Crypto protocols (bridges, DeFi) are regular targets of hackers, who are not idle, even in summer. Neither are the developers of smart contracts as full of holes as Swiss cheese. Big mistakes in the code leave some protocols open to attacks nobody thought likely. After the Nomad hack ($190 million), here comes Reaper Farm.
This is the story of a not-so-smart contract
Smart contract auditing firm Paladin revealed a few hours ago on Twitter a new hack in the decentralized finance (DeFi) ecosystem. This time it is Reaper Farm, from which more than $1.7 million was siphoned off according to early estimates.
While this is an impressive sum, it seems negligible compared to other recent hacks. That does not make it any less serious, of course. But the real seriousness of the situation lies in the unthinkable weakness in the code of the Multi Strategy vaults’ smart contract.
According to Paladin, the hacker managed to impersonate the legitimate receiver of the withdrawals. The hack was enabled by the use of the ERC-4626 token standard, which lets a depositor authorize other users to withdraw funds on their behalf. The attacker exploited a blind spot left by the platform team in that authorization logic.
The team reacts quickly and well
The official Twitter account of Reaper Farm reacted in the late afternoon, less than twenty-four hours after the attack was spotted. The team published a post spelling out the initial details and pledging to reimburse the affected users right away.
The team managed to salvage 10% of the funds still held by the Multi Strategy smart contract… by exploiting the flaw themselves. This was perhaps the best option once the hack was identified. A commendable initiative, but unfortunately of limited effect.
The developers acknowledge their responsibility in this attack, which they link to a lack of internal vigilance. According to @moonsdontburn (image above), three lines of code would have done the trick.
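To make concrete what the missing check looks like (the "three lines of code" above, and the ERC-4626 delegation described earlier), here is an added, hypothetical vault sketch. It is illustrative code written for this article, not Reaper Farm's contract or an audited ERC-4626 implementation: the contract name, the 1:1 share/asset accounting and the `_spendAllowance` helper are assumptions. The point is that `withdraw(assets, receiver, owner)` lets any caller name any `owner`, so the contract itself must verify that `msg.sender` is that owner or has been approved by them before moving the funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal ERC-4626-style vault, added for illustration only
// (not Reaper Farm's code). Shares and assets are kept 1:1 to keep the
// example short; a real vault converts between them.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SimpleVault {
    IERC20 public immutable asset;

    // Share balances: owner => shares
    mapping(address => uint256) public balanceOf;
    // ERC-4626 delegation: owner => spender => shares the spender may redeem
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    // A depositor authorizes another address to withdraw on their behalf.
    function approve(address spender, uint256 shares) external returns (bool) {
        allowance[msg.sender][spender] = shares;
        return true;
    }

    // The guard that must run on every withdraw/redeem: if the caller is not
    // the owner, they must hold (and consume) an allowance from the owner.
    // Without this check anyone can pass a victim's address as `owner`
    // and their own address as `receiver`.
    function _spendAllowance(address owner, address spender, uint256 shares) internal {
        if (spender != owner) {
            uint256 allowed = allowance[owner][spender];
            require(allowed >= shares, "insufficient allowance");
            allowance[owner][spender] = allowed - shares;
        }
    }

    // ERC-4626 signature: burn `owner`'s shares, send `assets` to `receiver`.
    function withdraw(uint256 assets, address receiver, address owner)
        external
        returns (uint256 shares)
    {
        shares = assets; // 1:1 for this example
        _spendAllowance(owner, msg.sender, shares); // the check that was missing
        require(balanceOf[owner] >= shares, "insufficient shares");
        balanceOf[owner] -= shares;
        require(asset.transfer(receiver, assets), "transfer failed");
    }
}
```

When reviewing any vault that exposes the ERC-4626 `withdraw` or `redeem` entry points, the first thing to check is that the `owner` parameter is never trusted on its own: every path that burns shares must either assert `msg.sender == owner` or decrement an allowance granted by `owner`, exactly as `_spendAllowance` does above.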
The team also cites the lack of an external audit after certain features were implemented, in particular ERC-4626 support. After a last-minute change (the audits had been performed on the old technical and economic model), the necessary security steps were not taken.
The hacker, for his part, sent the funds to the Binance Smart Chain and Ethereum bridges, then mixed the stolen tokens to cover his tracks on the blockchain. The team announces that it will step up its communications and that a repayment plan will be established after internal discussions.