$30 million stolen from DeFi protocol Grim Finance, audit firm apologizes for missing vulnerability

DeFi protocol Grim Finance said about $30 million was stolen this weekend by hackers exploiting a vulnerability in their platform. 

In a statement posted to Twitter on Saturday, Grim Finance said “an advanced attack” was taking place and initially paused all vaults to prevent more attacks. 

“The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company explained on Saturday night. “We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”

Solidity Finance, a DeFi auditing firm, released an apology for missing the vulnerability that led to the incident. The firm had audited Grim Finance just four months earlier.

The company said the cause of the issue was “the ability of users to input arbitrary addresses and have them called within the depositFor function.” 

“Via reentrancy, the issue allowed users to falsely increase their shares in Grim’s vaults and subsequently withdraw more than they had deposited,” Solidity Finance wrote on their website before linking to a longer Twitter thread where they said a new analyst missed the vulnerability while their CTO was on vacation. 
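The two statements above describe the pattern, not the code: depositFor accepted a token address from the caller, called it, and then minted shares from the change in the vault's balance. The model below is an added illustration written for this article, not Grim Finance's contract, Solidity Finance's audit findings, or the attacker's exploit. It is a constructed Python simulation in which every name (Vault, Token, MaliciousToken, run_scenario, the 1000-unit deposits) is an assumption. It shows why a balance-delta share calculation breaks once an untrusted address can re-enter the function: every nested frame snapshots the same "before" balance, so one real deposit is credited once per frame, and it shows the two fixes a reviewer would expect, a reentrancy guard and refusing to call a caller-supplied address at all.

```python
"""Simplified model of a share-based vault whose deposit_for() calls a
caller-supplied token address before minting shares from a balance delta.
Constructed illustration for this article, not the Grim Finance contract."""


class ReentrancyDetected(Exception):
    """Stands in for a Solidity revert raised by a nonReentrant guard."""


class Token:
    """Minimal ERC-20-like ledger (constructed for the example)."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer_from(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class Vault:
    """deposit_for() mirrors the vulnerable pattern: snapshot the balance,
    call an address chosen by the caller, mint shares from the delta."""

    def __init__(self, want, reentrancy_guard=False, trust_caller_token=True):
        self.want = want                      # the token the vault is meant to hold
        self.reentrancy_guard = reentrancy_guard
        self.trust_caller_token = trust_caller_token
        self.total_supply = 0
        self.shares = {}
        self._entered = False

    def balance(self):
        return self.want.balance_of(self)

    def deposit_for(self, token, amount, sender, user):
        if self._entered and self.reentrancy_guard:
            raise ReentrancyDetected("deposit_for re-entered")
        self._entered = True
        try:
            if not self.trust_caller_token:
                token = self.want             # hardened: never call a caller-supplied address
            pool = self.balance()             # snapshot taken BEFORE the external call
            token.transfer_from(sender, self, amount)   # untrusted call: may re-enter
            delta = self.balance() - pool     # every nested frame sees the same `pool`
            shares = delta if self.total_supply == 0 else delta * self.total_supply // pool
            self.total_supply += shares
            self.shares[user] = self.shares.get(user, 0) + shares
            return shares
        finally:
            self._entered = False

    def withdraw(self, user):
        """Redeem all of `user`'s shares for a pro-rata slice of the pool."""
        owed = self.shares.get(user, 0) * self.balance() // self.total_supply
        self.total_supply -= self.shares.pop(user, 0)
        self.want.transfer_from(self, user, owed)
        return owed


class MaliciousToken:
    """Attacker-controlled contract passed as `token`. Its transfer_from
    re-enters deposit_for `depth` times, then makes one genuine deposit of
    the vault's real token at the innermost level."""

    def __init__(self, vault, attacker, real_amount, depth):
        self.vault, self.attacker = vault, attacker
        self.real_amount, self.remaining = real_amount, depth

    def transfer_from(self, src, dst, amount):
        if self.remaining > 0:
            self.remaining -= 1
            self.vault.deposit_for(self, 0, self.attacker, self.attacker)
        else:
            self.vault.deposit_for(self.vault.want, self.real_amount,
                                   self.attacker, self.attacker)


def run_scenario(depth, reentrancy_guard=False, trust_caller_token=True):
    """An honest user deposits 1000; the attacker then deposits 1000 through
    the malicious token. Returns (attacker_shares, honest_shares, attacker_payout)."""
    want = Token()
    vault = Vault(want, reentrancy_guard, trust_caller_token)
    honest, attacker = object(), object()
    want.mint(honest, 1000)
    want.mint(attacker, 1000)
    vault.deposit_for(want, 1000, honest, honest)
    evil = MaliciousToken(vault, attacker, 1000, depth)
    try:
        vault.deposit_for(evil, 0, attacker, attacker)
    except ReentrancyDetected:
        pass                                  # the whole transaction reverts
    attacker_shares = vault.shares.get(attacker, 0)
    honest_shares = vault.shares.get(honest, 0)
    payout = vault.withdraw(attacker) if attacker_shares else 0
    return attacker_shares, honest_shares, payout


if __name__ == "__main__":
    print("vulnerable        :", run_scenario(2))
    print("reentrancy guard  :", run_scenario(2, reentrancy_guard=True))
    print("pinned want token :", run_scenario(2, trust_caller_token=False))
```

With two re-entries the attacker's single 1000-unit deposit is credited four times, each time against a total supply that has already doubled, so the attacker ends up with 15000 shares against the honest user's 1000 and can withdraw 1875 of the 2000 units in the vault. Either fix alone stops the simulation: the guard reverts the nested call before any shares are minted, and pinning the token means the caller-supplied address is never called, so there is nothing to re-enter from. A vault should do both, since the guard protects this function while pinning the address removes the untrusted call entirely.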

“When conducting the Grim Finance audit ~4 months ago, our firm was

Read More: https://www.zdnet.com/article/30-million-stolen-from-defi-protocol-grim-finance-audit-firm-apologizes-for-missing-vulnerability/#ftag=RSSbaffb68