Time:** March 15, 2022
- **Vector:** Exploitation of a non-standard ERC-20 hook.
- **Details:** The attacker used a smart contract to interact with xDAI. Because xDAI implements a `callAfterTransfer` hook, every transfer of the token notifies the receiver, which lets a receiving contract run arbitrary code in the middle of the transfer.
### Lateral Movement
- **Mechanism:** Cross-Contract Reentrancy.
- **Details:** The attacker deposited 2 million in collateral to Hundred Finance. While borrowing assets, the protocol’s failure to implement the Checks-Effects-Interactions (CEI) pattern meant the `borrowAmount` variable was updated *after* the token transfer. The attacker used the `callAfterTransfer` hook to re-enter the contract and borrow against the same collateral multiple times before the first balance update was recorded.
### Data Exfiltration/Impact
- **Assets Stolen:** Multiple crypto-assets (including WBTC, WETH, and USDC) were drained from the lending pools of both Agave and Hundred Finance.
- **Impact:** The protocols were rendered insolvent as the "borrowed" amounts exceeded the value of the collateral provided by the attacker.
### Detection & Response
- **Discovery:** Flagged by security researchers (including Mudit Gupta) and automated on-chain monitoring.
- **Response Actions:** Public disclosure via social media to warn other protocols on Gnosis Chain; pausing of markets where possible.
## Attack Methodology
- **Initial Access:** Smart contract interaction via Gnosis Chain.
- **Persistence:** Not applicable; the attack was execution-based via atomic transactions.
- **Privilege Escalation:** Exploited logic flaws to gain "infinite" borrowing power.
- **Defense Evasion:** Used the legitimacy of the official xDAI bridge token to bypass standard security assumptions.
- **Discovery:** Attacker identified that Hundred Finance (Compound fork) and Agave (Aave fork) did not account for the non-standard behavior of the native bridge token.
- **Impact:** Reentrancy-driven drainage of liquidity pools.
## Impact Assessment
- **Financial:** Total losses exceeded $11 million across both protocols ($6M+ for Agave, ~$5M for Hundred Finance).
- **Data Breach:** None (on-chain transaction data is public).
- **Operational:** Both protocols were forced to halt operations and markets on the Gnosis Chain.
- **Reputational:** High; highlighted the risks of forking protocols without adapting to the specific architectural nuances of new chains.
## Indicators of Compromise
- **Behavioral Indicators:** Multiple `borrow` calls within a single transaction originating from a single caller; high-frequency interactions with the xDAI `callAfterTransfer` hook.
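The behavioral indicator above (repeated `borrow` calls from one caller inside a single transaction) can be separated from legitimate batched borrowing by looking at call nesting. This is an added detection sketch, not part of the report; the trace records and their field layout are constructed and the contract labels are placeholders.

```python
# Added detection sketch (not from the report): flag borrow() calls that are
# made while another borrow() by the same caller is still on the call stack
# of the same transaction. Trace records below are constructed, and the
# (tx_hash, depth, caller, callee, function) layout is an assumed format.
from collections import defaultdict

TRACE = [
    ("0xaaa", 0, "0xattacker", "market-USDC", "borrow"),
    ("0xaaa", 1, "market-USDC", "xDAI", "transfer"),
    ("0xaaa", 2, "xDAI", "0xattacker", "callAfterTransfer"),
    ("0xaaa", 3, "0xattacker", "market-WBTC", "borrow"),  # re-entered borrow
    ("0xaaa", 4, "market-WBTC", "xDAI", "transfer"),
    ("0xbbb", 0, "0xuser", "market-USDC", "borrow"),      # benign batch:
    ("0xbbb", 1, "market-USDC", "xDAI", "transfer"),
    ("0xbbb", 0, "0xuser", "market-WBTC", "borrow"),      # sequential, not nested
    ("0xbbb", 1, "market-WBTC", "xDAI", "transfer"),
]


def find_reentrant_borrows(trace, sensitive=("borrow",)):
    """Return {tx_hash: count} of sensitive calls issued while an earlier
    sensitive call by the same caller in the same tx has not yet returned."""
    hits = defaultdict(int)
    stack = []  # open frames of the current tx as (depth, caller, function)
    current_tx = None
    for tx, depth, caller, _callee, func in trace:
        if tx != current_tx:  # a new transaction starts with an empty stack
            current_tx, stack = tx, []
        while stack and stack[-1][0] >= depth:  # frames at >= depth returned
            stack.pop()
        if func in sensitive and any(
            f in sensitive and c == caller for _, c, f in stack
        ):
            hits[tx] += 1  # nested borrow by the same caller: reentrancy
        stack.append((depth, caller, func))
    return dict(hits)
```

Sequential borrows at the same depth (tx `0xbbb`) pop the earlier frame and are not flagged; only the borrow nested under the hook (tx `0xaaa`) is.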
## Response Actions
- **Containment:** Protocols paused borrowing and lending functions to prevent further drainage.
- **Eradication:** Identification of the vulnerable code paths (non-CEI compliant functions).
- **Recovery:** Governance discussions regarding debt repayment and potential restarts of the markets.
## Lessons Learned
- **Key Takeaways:** Forking successful protocols (Compound/Aave) is dangerous if the underlying chain's infrastructure (like non-standard bridge tokens) differs from the original environment (Ethereum Mainnet).
- **Implementation Failures:** Even when code comments mention "Checks-Effects-Interactions," failing to strictly follow the pattern in the logic layer creates critical vulnerabilities.
## Recommendations
- **Strict CEI Adherence:** Ensure all state changes (updating borrow balances) occur before external calls (token transfers).
- **Protocol-Chain Awareness:** Conduct thorough audits of native chain tokens (e.g., xDAI, ERC-777, or bridged assets) before listing them as collateral.
- **Defense in Depth:** Implement reentrancy guards (`nonReentrant` modifiers) on all sensitive functions in addition to governance-level token reviews (like those used by Aave), so that neither layer has to be the only thing standing between the protocol and a non-standard token.
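The borrow ordering described under Lateral Movement and the CEI fix recommended above, modelled as an added Python example (not protocol code). The market, hook token, attacker contract, collateral factor and pool liquidity are all constructed, and the model simplifies to a single borrowed asset.

```python
# Model of the Agave / Hundred Finance reentrancy (constructed example, not
# protocol code): borrow() moves funds before recording the debt, and the
# token's transfer() calls the receiver back, like xDAI's callAfterTransfer.
COLLATERAL_FACTOR = 0.75  # assumed: borrow up to 75% of collateral value

class HookToken:
    def __init__(self, pool, liquidity):
        self.balances = {pool: liquidity}  # the market holds the pool funds
    def transfer(self, sender, receiver, amount):
        assert self.balances.get(sender, 0) >= amount, "insufficient balance"
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        if hasattr(receiver, "call_after_transfer"):
            receiver.call_after_transfer(amount)  # non-standard hook fires

class Market:
    def __init__(self, cei):
        self.cei, self.collateral, self.borrowed = cei, {}, {}
        self.token = HookToken(self, 100_000_000)  # constructed liquidity
    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount
    def borrow(self, user, amount):
        limit = self.collateral.get(user, 0) * COLLATERAL_FACTOR  # Check
        if self.borrowed.get(user, 0) + amount > limit:
            raise ValueError("insufficient collateral")
        if self.cei:  # Effect before Interaction: debt is recorded first
            self.borrowed[user] = self.borrowed.get(user, 0) + amount
        self.token.transfer(self, user, amount)  # Interaction: may re-enter
        if not self.cei:  # vulnerable ordering: debt recorded after the call
            self.borrowed[user] = self.borrowed.get(user, 0) + amount

class Attacker:  # receiver contract that calls borrow() again from the hook
    def __init__(self, market, reentries):
        self.market, self.reentries = market, reentries
    def call_after_transfer(self, amount):
        if self.reentries > 0:
            self.reentries -= 1
            try:  # like Solidity try/catch: a rejected re-entry leaves the
                self.market.borrow(self, amount)  # outer borrow() intact
            except ValueError:
                pass

def run(cei, collateral=2_000_000, loan=1_500_000, reentries=3):
    """Return what the attacker holds after one top-level borrow() call."""
    market = Market(cei)
    attacker = Attacker(market, reentries)
    market.deposit(attacker, collateral)
    market.borrow(attacker, loan)
    return market.token.balances.get(attacker, 0)
```

With the vulnerable ordering the three re-entries each pass the collateral check because the debt is still zero, so 2 million of collateral yields 6 million borrowed; with CEI ordering the first re-entry is rejected and the attacker gets exactly the 1.5 million the collateral covers.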