Reentrancy Attacks Hit Aave Earning Farm, Curve Finance

On August 9, the blockchain security firm PeckShield disclosed new vulnerabilities affecting decentralized finance (DeFi) initiatives.

According to the company, a reentrancy attack compromised Aave Protocol’s Earning Farm, culminating in the theft of at least $287,000 worth of Ether.

A reentrancy attack is analogous to tricking an ATM into handing you money multiple times before it realizes you’re out of money.

This occurs when an attacker re-enters a withdrawal request before it has finished, tricking the system into granting the attacker more funds than are available.

In smart contracts, adversaries use this tactic to gain unauthorized access or resources by repeatedly calling a function that interacts with other contracts before the initial function call has completed.

It is unknown whether the attack is related to exploits on Curve Finance’s pools. On July 30, reentrancy attacks also targeted the stable pools of the DeFi protocol, depleting over $61 million.

The Curve breach was made possible by a vulnerability affecting three versions of the Vyper programming language, a contract language used extensively by developers on DeFi protocols.

Earning Farm is intended to be an intuitive protocol for holders of Ether, wrapped Bitcoin (wBTC), and USD Coin. The security firm Slowmist audited its blockchain contracts, as stated on its website.

This is not the first attack against the protocol. In October 2022, Earning Farm’s EFLeverVault was compromised by two flash loan attacks, draining 750 Ether from the protocol.

In flash loan attacks, the attacker borrows a large amount of cryptocurrency in a single transaction, manipulates its value through a series of transactions, and then repays the loan in the same transaction. These attacks profit from price inconsistencies and transient system imbalances.
