Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The DeFi project Earning.Farm suffered a reentrancy attack and lost 286 ETH (approximately $530,000). According to SlowMist's analysis, during a withdrawal the attacker re-entered the LP token's transfer function and moved LP tokens out of the withdrawing account. This made the account's balance smaller than the shares value calculated earlier, which triggered the logic that updates the shares value, so the manipulated LP amount was updated to the value the attacker wanted. As a result, the amount of LP finally burned was much smaller than expected, and the attacker could withdraw funds from the pool by withdrawing the transferred LP again.
Attack method (per SlowMist): Reentrancy Attack. Reported loss: $530,000.
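The accounting flaw SlowMist describes can be modelled off-chain to show why burning shares before the payout closes it. The following is an added example, not Earning.Farm's contract code: the `Vault` class, the account names and the deposit amounts are all constructed for illustration.

```python
class Vault:
    """Toy share-accounting vault; a constructed model, not Earning.Farm's contract."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.lp = {}       # LP (share) balance per account
        self.assets = 0    # pooled ETH, whole units

    def deposit(self, who, amount):
        supply = sum(self.lp.values())
        minted = amount if supply == 0 else amount * supply // self.assets
        self.assets += amount
        self.lp[who] = self.lp.get(who, 0) + minted

    def transfer(self, src, dst, amount):
        if self.lp.get(src, 0) < amount:
            raise ValueError("insufficient LP")
        self.lp[src] -= amount
        self.lp[dst] = self.lp.get(dst, 0) + amount

    def withdraw(self, who, shares, on_receive=lambda: None):
        if self.lp.get(who, 0) < shares:
            raise ValueError("insufficient LP")
        payout = shares * self.assets // sum(self.lp.values())
        self.assets -= payout
        if self.hardened:
            self.lp[who] -= shares              # effect: burn before the external call
            on_receive()                        # interaction: payout hands over control
        else:
            on_receive()                        # control leaves before the burn
            shares = min(shares, self.lp[who])  # shares re-capped to current balance
            self.lp[who] -= shares              # burns less than was paid for
        return payout


def replay(hardened):
    """Return (total paid to accounts a and b, value left for the honest holder)."""
    v = Vault(hardened)
    v.deposit("honest", 900)
    v.deposit("a", 100)
    def move_lp():                              # runs inside a's payout callback
        try:
            v.transfer("a", "b", 100)
        except ValueError:
            pass                                # nothing to move once shares are burned
    paid = v.withdraw("a", 100, move_lp)
    paid += v.withdraw("b", v.lp["b"]) if v.lp.get("b") else 0
    honest = v.lp["honest"] * v.assets // sum(v.lp.values())
    return paid, honest
```

In the unhardened ordering the model pays 190 units against a 100-unit deposit and the honest holder's claim falls from 900 to 810; with the burn moved ahead of the payout, the same sequence pays 100 and leaves 900.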
- chain: —
- protocol: Earning.Farm
- bug_class: reentrancy
- date_occurred: 2023-08-09
- loss_usd: $530,000
- source_id: sm:earning-farm::2023-08-09