On August 9, blockchain security company PeckShield reported a new exploit targeting decentralized finance (DeFi) projects. The attack was aimed at Aave's Earning Farm and resulted in the theft of approximately $287,000 worth of ether, according to PeckShield.
The attack in question is known as a reentrancy attack, a technique analogous to tricking an ATM into dispensing money repeatedly before it detects that there are no funds left. In the context of blockchain systems, this involves repeatedly calling functions that interact with smart contracts before the initial function call has finished. This grants attackers access to more resources than they should rightfully have.
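The ordering flaw described above can be seen in a small model. The following is an added example, not code from Earning Farm, Curve, or PeckShield: a toy in-memory vault in Python whose names (`Vault`, `simulate`, `on_receive`) and balances are all constructed, showing the same withdrawal with the ledger updated after the external call and then with it updated first behind a reentrancy guard.

```python
# Toy in-memory model (constructed for illustration; not any protocol's contract code).
class Vault:
    def __init__(self, hardened):
        self.hardened = hardened   # True: guard + update ledger before paying out
        self.balances = {}         # account -> credited amount
        self.reserves = 0          # funds the vault actually holds
        self.locked = False        # reentrancy guard flag

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserves:
            return
        self.locked = True
        try:
            if self.hardened:
                self.balances[who] = 0   # effect before interaction
            self.reserves -= amount
            on_receive(amount)           # external code runs here, mid-withdrawal
            if not self.hardened:
                self.balances[who] = 0   # flaw: ledger updated after the call
        finally:
            self.locked = False


def simulate(hardened):
    """Return (total paid to the caller, reserves left) for a 10-unit depositor."""
    vault = Vault(hardened)
    vault.deposit("other_users", 90)
    vault.deposit("caller", 10)
    paid = []

    def on_receive(amount):
        paid.append(amount)
        try:
            vault.withdraw("caller", on_receive)  # call back in before returning
        except RuntimeError:
            pass                                  # hardened vault refused re-entry

    vault.withdraw("caller", on_receive)
    return sum(paid), vault.reserves


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("hardened:  ", simulate(True))
```

In the vulnerable ordering the 10-unit depositor is paid the vault's entire reserves, while the hardened ordering pays exactly the credited amount and leaves the other users' funds intact.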
The connection between this attack and a vulnerability in the Curve Finance mining pool remains uncertain. Just recently, on July 30, Curve Finance's stable pool experienced a reentrancy attack, leading to losses exceeding $61 million. The root of the Curve hack was linked to a flaw affecting three iterations of the Vyper programming language, commonly used in DeFi protocol development.
Earning Farm, which seeks to provide a user-friendly protocol for Ethereum, Wrapped Bitcoin (wBTC), and USD Coin holders, had previously been audited by security firm Slowmist for its blockchain contracts. This is not the first time the protocol has fallen victim to an attack. In October 2022, Earning Farm's EFLeverVault was targeted in two malicious hacks, resulting in the loss of 750 ETH from the protocol.
Flash loan attacks, such as the one used against Earning Farm, involve borrowing substantial amounts of cryptocurrency within a single transaction. Hackers manipulate the cryptocurrency's value through a series of transactions and subsequently repay the borrowed funds in the same transaction. These attacks exploit temporary imbalances and inconsistencies in prices within the system to generate profit.


















