GYM Network Protocol Hacked, $2.1 Million Stolen: Here’s How



Vladislav Sopov

An error in a single function of a liquidity pool codebase resulted in seven-digit losses


GYM Network is a cross-protocol DeFi aggregator designed to optimize yield farming on BNB Chain and make it straightforward for newcomers.

GYM Network allowed to increase balance without actually depositing money

According to a statement from blockchain security firm PeckShield, one of GYM Network's components, the GymSinglePool contract, was attacked today, June 8, 2022.

The pool's code lacked caller verification: attackers were able to increase their recorded balances without actually depositing funds into the pool.
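A minimal Solidity sketch of the flaw class described above, added here as an illustration and not GYM Network's actual code: the function name, the `reinvestContract` address and the pool layout are assumptions, showing the unchecked balance-crediting entry point beside a version that verifies its caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration (not GYM Network's code) of a pool whose
// balance-crediting entry point trusts whoever calls it.

contract VulnerablePool {
    mapping(address => uint256) public balances;

    // Intended to be called only by a trusted reinvest contract that has
    // already moved tokens into this pool. With no check on msg.sender,
    // any address can credit itself an arbitrary balance for free.
    function depositFromOtherContract(uint256 amount, address user) external {
        balances[user] += amount;
    }
}

contract HardenedPool {
    mapping(address => uint256) public balances;
    address public immutable reinvestContract; // assumed trusted caller

    constructor(address _reinvestContract) {
        reinvestContract = _reinvestContract;
    }

    // Caller verification: only the trusted reinvest contract may credit balances.
    modifier onlyReinvest() {
        require(msg.sender == reinvestContract, "caller is not reinvest contract");
        _;
    }

    function depositFromOtherContract(uint256 amount, address user)
        external
        onlyReinvest
    {
        balances[user] += amount;
    }
}
```

An equally sound alternative is to have the pool pull the tokens itself (e.g. via `transferFrom`) so that a credited balance can never exceed what was actually received.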

Exploiting this design flaw netted the attackers more than $2.1 million, which they immediately began moving to the Tornado Cash mixing service.


GYM, the protocol's core utility and governance token, immediately lost over 50% of its value, plunging from $0.00099 to $0.00048.

More protocols at risk?

Ironically, the protocol had been audited twice, by PeckShield itself and by CertiK. It also builds on Alpaca Finance's codebase, which has been audited 20 times.

Blockchain researcher Kyrian Alex (Kyrian.sol) highlighted that GYM Network is far from being the only protocol that contains a similar design flaw:

This isn’t the first protocol being hacked because of “lack of caller verification”. Seems I’ll have to check out a lot of these clone protocols looking for this same vulnerability.

Team representatives confirmed the attack. GYM Network’s community coordinator explained that the vulnerability was located in a new “Claim and Reinvest” feature deployed two days ago.

By press time, the team adds, the source of the bug had been identified and fixed.

Source: https://u.today/gym-network-protocol-hacked-21-million-stolen-heres-how