Grim Finance Hack—Dec 19, 2021—Detailed Analysis Report

Overview

Grim Finance, a DeFi protocol on the Fantom Opera blockchain, suffered a significant security breach on December 19, 2021, through a reentrancy attack, leading to a loss of approximately $30 million.

This advanced exploit involved the attacker obtaining tokens via a flash loan, manipulating the GrimBoostVault contract’s depositFor() function without proper validation checks, and subsequently withdrawing an inflated amount of collateral.

The exploit highlights critical vulnerabilities in smart contract design and the need for robust security measures in the DeFi ecosystem.

About Grim Finance

Grim Finance, a DeFi protocol specialized as a “compounding yield optimizer,” is designed to enhance yields for its users through automated investment strategies.

Launched on the Fantom Opera blockchain, it mirrors the functionalities of Ethereum’s Yearn.Finance, enabling users to deposit cryptocurrencies into various “vaults” for yield optimization.

Prior to the hack, Grim Finance had impressively amassed a total value locked (TVL) of $98.9 million, showcasing its significant footprint in the DeFi sector.

The protocol had also established noteworthy collaborations with multiple projects in the space, such as Tomb, Beefy, FTM Alerts, and SpiritSwap, further cementing its presence and influence within the decentralized finance community.

Root Cause of the Hack

Primary Reason for the Hack
The hack was primarily due to a vulnerability in the depositFor function of the GrimBoostVault contract. This function failed to validate the token addresses passed by users, lacking a reentrancy guard. Consequently, a malicious contract could reenter the depositFor() multiple times, manipulating the collateral.

Contract Address: 0xdefc385d7038f391eb0063c2f7c238cfb55b206c (GrimBoostVault)

What is a Reentrancy Hack?

In a reentrancy attack, a contract is tricked into calling an external contract multiple times before its first invocation is completed, leading to unexpected behaviors like draining funds.

Detailed Technical Analysis

Initial Steps of the Attack

Obtaining Initial Funds

• Flash Loan Acquisition: The attacker initiated the process by borrowing Wrapped Fantom (WFTM) and Bitcoin (BTC) tokens through a flash loan.
• Liquidity Provision: These borrowed tokens were then added to Spirit Swap, a decentralized exchange, to obtain Spirit-LP (Liquidity Provider) certificates. Exploiting Grim Finance

Using the Spirit-LP Certificates

• Collateral Deposit: The attacker used the obtained Spirit-LP certificates as collateral by interacting with Grim Finance’s GrimBoostVault contract through the depositFor() function.
• Function Mechanics: depositFor() allows a user to specify a token for deposit and transfers it to the Grim Boost Vault using safeTransferFrom(). The collateral is determined based on the value difference received by the policy pool before and after the transfer. Core of the Reentrancy Attack

Manipulating the depositFor() Function

• Bypassing Validity Checks: The depositFor() function lacked a crucial check for the validity of the specified funds, leading to the core vulnerability. The attacker exploited this by passing the address of their malicious contract as the token contract.
• Triggering Reentrancy: When GrimBoostVault called the transferFrom function of the malicious contract, the contract re-invoked depositFor(). This allowed multiple reentries into the vault, using the same collateral (SPIRIT-LP certificates) repeatedly.
• Artificial Collateral Inflation: Each reentry into the GrimBoostVault contract falsely inflated the collateral value, leading to an imbalance in the expected and actual tokens within the vault. Conclusion of the Attack

Withdrawing Excess Funds

• Exploiting Collateral Imbalance: The repeated reentries allowed the attacker to access more collateral than originally provided. This enabled them to withdraw an excessive amount of SPIRIT-LP liquidity certificates from the GrimBoostVault contract.
• Liquidation and Loan Repayment: The attacker then liquidated these SPIRIT-LP certificates back into WFTM and BTC tokens and used these to repay the initial flash loan, completing the fraudulent cycle. The attacker successfully exfiltrated approximately $30 million from Grim Finance through this sophisticated reentrancy attack.

Attacker’s Address: https://ftmscan.com/address/0xdefc385d7038f391eb0063c2f7c238cfb55b206c

Reference Attack Transaction: https://ftmscan.com/tx/0x19315e5b150d0a83e797203bb9c957ec1fa8a6f404f4f761d970cb29a74a5dd6

Stolen Fund Details

Fund Movement and Laundering

Laundering Activities: After the attack, the hacker engaged in the laundering of the stolen funds, primarily through stablecoin transfers. This included interactions with Fantom-based decentralized exchanges like SpookySwap, where they exchanged stolen tokens for stablecoins.

Transaction Trail: The hacker’s transaction history reveals a pattern of activity aimed at converting illicitly obtained assets into forms that are harder to trace and freeze.

Notification and Freezing Attempts

Immediate Actions: Grim Finance promptly alerted key entities in the crypto space about the breach and the attacker’s address. This included Circle (USDC), DAI, and AnySwap. The objective was to potentially freeze any further fund transfers and prevent the further movement of stolen assets.

Public Disclosure: Grim Finance disclosed these measures in a tweet, underscoring the urgency and gravity of the situation.

Hack Aftermath: Impact and Response

Vaults Paused: In response to the attack, Grim Finance initially paused all vaults to prevent further exploitation. This was a critical step to halt any additional unauthorized withdrawals or attacks leveraging the same vulnerability.

Reactivation of Vaults: Subsequent to the initial response, Grim Finance planned for selective reactivation of certain vaults. This was intended to allow users to safely withdraw their funds, recognizing that all funds deposited remained at risk due to the exploit being in the vault contract. Financial and Market Impact

Token Price Impact: The native token of Grim Finance, GRIM, suffered a massive loss in its market value, plummeting by approximately 70%. At the time of the report, the GRIM token was trading at around $0.23.

Total Value Locked (TVL): The TVL in Grim Finance witnessed a dramatic decrease from $98.9 million to a mere $4.2 million post-attack, highlighting the severe financial impact of the hack. Communications and External Support

Official Statements: Grim Finance issued statements via Twitter and other channels, describing the incident as an “advanced attack” and detailing their immediate and ongoing responses.

Community Support: Despite the hack, Grim Finance received expressions of support from various projects in the DeFi space, including Tomb, Beefy, FTM Alerts, and SpiritSwap. This support is crucial for recovery and rebuilding user trust.

Audit and Oversight: A third party auditor, which had audited Grim Finance’s contracts four months prior to the incident, issued an apology for missing the vulnerability. They noted a lapse in their review process, attributing it to a new analyst’s oversight during the CTO’s absence. Compensation and Future Measures

Compensation Plans: Grim Finance has the responsibility to compensate affected users, a task compounded by the significant financial loss and devaluation of its assets.

Security Enhancements: Moving forward, Grim Finance is expected to implement more stringent security measures, including more rigorous smart contract audits and enhanced monitoring protocols, to prevent similar exploits in the future.

Mitigation Steps to Avoid Such Hacks

Precautionary Measures:

1. Implementing thorough validation of user-input addresses in smart contracts.
2. Incorporating reentrancy guards in functions that interact with external contracts.
3. Regular and comprehensive security audits by experienced firms.
4. Continuous monitoring and updating of smart contract protocols to address new vulnerabilities.

Conclusion

The Grim Finance hack underlines the critical need for rigorous smart contract security, especially in the burgeoning DeFi sector.

The exploitation of a reentrancy vulnerability led to significant financial loss and a drop in user confidence. This incident serves as a reminder of the importance of comprehensive security practices, including blockhain and smart contract audit by reputable firms like ImmuneBytes, to identify and mitigate such vulnerabilities in the blockchain ecosystem.