Gym Network (GymNet): Missing caller verification — fake deposits via unchecked balance inflation → withdraw drain
Gym Network lost $2.1M when a new "Claim and Pool" feature deployed 2 days after their audits was found to lack any caller verification, letting an attacker create fake deposits and withdraw them for real tokens.
Summary #
Gym Network (GymNet) suffered a Yield Aggregator on 2022-06-10, resulting in a loss of approximately $2M.
What happened #
Gym Network lost $2.1M when a new "Claim and Pool" feature deployed 2 days after their audits was found to lack any caller verification, letting an attacker create fake deposits and withdraw them for real tokens.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (post-audit addition)]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — new Single Pool Contract with Claim and Pool feature deployed 2 days before exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — new Single Pool Contract with Claim and Pool feature deployed 2 days before exploit]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — built on top of Alpaca Finance (yield strategy layer)]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — new Single Pool Contract with Claim and Pool feature deployed 2 days before exploit]