
Grim Finance Hacked for $30 Million in Fantom Tokens

Grim Finance is the latest DeFi protocol to be hit by an exploit.


In brief

  • Grim Finance is a "compounding yield optimizer" built on the Fantom Opera blockchain.
  • It was the target of a multimillion-dollar exploit Saturday.

What, did you expect something named "Grim" to deliver good news?

Grim Finance, a DeFi protocol, was hacked for $30 million worth of tokens Saturday, it confirmed, in an "advanced attack." According to a tweet from the project, "The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk."

Grim calls itself a "compounding yield optimizer," meaning it promises to wring extra value from liquidity provider tokens that users receive from decentralized exchanges if they lock them up in a Grim vault. Grim touts in its protocol documentation, "Helping users reap more rewards, hassle-free."

The protocol is built atop the Fantom Opera blockchain, a smart contract-enabled platform that is built using the Solidity language and is compatible with Ethereum. The hacker used a reentrancy attack, an exploit that allows someone to fake additional deposits into a vault while an initial transaction is still in progress, thereby tricking the protocol.

"We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers," Grim tweeted, but the attacker has already been busy laundering the ill-gotten funds through stablecoin transfers.

Rugdoc.io, a DeFi watchdog group of smart contract auditors and investors, says Grim Finance should have known better and used a reentrancy guard.

"Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand," it tweeted. "If you haven't acquired this yet, don't build multi-million dollar projects. Don't get audits from companies which everyone knows are useless."

Grim shared an audit of its finance token and vault contracts from Solidity Finance. According to Solidity Finance's report, "ReentrancyGuard is used in relevant locations to preent [sic] reentrancy attacks."
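The reentrancy problem and the guard described above can be shown with a small Python model. This is an added example, not Grim Finance's contract code: the `Vault` class, the transfer callbacks and the rule that the vault credits whatever balance increase it sees across an external call are all assumptions made for illustration.

```python
# Constructed toy model of a vault deposit path (not Grim Finance's contract).
# Assumption: the vault credits a depositor with the balance increase it
# observes across an external transfer call.

class ReentrantCall(Exception):
    """Raised when deposit() is entered while a deposit is still in progress."""

class Vault:
    def __init__(self, guarded):
        self.guarded = guarded   # True = reentrancy guard enabled
        self.entered = False     # guard flag, held for the duration of deposit()
        self.balance = 0         # tokens the vault really holds
        self.credited = {}       # deposits recorded per user

    def deposit(self, user, transfer):
        if self.guarded and self.entered:
            raise ReentrantCall("deposit() re-entered")
        self.entered = True
        try:
            before = self.balance
            transfer(self)       # external call: control leaves the vault here
            gained = self.balance - before
            self.credited[user] = self.credited.get(user, 0) + gained
            return gained
        finally:
            self.entered = False

def honest_transfer(amount):
    def transfer(vault):
        vault.balance += amount  # tokens really arrive
    return transfer

def reentering_transfer(user, amount):
    # Moves no tokens itself; calls deposit() again while the first is open.
    def transfer(vault):
        vault.deposit(user, honest_transfer(amount))
    return transfer

def run(guarded):
    """Return (tokens held, deposits credited, whether the guard fired)."""
    vault = Vault(guarded)
    try:
        vault.deposit("user", reentering_transfer("user", 100))
        blocked = False
    except ReentrantCall:
        blocked = True
    return vault.balance, vault.credited.get("user", 0), blocked

if __name__ == "__main__":
    print("unguarded:", run(False))  # credited exceeds tokens held
    print("guarded:  ", run(True))   # nested call rejected, nothing credited
```

Without the guard the vault holds 100 tokens but records 200 in deposits; with the guard the nested call fails and the whole deposit is rejected, which is the behavior a `nonReentrant`-style modifier gives a Solidity function.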

As of Sunday afternoon, all deposits into Grim Finance vaults remain paused to prevent further theft.
