Steal $1.7 million worth of cryptocurrency in one click thanks to a silly bug

Same day, different hack – Crypto protocols (bridges, DeFi) are the regular targets of hackers, who do not rest, even in summer. The developers of smart contracts riddled with holes like Swiss cheese are not idle either. Gross errors in the code leave some protocols vulnerable to unlikely attacks. After the Nomad hack ($190 million), here is Reaper Farm, the green harvester.

This is the story of an unintelligent contract

Smart contract auditing firm Paladin revealed a new hack in the decentralized finance (DeFi) ecosystem a few hours ago on Twitter. This time it was Reaper Farm that saw more than $1.7 million stolen, according to first estimates.

While this sum is impressive, it seems negligible compared to other recent hacks. Of course, that doesn’t make it any less serious. But the real gravity of the situation lies in the unthinkable weakness of the code of the Multi-Strategy vault smart contract.

According to Paladin, the hacker managed to pass himself off as the legitimate recipient of the withdrawals. The hack was enabled by the use of the ERC-4626 token standard, which allows a user to authorize other accounts to withdraw funds on their behalf. He exploited a blind spot left by the platform team.


The team reacts quickly and well

Reaper Farm’s official Twitter account reacted in the late afternoon, less than 24 hours after the attack was spotted. The team released a post mortem specifying the first details and immediately committed to reimbursing affected users.

The team managed to save 10% of the funds locked in the Multi-Strategy smart contract… by exploiting the flaw itself. This was perhaps the best option once the hack had been identified. A commendable initiative, but unfortunately a rather futile one.

The ERC4626 token standard involved in the attack

The developers acknowledge their responsibility for this attack, which they link to a lack of internal vigilance. According to @moonsdontburn (image above), three lines of code would have done the trick.

A lack of external audits is cited for the implementation of some functionalities, in particular that of ERC-4626. After a last-minute change (the audits had been carried out on the old technical and economic model), the necessary safety measures were not taken.
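To make the blind spot concrete, here is an added illustration, not Reaper Farm’s code and not the exact patch the team applied, of an ERC-4626-style withdrawal that trusts its `owner` parameter, next to the hardened form that consumes an allowance when the caller is not the owner. The contract name `VaultSketch`, the function `withdrawUnchecked` and the 1:1 share-to-asset accounting are assumptions made to keep the authorization logic readable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative ERC-4626-style vault fragment (assumed sketch, not Reaper Farm's code).
// Shares and assets are kept 1:1 so that the authorization logic is the only thing to read.
contract VaultSketch {
    IERC20 public immutable asset;
    mapping(address => uint256) public balanceOf;                      // shares per owner
    mapping(address => mapping(address => uint256)) public allowance;  // owner => spender => shares
    event Withdraw(address indexed caller, address indexed receiver, address indexed owner, uint256 shares);

    constructor(IERC20 asset_) { asset = asset_; }

    function deposit(uint256 assets, address receiver) external {
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        balanceOf[receiver] += assets;
    }

    function approve(address spender, uint256 shares) external returns (bool) {
        allowance[msg.sender][spender] = shares;
        return true;
    }

    // VULNERABLE pattern: `owner` is trusted as given. Nothing ties msg.sender to the
    // shares being burned, so any caller can name another account as `owner`.
    function withdrawUnchecked(uint256 shares, address receiver, address owner) external {
        _burnAndPay(shares, receiver, owner);
    }

    // HARDENED pattern: when the caller is not the owner, an explicit allowance must
    // exist and is consumed first. This is the check ERC-4626 reference code performs.
    function withdraw(uint256 shares, address receiver, address owner) external {
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            require(allowed >= shares, "ERC4626: insufficient allowance");
            allowance[owner][msg.sender] = allowed - shares;
        }
        _burnAndPay(shares, receiver, owner);
    }

    function _burnAndPay(uint256 shares, address receiver, address owner) internal {
        require(balanceOf[owner] >= shares, "insufficient shares");
        balanceOf[owner] -= shares;                                     // burn the owner's shares
        require(asset.transfer(receiver, shares), "transfer failed");   // 1:1 payout to receiver
        emit Withdraw(msg.sender, receiver, owner, shares);
    }
}
```

The `if` block in `withdraw` is the kind of short guard the article refers to; an audit of any vault exposing the ERC-4626 `withdraw`/`redeem` signature should confirm that every path burning `owner`’s shares passes through it.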

For his part, the hacker sent the funds to the Binance Smart Chain and Ethereum bridges, then mixed the stolen tokens to cover his tracks on the blockchain. The team announces that it will step up communication and that a repayment plan will be established after internal discussions.
