This week some Gnosis Chain users suffered an attack that drained two lending protocols on the GC. In this week’s update we provide more context around the circumstances and methods the attacker(s) used and look at some actionable steps that may be taken as a result. Following this we briefly touch on other updates from the week including some important GIPs that are now open to voting on Snapshot.
DeFi Lending Protocol Hack
On Tuesday 15 March, over the span of only a few minutes, more than $11M USD was drained from two DeFi protocols operating on the Gnosis Chain. The attacker(s) leveraged flash loans to instigate reentrancy attacks against Agave (forked from Aave) and Hundred Finance (forked from Compound) lending protocols.
Analysis of the attacks is ongoing with the involved protocols. Proposals related to this hack may be posted on the Gnosis Forum; please check there to participate 🙋🏼‍♀️ as a community member.
Hack Retrospective
The Gnosis Chain published a post mortem related to tokens leveraged in the exploit. As explained in the post mortem (below), legacy tokens bridged from the Ethereum mainnet to the Gnosis Chain included additional functionality to improve UX and avoid accidental locking in the bridge contract. Unfortunately, this functionality was exploited in tandem with missing guards against reentrancy from the impacted protocols, resulting in a flash loan-based hack unique to these forked protocols operating on the Gnosis Chain.
Below are several references that provide more insight into the attack. They include the Gnosis Chain post-mortem as well as some 3rd party analysis of the attacker’s methodology.
DeFi and Risk
We at Gnosis Chain feel for users and protocol developers whose funds were stolen and are sorry for those who lost substantial funds due to the actions of a malicious actor or actors. We will continue to assist the protocols to investigate this attack.
DeFi protocols offer a complicated balancing act between risk and reward for users. Each time a hack occurs lessons are learned and systems are hardened. Unfortunately, these improvements often come at the expense of DeFi adopters willing to risk their funds for high rewards within a multiplex ecosystem.
Protocols considered safe in one environment may need additional updates when forked to another chain. In this case, design patterns considered safe on Ethereum mainnet in the original protocols became unsafe when forked to Gnosis Chain. This was due to a difference in the token implementation for previously bridged tokens on Gnosis Chain in combination with different processes for assessing listable assets on the forked protocols (for example on mainnet Aave governance ensures no reentrant tokens are listed).
The hack also drew attention to some issues with the source implementations, which will likely lead to future improvements. Hundred Finance is a fork of Compound. Investigation of this hack found that Compound does not currently implement the recommended checks-effects-interactions pattern to prevent reentrancy. Had this been in place, the attack on Hundred Finance would not have been as impactful.
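To make the checks-effects-interactions point concrete, here is an added illustration (written for this update, not code from Agave, Hundred Finance, Compound or Aave) of a minimal lending pool in two forms. The token interface and the pool logic are hypothetical; the only assumption is the one the post mortem describes: the token hands control to the recipient during a transfer. In the vulnerable version the outgoing transfer happens before the borrower's debt is recorded, so a recipient that regains control during the transfer sees stale state. The hardened version records the debt first and additionally refuses re-entry into the function while a call is in progress.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal ERC-20 surface; in the scenario discussed above the
// token's transfer() is assumed to invoke a hook on the recipient before returning.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable ordering: check -> interaction -> effect.
contract VulnerablePool {
    IERC20 public immutable token;
    mapping(address => uint256) public collateral; // deposited tokens
    mapping(address => uint256) public debt;       // borrowed tokens

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateral[msg.sender] += amount;
    }

    // Borrow up to 50% of collateral (toy loan-to-value ratio).
    function borrow(uint256 amount) external {
        // check
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralised");
        // interaction: if the token calls back into the recipient here, debt[msg.sender]
        // has not yet been updated, so the same check can be passed again.
        require(token.transfer(msg.sender, amount), "transfer failed");
        // effect, applied too late
        debt[msg.sender] += amount;
    }
}

// Hardened ordering: check -> effect -> interaction, plus a reentrancy guard.
contract HardenedPool {
    IERC20 public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    // Simple mutex: 1 = unlocked, 2 = locked (non-zero values keep storage writes cheap).
    uint256 private _lock = 1;
    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        // Effect is recorded only after the pool actually holds the tokens,
        // so a failing transferFrom cannot credit collateral.
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external nonReentrant {
        // check
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralised");
        // effect: state is final before any external call
        debt[msg.sender] += amount;
        // interaction: a callback during this transfer now sees the updated debt,
        // and the guard rejects any attempt to re-enter borrow() regardless.
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The guard and the ordering are independent defences: the ordering makes the state consistent at the moment control leaves the contract, and the guard rejects re-entry even where some later code path gets the ordering wrong. Neither depends on which tokens governance chooses to list, which is why a fork deployed where the token set differs benefits from having both in the protocol code itself.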
The bottom line is cutting-edge financial technology + many moving parts and dependencies = inherent risk… and …it is painful when assets are stolen.
Actionable Steps
While the funds from this hack are likely gone, there are several actions that can be explored by the community and team to address the situation.
Legacy bridged tokens (517 of them) on the Gnosis Chain contain the reentrant code in question. While most applications on Gnosis Chain currently guard against reentrancy, updating these legacy tokens could provide peace of mind for users as well as additional safeguards if a protocol did not implement the needed protection.
Previously created tokens are not upgradeable by design. To update these tokens, a hard fork (HF) would be the suggested solution. The Gnosis community is considering the HF procedure on Gnosis Chain along with associated details and timeframes to gauge community sentiment and discuss this approach.
The GnosisDAO is open to community proposals related to supporting impacted users. Community members are sympathetic to the losses, and a well-thought-out proposal that details how impacted protocols might move forward (and how future hacks would be prevented) would likely be discussed and considered by the Gnosis community.
Information about the nuances between Gnosis Chain and Ethereum should be better communicated to developers. Devs need to be aware that subtle differences between chains can necessitate changes to forked code. We will work to create more easily accessible materials that outline known differences and educate developers about the possible risks and solutions. While we can’t be responsible for projects and code deployed to Gnosis Chain, we can help to provide more accessible info about security and best practices.
We will explore bug-bounties related to individual projects on Gnosis Chain, insurance protocols, and other ways to help users if losses are incurred in future hacks. We are open to community proposals and suggestions for ways to prevent and protect against the next attacker that tries to exploit projects and users on the Gnosis Chain.
DAO Governance Summary
Two GIPs went live on Snapshot this week. Please vote!
GIP-24: Should GnosisDAO execute the 1st phase 50K GNO Incentives Program for Gnosis Chain as detailed in this forum post?
GIP-28: Allow GNO holders to vote even if their GNO are invested/staked/locked in Smart Contracts in different protocols/networks.
Seed Program Round 1 Complete
Round 1 of the Beacon Chain validator seed program was a big success. VIP (Validator Incentive Program) grants helped over 250 new participants get up and running, including many attendees of our special validator event at EthDenver. We will look at the impacts of Round 1 and update the program to help onboard more diversity and decentralization in nodes for Round 2.
Thanks to everyone for your support and vigilance. DAO Governance will determine many of the next steps and what the future looks like for Gnosis Chain, so if this is important to you please let your voice be known on the forum. If you’d prefer to help impact change as a member of the Gnosis Team, there are many open positions available now!
See you on-chain,
The Gnosis Team