Growth DeFi Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Growth DeFi

A successfully audited smart contract still contained an exploit. This exploit enabled a very smart individual to extract funds from the platform's hot wallets. That smart individual decided to keep the money.

Affected users are given the equivalent of 15% of their money back.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Growth DeFi

"GROWTH claims to be a DeFi ecosystem on the Ethereum blockchain built to maximize yields from the top DeFi protocols, introducing liquidity provider exposure without suffering from impermanent loss." "Growth DeFi provides an easy way to maximize the yield users can generate with their tokens by using PMTs & gTokens, GRO is the token of the protocol and when staked it has governance rights over the stkGRO DAO and shares the profits generated from the fees charged in PMTs & gTokens." "[T]he project was successfully audited by Consensys Dilligence"

"An attacker created a Fake ERC-20 token named rAXZZ and an associated with it an Uniswap V2 Liquidity Pool paired it with GRO (GRO/rAXZZ)."

"Due to a vulnerability in the stkGRO/rAAVE contract — which did not properly check the match between the LP assets and the token being deposited — allowed the deposit to be accepted. It was forwarded to the Uniswap V2 Router which routed (as instructed by the stkGRO/rAAVE) the swap and subsequent liquidity provision via the fake LP."

"The 5056 GRO/rAXZZ LP shares obtained were then mistakenly taken by the stkGRO/rAAVE contract as legitimate GRO/rAAVE LP shares. It then accepted them in exchange for 14513 newly minted stkGRO/rAAVE shares."

"Once on hold of the 14513 stkGRO/rAAVE shares the attacker proceeded to withdraw the 5056 GRO/rAAVE LP shares from the stkGRO/rAAVE contract using the simple withdrawal function, that returns to the staker GRO/rAAVE LP shares and burns the provided stkGRO/rAAVE shares."

"The team will further review the contracts and provide a new deployment for the staking contracts at the right time."

"We have decided to migrate rAAVE to a new token called gROOT which won’t rebase, this is being done to mitigate future vulnerabilities that may come up otherwise with rebasing."

"We have taken snapshots of the farming LP balances before the exploit happened. 1.4 MM $ was drained by the attacker, of which 12% was from users (168,000 $). We will issue 168,000 SAFE proportionally to the stkGRO/rAAVE tokens held in the farming contract before the exploit happened."

"SAFE tokens will be airdropped to BSC wallets. SAFE tokens will be bought up in the future for up to 1$ each as the protocol earns fees from the different products it offers, it won’t be instant but eventually all of the tokens will be bought back and destroyed."

As one affected user Francis said, "We should be getting the value of our gro back at the time the snapshot was taken before the hack. You are penalising investors for the hack by paying us the value after he had market dumped everything and crashed the price. Or at the very least you should pay us back in $gro like we deposited, so we have the chance for the price to rebound and recover our money. This way you are capping our compensation at like 15% of what we put in. This was an error on your part and you are penalising us for it. This isnt making things right?"

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Growth DeFi Hack
Date Event Description
February 8th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $1,300,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

It's impossible to prove definitively that a smart contract is secure, and smart contracts operate live, enabling a hacker to steal funds immediately.

On the other hand, an offline air-gapped wallet is not remotely reachable, and when setting up so multiple signatures are required for withdrawals, this can prevent theft by any single individual.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Leaderboard (May 13, 2021)
  2. Rekt - The Big Combo (Growth DeFi - REKT) (May 16, 2021)
  3. @r0bster97 Twitter (May 19, 2021)
  4. Raave Farming Contract Exploit Explained (May 19, 2021)
  5. Ethereum Transaction Hash (Txhash) Details | Etherscan (May 19, 2021)
  6. $GRO Growth defi hacked : CryptoMoonShots (May 19, 2021)
  7. Growth DEFI crypto assets company being totally dismissive on their investors : RevolutionarySider (May 19, 2021)
  8. How To Buy GrowthDeFi GRO (May 19, 2021)
  9. BlockThreat Week 6 2021 (May 19, 2021)
  10. GrowthDefi Homepage (May 20, 2021)
  11. Growth Defi V1 | ConsenSys Diligence (May 20, 2021)
  12. @GrowthDefi Twitter (May 20, 2021)
  13. @GrowthDefi Twitter (May 20, 2021)
  14. The Future Of Raave (May 20, 2021)
  15. GitHub - GrowthDeFi/growthdefi-v1-core: GrowthDeFi V1 Core smart contracts (Jun 27, 2021)
  16. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  17. security/2021-02-10-Growth-Defi.md at master · OriginProtocol/security · GitHub (Aug 11, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Growth_DeFi_Hack&oldid=3945"