Agave DAO + Hundred Finance (dual attack): ERC677 callAfterTransfer() reentrancy — flash loan collateral → nested borrow calls before debt balance update → multi-asset drain
Summary #
Agave DAO + Hundred Finance (dual attack), both Lending / Money Market protocols, were exploited on 2022-03-15, resulting in a combined loss of approximately $12M.
What happened #
The same attacker drained $5.5M from Agave and $6.2M from Hundred Finance in a 3-minute window on Gnosis Chain — both forks vulnerable to the same ERC677 token callback reentrancy, 7 months after Cream Finance fell to the identical attack class on Ethereum.
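The flawed ordering and its fix, as an added illustration that is not Agave's or Hundred's own code: a simplified borrow path where the token transfer hands control to the borrower before debt is recorded, beside the checks-effects-interactions version with a reentrancy guard. Contract names, the ICallbackToken interface and the collateral mapping are constructed for the example; collateral deposit bookkeeping is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed interface: a token whose transfer() hands control to a contract
// recipient (the ERC677 callback behaviour the incident relied on).
interface ICallbackToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VulnerableBorrow {
    ICallbackToken public immutable asset;
    mapping(address => uint256) public collateral; // simplified accounting
    mapping(address => uint256) public debt;

    constructor(ICallbackToken _asset) { asset = _asset; }

    // Flawed ordering: the token is sent (and the recipient's callback runs)
    // before debt is recorded, so a nested borrow() sees the stale debt balance
    // and the collateral check passes again.
    function borrow(uint256 amount) external {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized");
        asset.transfer(msg.sender, amount);   // external call; callback can re-enter here
        debt[msg.sender] += amount;           // state update too late
    }
}

contract HardenedBorrow {
    ICallbackToken public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    constructor(ICallbackToken _asset) { asset = _asset; }

    // Reentrancy guard blocks nested entry from any token callback.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Checks-effects-interactions: record the debt before the token leaves.
    function borrow(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized");
        debt[msg.sender] += amount;                                       // effect first
        require(asset.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Either defence alone closes the nested-borrow path; applying both means a future change that reorders the interaction cannot silently reopen it.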
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the xDai token callback compatibility risk was not in audit scope]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: No — established forks; no recent upgrades]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Agave: Yes (Aave-like program); Hundred: Unknown]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — both are forks (Aave V2 and Compound respectively)]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — both are forks (Aave V2 and Compound respectively)]