According to a statement released by the cybersecurity provider PeckShield, GymSinglePool, one of GYM Network’s components, was attacked today, June 8, 2022.
The GYM Network is a cross-protocol DeFi aggregator designed to optimise the yield farming process on BNB Chain and make it simple for beginners.
The pool’s design lacked a caller verification check, allowing attackers to raise their balances without depositing any funds.
More than $2.1 million was stolen as a result of this design flaw. The attackers immediately began transferring the stolen funds to Tornado Cash, a transaction-obfuscating service.
GYM, the protocol’s core native utility and governance token, immediately lost more than half of its value, plummeting from $0.00099 to $0.00048.
The protocol was audited twice, once by PeckShield and once by CertiK. It also makes use of Alpaca Finance’s codebase, which has been audited 20 times.
According to blockchain researcher Kyrian Alex (Kyrian.sol), the GYM Network is far from the only protocol with a similar design flaw.
This isn’t the first time a protocol has been hacked due to a “lack of caller verification.” It appears that I’ll have to investigate a number of these clone protocols in search of the same vulnerability.
The attack was confirmed by team representatives. According to GYM Network’s community coordinator, the vulnerability was found in a new “Claim and Reinvest” feature deployed two days ago. The team added that, as of press time, the source of the bug had been identified and fixed.
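The flaw class described in this article, a balance-crediting function with no caller verification, modeled in Python as an added example. It is not GYM Network's contract code: the class, function and account names are hypothetical, and `is_solvent` is one invariant a monitor could watch for this kind of bug.

```python
# Simplified model; all names are hypothetical, not GYM Network's contract code.
class Token:
    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[src] -= amount
        self.mint(dst, amount)  # reuse the credit logic for the receiver

class Pool:
    def __init__(self, token, trusted_caller, verify_caller):
        self.token, self.trusted_caller = token, trusted_caller
        self.verify_caller = verify_caller
        self.credited = {}

    def deposit(self, sender, amount):
        # Public path: tokens move into the pool before the balance is credited.
        self.token.transfer(sender, "pool", amount)
        self.credited[sender] = self.credited.get(sender, 0) + amount

    def credit_from_contract(self, caller, beneficiary, amount):
        # Internal path: credits without a transfer, on the assumption that the
        # trusted contract already moved the tokens. Safe only if caller is checked.
        if self.verify_caller and caller != self.trusted_caller:
            raise PermissionError("caller is not the trusted contract")
        self.credited[beneficiary] = self.credited.get(beneficiary, 0) + amount

    def is_solvent(self):
        # Monitoring invariant: credited balances never exceed tokens held.
        return sum(self.credited.values()) <= self.token.balances.get("pool", 0)

def run_scenario(verify_caller):
    token = Token()
    token.mint("alice", 100)
    token.mint("vault", 50)
    pool = Pool(token, trusted_caller="vault", verify_caller=verify_caller)
    pool.deposit("alice", 100)
    token.transfer("vault", "pool", 50)            # trusted contract pays first...
    pool.credit_from_contract("vault", "bob", 50)  # ...then credits its user
    try:
        pool.credit_from_contract("mallory", "mallory", 1000)  # no tokens sent
        rejected = False
    except PermissionError:
        rejected = True
    return rejected, pool.is_solvent()
```

`run_scenario` returns whether the unbacked credit was rejected and whether the pool's credited balances are still covered by the tokens it holds.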