Back to the list

GYM Network Protocol Hacked, $2.1 Million Stolen: Here's How

u.today 08 June 2022 17:25, UTC
Reading time: ~2 m

GYM Network is a cross-protocol DeFi aggregator designed to optimize the process of yield farming on BNB Chain and make it straightworward for newbies.

GYM Network allowed to increase balance without actually depositing money

As per the statement shared by PeckShield cybersecurity provider, GYM Network had one of its elements, GymSinglePool, attacked today, June 8, 2022.

The GymSinglePool of @GymNet_Official is hacked w/ the loss of $2.1m (~7.5K BNB). The bug is due to the lack of caller verification, which is exploited to increase the balance without making any payment. The stolen funds are now deposited via @TornadoCash https://t.co/I2eD8WBWXk pic.twitter.com/tUl3wnuIAW

— PeckShield Inc. (@peckshield) June 8, 2022

The architecture of the pool lacked a caller verification instrument: malefactors were able to increase their balances without sending money to them.

This design flaw was exploited with more than $2.1 million stolen. The attackers immediately started moving their loot to Tornado Cash transaction obfuscating service.

GYM, a core native utility and governance token of the protocol, immediately lost over 50% of its price, plunging from $0.00099 to $0.00048.

More protocols at risk?

Ironically, the protocol was audited twice by PeckShield itself and by CertiK. Also, it leverages Alpaca Finance's codebase which was audited 20 times.

Blockchain researcher Kyrian Alex (Kyrian.sol) highlighted that GYM Network is far from being the only protocol that contains a similar design flaw:

This isn't the first protocol being hacked because of "lack of caller verification". Seem I'll have to check out a lot of these clone protocols looking for this same vulnerability.

Team representatives confirmed the fact of attack. GYM Network's community coordinator explained that the vulnerability was disclosed in a new "Claim and Reinvest" instrument deployed two days ago.

By press time, the source of the bug has been identified and fixed, the team adds.

Back to the list