Grim Finance(grim.finance) got hacked 2 hours ago
Estimated loss: $40mln
One of the attacking transactions: ftmscan.com/tx/0x19315e5b1…
Attack Analysis:
#FTM #ETH #BSC #GrimFinance #GrimExploit
1/4
Estimated loss: $40mln
One of the attacking transactions: ftmscan.com/tx/0x19315e5b1…
Attack Analysis:
#FTM #ETH #BSC #GrimFinance #GrimExploit
1/4
1) Grab a Flashloan for XXX & YYY tokens (WBTC-FTM e.g.)
2) Add liquidity on SpiritSwap
3) Mint SPIRIT-LPs
4) call depositFor() in GrimBoostVault with token==ATTACKER, user==ATTACKER
5)Leverage token.safeTransferFrom for re-entrancy
6) goto (4)
2/4
2) Add liquidity on SpiritSwap
3) Mint SPIRIT-LPs
4) call depositFor() in GrimBoostVault with token==ATTACKER, user==ATTACKER
5)Leverage token.safeTransferFrom for re-entrancy
6) goto (4)
2/4
7) In the last step on re-entrancy call depositFor() with token==SPIRIT-LP, user==ATTACKER
8) Amount of minted GB-XXX-YYY tokens is increased in every level of re-entrancy
9) Attacker ends up holding huge amount of GB-XXX-YYY tokens
3/4
8) Amount of minted GB-XXX-YYY tokens is increased in every level of re-entrancy
9) Attacker ends up holding huge amount of GB-XXX-YYY tokens
3/4
10) Withdraw GB tokens and get more SPIRIT-LP tokens back
11) Remove liquidity and get more XXX and YYY tokens
12) Repay Flashloan
4/4
11) Remove liquidity and get more XXX and YYY tokens
12) Repay Flashloan
4/4
• • •
Missing some Tweet in this thread? You can try to
force a refresh
