Blockchain security firm PeckShield revealed fresh vulnerabilities targeting decentralized finance (DeFi) projects on Aug. 9. According to the firm, Aave protocol’s Earning Farm has been compromised by a reentrancy attack, resulting in the theft of at least $287,000 worth of Ether (ETH).
— PeckShield Inc. (@peckshield) August 9, 2023
A reentrancy attack is like tricking an ATM into giving you money multiple times before it realizes you have none left. This happens by sneaking in and out of a money request, fooling the system into granting an attacker more funds than it has available. Similarly, in computers, attackers exploit this trick to get more access or resources than they should by calling functions that interact with contracts repeatedly before the first function call is completed.
It’s unclear if the attack relates to the exploits on Curve Finance’s pools. The DeFi protocol’s stable pools were also targeted by reentrancy attacks on July 30, draining over $61 million. The Curve hack was enabled by a vulnerability affecting three versions of the Vyper programming language, a common contract language widely used by developers on DeFi protocols.
Earning Farm is designed to be a user-friendly protocol for Ether, wrapped Bitcoin, (wBTC) and USD Coin (USDC) holders. As stated on its website, the security firm Slowmist audited its blockchain contracts.
This isn’t the first time the protocol has been attacked. In October 2022, Earning Farm suffered two malicious hacks on its EFLeverVault through flash loan attacks, draining 750 Ether from the protocol. In flash loan attacks, the hacker borrows a large sum of cryptocurrency in a single transaction, manipulates its value through various transactions, and then pays back the loan — all within the same transaction. These attacks exploit price inconsistencies and temporary imbalances in the system to profit.