Aave’s Earning Farm Suffers Reentrancy Attack

  • Aave’s Earning Farm was recently compromised according to blockchain security firm PeckShield
  • The attack saw the platform lose over $280,000
  • It’s yet to be determined whether a weakness in some versions of the Vyper programming language is to blame

Aave’s Earning Farm was recently compromised through a reentrancy attack, according to security firm PeckShield. The attack saw over $280,000 siphoned from the platform, although it’s unclear whether the attack leveraged a weakness in some versions of the Vyper programming language mostly used by DeFi platforms. The weakness also caused havoc on Curve Finance, with blockchain security experts warning that hackers are likely to use it to attack more DeFi platforms.

Not the First Misfortune

Earning Farm is yet to acknowledge the incident, which isn’t its first misfortune. Last year, for example, the DeFi platform lost over 700 ETH in two separate flash loan attacks. The platform’s smart contracts were audited by popular blockchain security firm SlowMist.

The platform promises “user-friendly investment tools for mass population” and offers access to USDC, wrapped Bitcoin (WBTC) and ETH to push for the adoption of blockchain-powered finance.

Hacked DeFi protocols are resorting to offering bug bounties in exchange for 90% of stolen funds. However, with funds in the hands of attackers, some prefer to allocate themselves a bigger bounty than offered, while others decide to keep all the funds even when their identities are revealed.

Hacker Allocates Themselves 27% Bug Bounty

Curve Finance, for example, joined hands with other platforms compromised using the Vyper attack to offer a 10% bug bounty, but the hacker only returned 73% of the funds, allocating themselves 27% as the right payout for finding the vulnerability.

The Mango Markets hacker, on the other hand, disclosed that he wishes to keep the funds despite his identity being revealed and his being taken to court.

With Earning Farm yet to acknowledge the security breach, it’s unclear whether they’ll reach out to the attacker for a deal.