Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 086Reentrancy

Revest Finance FNFT Reentrancy

$2M drained from Revest Finance via a reentrancy in mintAddressLock/depositAdditionalToFNFT that let the attacker mint over-valued NFTs and redeem them.

Date
Victim
Revest Finance
Chain(s)
Ethereum
Status
Funds Stolen

On March 27, 2022, Revest Finance — a protocol for "financial NFTs" (FNFTs) that tokenise time-locked or structured token positions — lost approximately $2 million to a reentrancy attack in its FNFT minting path. The attacker minted FNFTs representing more value than they deposited, then redeemed them for the protocol's reserves.

What happened

Revest's FNFTs represent claims on deposited tokens (vesting positions, locked tokens, structured products). The minting/deposit flow tracked each FNFT's underlying balance.

The fatal flaw was a reentrancy in the depositAdditionalToFNFT / mint path: the function transferred tokens and updated FNFT accounting in an order that allowed the token transfer's callback to re-enter the minting logic before the accounting settled.

The attack:

  1. Used a token (or path) that triggered a callback during the deposit transfer.
  2. Re-entered the FNFT mint/deposit function mid-operation, before the first deposit's accounting was finalised.
  3. The reentrant calls credited the attacker's FNFT with more underlying value than was actually deposited — the classic "balance updated after external call" reentrancy.
  4. Redeemed the over-valued FNFTs for the protocol's real token reserves.
  5. Walked with ~$2M, laundered through Tornado Cash.

Aftermath

  • Revest Finance paused the protocol and published a post-mortem.
  • A compensation plan was proposed; recovery from the attacker was minimal.
  • The protocol's standing was significantly damaged; FNFTs as a category did not gain mainstream traction afterward.

Why it matters

Revest Finance is another entry in the deposit-path reentrancy lineage that runs through the entire catalogue — The DAO (2016), Cream AMP (2021), Grim Finance (2021), Voltage Finance (2022), Penpie (2024). The recurring shape: a function transfers tokens and updates internal accounting, the transfer can trigger a callback, and the callback re-enters before the accounting settles — violating the invariant the protocol's solvency depends on.

The structural lesson is the oldest in smart-contract security and the most-repeated: checks-effects-interactions, plus a reentrancy guard on every state-mutating path that makes external calls, without exceptions. Revest's loss was comparatively small ($2M), but it's a clean instance of a protocol introducing a novel primitive (financial NFTs) and recreating the conditions for the single most foundational Solidity bug while doing so. Every new abstraction layer is a fresh opportunity to reintroduce reentrancy — the attack surface doesn't shrink as the ecosystem matures, it just moves to wherever the newest code is.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-revest-finance-hack-march-2022
  2. [02]therecord.mediahttps://therecord.media/2-million-stolen-from-defi-protocol-revest-finance-platform-unable-to-reimburse-victims
  3. [03]rekt.newshttps://rekt.news/revest-finance-rekt

Related filings