He steals $1.7 million worth of cryptocurrency in one click thanks to a dumb bug

Same day, different hack – Crypto protocols (bridge, DeFi) are the regular targets of hackers, who are not idle, even in summer. Developers of smart contracts as holey as Swiss cheese are not idle either. Big errors in code leave some protocols vulnerable to unlikely attacks. After the Nomad hack ($190 million), here is the Reaper Farm, the broke reaper.

This is the story of a not very smart contract

The smart contract auditing firm Paladin revealed a few hours ago on Twitter a new hack in the ecosystem of decentralized finance (DeFi). This time it was Reaper Farm that saw more than $1.7 million siphoned off according to early estimates.

Although this sum is impressive, it seems negligible compared to other recent hacks. Of course, that doesn't make it any less serious. But the real gravity of the situation lies in the unthinkable weakness in the code of the Multi Strategy vault smart contract.

Indeed, according to Paladin, the hacker managed to pass himself off as the legitimate recipient of the withdrawals. The hack was made possible by the use of the ERC-4626 token standard, which lets a vault owner authorize other users to withdraw funds on their behalf; the contract did not verify that the caller was the owner or had that authorization. He exploited a blind spot left by the platform team.


The team reacts quickly and well

The official Reaper Farm Twitter account reacted in the late afternoon, less than twenty-four hours after identifying the attack. The team released a post-mortem detailing the first findings and immediately committed to reimbursing the affected users.

The team managed to save 10% of the funds locked in the Multi Strategy smart contract... by exploiting the flaw itself. This was perhaps the best option once the hack was identified. A commendable initiative, but unfortunately quite futile.

The ERC4626 token standard in question in the attack

The developers recognize their responsibility in this attack, linked to a lack of internal vigilance. According to @moonsdontburn (image above), three lines of code would have done the trick.
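To make the missing check concrete, here is an added example (not Reaper Farm's code, and written as a Python model rather than Solidity) of a minimal ERC-4626-style vault whose `withdraw(assets, receiver, owner)` function enforces the owner/allowance rule the article describes: a caller who is not the owner of the shares may only withdraw up to the share allowance that owner granted, and that allowance is consumed as it is used. The addresses (`alice`, `bob`, `mallory`), the `UNLIMITED` sentinel and the simplified share accounting are constructed for the illustration.

```python
"""Minimal ERC-4626-style vault model with the owner/allowance check on withdraw."""

# Constructed sentinel mirroring the "infinite approval" convention (type(uint256).max).
UNLIMITED = 2**256 - 1


class Vault:
    """Deposits mint shares pro rata; withdrawals burn shares and pay out assets."""

    def __init__(self):
        self.total_assets = 0
        self.total_shares = 0
        self.shares = {}          # owner -> share balance
        self.allowance = {}       # (owner, spender) -> shares the spender may burn for the owner
        self.asset_balances = {}  # receiver -> assets paid out by the vault (the asset token)

    def deposit(self, assets, receiver):
        # First depositor gets 1:1; later depositors get shares proportional to the pool.
        if self.total_shares == 0:
            shares = assets
        else:
            shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        self.shares[receiver] = self.shares.get(receiver, 0) + shares
        return shares

    def approve(self, owner, spender, shares):
        # The owner grants `spender` the right to burn up to `shares` of the owner's shares.
        self.allowance[(owner, spender)] = shares

    def preview_withdraw(self, assets):
        # Shares needed to withdraw `assets`, rounded up so the vault never overpays.
        if self.total_shares == 0:
            return assets
        return -(-assets * self.total_shares // self.total_assets)

    def withdraw(self, assets, receiver, owner, caller):
        """Burn `owner`'s shares and send `assets` to `receiver`, on behalf of `caller`.

        `caller` stands in for msg.sender. The block below is the authorization
        check: without it, anyone could name an arbitrary `owner` and redirect
        that owner's position to a `receiver` of their choosing.
        """
        shares = self.preview_withdraw(assets)
        if caller != owner:
            allowed = self.allowance.get((owner, caller), 0)
            if allowed < shares:
                raise PermissionError("caller is not the owner and lacks sufficient allowance")
            if allowed != UNLIMITED:
                self.allowance[(owner, caller)] = allowed - shares  # consume the allowance
        if self.shares.get(owner, 0) < shares:
            raise ValueError("owner does not hold enough shares")
        self.shares[owner] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        self.asset_balances[receiver] = self.asset_balances.get(receiver, 0) + assets
        return shares


def demo():
    """Run the two cases side by side: an unauthorized third party and an approved one."""
    vault = Vault()
    vault.deposit(1000, "alice")

    # Case 1: a third party names alice as owner and itself as receiver, with no approval.
    try:
        vault.withdraw(500, receiver="mallory", owner="alice", caller="mallory")
        unauthorized_blocked = False
    except PermissionError:
        unauthorized_blocked = True

    # Case 2: alice approves bob for 300 shares; bob withdraws 200 assets to himself.
    vault.approve("alice", "bob", 300)
    burned = vault.withdraw(200, receiver="bob", owner="alice", caller="bob")

    return {
        "unauthorized_blocked": unauthorized_blocked,
        "shares_burned": burned,
        "bob_allowance_left": vault.allowance[("alice", "bob")],
        "alice_shares": vault.shares["alice"],
        "bob_assets": vault.asset_balances["bob"],
    }


if __name__ == "__main__":
    print(demo())
```

The `if caller != owner` block is the only part that decides who may move whose funds; the rest is ordinary share accounting. Note that the allowance is denominated in shares and is decremented per withdrawal, so an approved operator cannot exceed what the owner granted even across several calls.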

A lack of external audits after the implementation of certain features, in particular the ERC-4626 integration, is cited. After a last-minute change (the audits had been carried out on the old technical-economic model), the necessary security work was not done.

For his part, the hacker sent funds to Binance Smart Chain and Ethereum bridges. He then mixed the stolen tokens in order to cover the tracks on the blockchain. The team announces that it will increase communications and that a reimbursement plan will be established after internal discussions.

