Grim Finance Suffers Reentrancy Attack, Loses $30M

  • By exploiting the protocol’s vault contract, the hacker made five deposits into the vault while the first was still being processed.
  • The project quickly paused its vaults, but not before the attacker stole around $30 million worth of digital assets, causing Grim Finance’s TVL to fall to $4 million.

Decentralized finance (DeFi) protocol Grim Finance has suffered a reentrancy exploit that saw the platform lose $30 million in assets, Grim Finance revealed via Twitter on 19 December.

According to the announcement, the hacker used an “advanced attack” to exploit the protocol’s vault contract using five reentrancy loops, which allowed him to make five deposits into a vault while the platform was still processing the first deposit. Upon discovering the attack, Grim Finance quickly paused all of its vaults to prevent further damage, but the attacker’s address already held over $30 million worth of stolen assets. The platform tweeted on Sunday:

The platform — which allows users to stake liquidity provider tokens on the Fantom blockchain — advised users to withdraw all of their assets “immediately”. It has also notified major crypto players — such as USD Coin (USDC) issuer Circle, MakerDAO, and AnySwap — regarding the exploit, and requested that any assets related to the hack be frozen.

According to data from analytics tool DeFiLlama, the project had attracted around $100 million in total value locked (TVL) prior to the attack, which caused an exodus and left the project with just over $4 million in TVL. Such an occurrence is not unusual in the DeFi world, as shown by Vee Finance, which back in September lost $35 million worth of assets to an exploit that saw its TVL crash from almost $130 million to $7 million currently.
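
The "five deposits while the first was being processed" pattern described above can be reproduced in a small model, added here as an illustration and not taken from Grim Finance's contract. The article does not describe the contract's internals, so the balance-difference accounting, the lock flag and every name below are assumptions.

```python
# Constructed model of a vault deposit path; all names here are hypothetical.
class ReentrancyError(Exception):
    """Stands in for the revert a reentrancy guard triggers on-chain."""

class Vault:
    def __init__(self, guarded):
        self.guarded = guarded   # True = deposit() holds a lock while it runs
        self.locked = False
        self.balance = 0         # tokens the vault actually holds
        self.shares = {}         # depositor -> credited amount

    def deposit(self, token, sender, amount):
        if self.guarded:
            if self.locked:
                raise ReentrancyError("deposit() re-entered")
            self.locked = True
        try:
            before = self.balance
            token.transfer_from(self, sender, amount)  # external call
            credited = self.balance - before           # accounting after the call
            self.shares[sender] = self.shares.get(sender, 0) + credited
        finally:
            self.locked = False

class ReenteringToken:
    """Test double: its transfer hook calls deposit() again until `depth`
    deposits are open, then moves `amount` into the vault exactly once."""
    def __init__(self, depth):
        self.depth = depth

    def transfer_from(self, vault, sender, amount):
        if self.depth > 1:
            self.depth -= 1
            vault.deposit(self, sender, amount)
        else:
            vault.balance += amount

def credited_vs_held(guarded, depth=5, amount=100):
    """Return (total credited, tokens held) after one outer deposit."""
    vault = Vault(guarded)
    try:
        vault.deposit(ReenteringToken(depth), "depositor", amount)
    except ReentrancyError:
        pass  # on-chain, the whole transaction would revert here
    return sum(vault.shares.values()), vault.balance

if __name__ == "__main__":
    print("unguarded:", credited_vs_held(False))  # credited exceeds held
    print("guarded:  ", credited_vs_held(True))   # nested call rejected
```

The invariant worth testing in any vault is that the total credited never exceeds the tokens held; the unguarded run breaks it, while the lock rejects the nested call before any accounting happens.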
