Auditors of the decentralized finance (DeFi) platform Grim Finance, which was exploited for USD 30m worth of digital assets on Sunday, claim that a new analyst had conducted the protocol’s audit while their Chief Technology Officer (CTO) was on vacation.
On December 19, Grim Finance informed users that the project was exploited by an external hacker. “The attacker attacked using the function titled beforeDeposit() from our vault strategy entering a malicious token contract,” the team detailed.
Approximately four months ago, Grim Finance was audited by Solidity Finance, a smart contract auditing service. The service said that the issue slipped through their auditing process as they were overwhelmed by the number of projects and busy onboarding new analysts.
“When conducting the Grim Finance audit ~4 months ago, our firm was experiencing rapid growth and hiring. This audit was performed by an analyst who was new to the team & while our CTO was on vacation; and unfortunately this issue was not caught in our peer review process,” Solidity Finance said.
According to Rugdoc.io, a DeFi watchdog, the Grim Finance hacker used a reentrancy attack, faking additional deposits into a vault while an initial transaction was still going. This way, they managed to withdraw more funds than they had truly deposited into the vault.
Rugdoc.io also criticized Grim Finance over its weak security measures, suggesting that the project should have used a reentrancy guard, which can prevent more than one function from being executed at a time by locking the contract.
“Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand,” Rugdoc.io tweeted. “If you haven’t acquired this yet, don’t build multi-million dollar projects. Don’t get audits from companies which everyone knows are useless.”
Following the hack, the Grim Finance team said that the vaults have been paused “to prevent any future funds from being placed at risk” and recommended users withdraw their funds as all of the vaults and deposited funds are at risk.
“We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers,” the team said.
Meanwhile, the project’s native token GRIM plunged by 81.2% at the early hours of the hack, falling from nearly USD 0.8 to USD 0.15, according to CoinGecko. At 10:07 UTC, the coin is up 3.3% over the past 24 hours, and down 55% over the past week, trading at USD 0.25.