Overview
Granary Finance launched as an Aave v2 fork with ambitions to become a multi-chain lending protocol. The project deployed across multiple EVM chains including Ethereum, Optimism, Arbitrum, Fantom, and Base. Granary's value proposition was straightforward: bring proven Aave-style lending to chains where Aave itself hadn't deployed, capturing early DeFi demand on emerging networks.
The protocol operated with moderate TVL across its multi-chain deployments. The GRAIN token provided governance and incentive mechanisms. Granary attracted users looking for lending yields on newer L2s and alt-L1s.
In November 2023, Granary Finance was exploited for approximately $5 million. The attack exploited a reentrancy vulnerability in Granary's custom code modifications — specifically in the reward claiming mechanism that was not part of the original Aave v2 codebase. The exploit drained funds from multiple chain deployments. The irony is devastating: the base Aave v2 code was secure, but Granary's modifications to it introduced the fatal vulnerability.
Smart Contracts
The base Aave v2 lending architecture is well-proven. However, Granary's modifications — particularly the reward distribution system and custom periphery contracts — were where the vulnerability lived. The reentrancy exploit targeted code that the Granary team added on top of Aave v2's core lending logic. This is a common pattern in DeFi fork exploits: the original code is safe, but modifications made by a smaller, less-resourced team introduce new attack vectors. Granary's smart contract score reflects that the core lending logic was inherited and sound, but the custom additions failed catastrophically.
Security
Granary's security failed in the most important test: it was exploited. The ~$5 million loss via reentrancy — one of the oldest and most well-known smart contract vulnerabilities — indicates inadequate security review of custom code. Reentrancy attacks have been understood since the 2016 DAO hack. That a DeFi protocol deployed in 2022-2023 could be exploited via reentrancy in its custom code suggests either insufficient auditing, ignored audit findings, or modifications made post-audit without re-review. The multi-chain deployment amplified the damage, as the same vulnerable code existed across multiple networks.
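The write-up names the bug class but does not show the code, so the sketch below is an added illustration and not Granary's contract code. It is a toy Python model of a reward-claim path, showing why paying out before clearing the accrued balance breaks under a re-entering receiver, and how checks-effects-interactions plus a reentrancy guard restores the invariant. `RewardPool`, its fields, and the sample balances are hypothetical.

```python
# Added illustration: a toy Python model of a reward-claim path.
# It is not Granary's contract code; RewardPool and its fields are hypothetical.

class ReentrancyError(Exception):
    """Raised when claim() is entered again before the first call finished."""

class RewardPool:
    def __init__(self, funds, accrued, hardened):
        self.funds = funds              # tokens held by the rewards contract
        self.accrued = dict(accrued)    # user -> unclaimed rewards
        self.hardened = hardened
        self._locked = False            # reentrancy guard flag

    def _transfer(self, amount, on_receive):
        # Models an external call: control passes to receiver-supplied code.
        self.funds -= amount
        on_receive(amount)

    def claim(self, user, on_receive):
        if not self.hardened:
            amount = self.accrued[user]
            self._transfer(amount, on_receive)   # interaction first ...
            self.accrued[user] = 0               # ... effect last: the flaw
            return
        if self._locked:
            raise ReentrancyError("claim re-entered")
        self._locked = True
        try:
            amount = self.accrued[user]
            self.accrued[user] = 0               # effect before interaction
            self._transfer(amount, on_receive)
        finally:
            self._locked = False

def payout_under_reentry(hardened, reentries=3):
    """Regression check: (total paid, pool funds left) when the receiver calls back."""
    pool = RewardPool(funds=1000, accrued={"alice": 100}, hardened=hardened)  # constructed values
    received = []

    def receiver(amount):
        received.append(amount)
        if len(received) <= reentries:
            try:
                pool.claim("alice", receiver)
            except ReentrancyError:
                pass

    pool.claim("alice", receiver)
    return sum(received), pool.funds

if __name__ == "__main__":
    print("unsafe  :", payout_under_reentry(hardened=False))
    print("hardened:", payout_under_reentry(hardened=True))
```

The property worth asserting in a fork's own test suite is the one checked here: total paid to a user never exceeds what that user had accrued, whatever the receiver does during the transfer.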
Risk Management
Granary inherited Aave v2's risk parameters but the protocol-level risk management — ensuring the safety of its own custom code — was inadequate. The multi-chain deployment strategy multiplied risk exposure without proportionally increasing security resources. Each chain deployment was an additional attack surface. The protocol's risk management of lending parameters (LTV, liquidation thresholds) was reasonable, inheriting Aave's proven framework. But that's irrelevant when the protocol itself gets drained through a code vulnerability.
Adoption
Pre-exploit, Granary had moderate adoption across its multi-chain deployments. Post-exploit, adoption collapsed. Users who lost funds left, and the trust damage makes recovery extremely unlikely. The GRAIN token's value crashed. Remaining TVL, if any, represents either trapped capital or users unaware of the exploit risk. For practical purposes, Granary Finance is dead as a viable protocol.
Tokenomics
GRAIN was the governance and incentive token. Post-exploit, GRAIN is essentially worthless. The token was distributed through liquidity mining and was used for governance voting. Whatever tokenomics design existed is irrelevant now — the token has no protocol to govern and no meaningful value to capture.
Risk Factors
- EXPLOITED: ~$5M drained via reentrancy attack on custom code
- Custom code risk: Modifications to proven Aave v2 code introduced the vulnerability
- Multi-chain amplification: Same vulnerable code deployed across multiple networks
- Reentrancy in 2023: One of the most basic, well-known vulnerabilities
- No meaningful recovery: Protocol is effectively dead post-exploit
- Fork risk exemplified: Demonstrates that forking safe code doesn't guarantee safety
Conclusion
Granary Finance is a textbook case study in DeFi fork risk. The lesson is clear: forking battle-tested code (Aave v2) does not make your protocol safe if your modifications introduce new vulnerabilities. The base Aave v2 lending code worked perfectly — it was Granary's custom reward mechanism that contained the reentrancy flaw. This ~$5 million exploit destroyed a multi-chain lending protocol and wiped out its token value. The 1.4 score reflects a protocol that was exploited, is effectively dead, and serves primarily as a cautionary tale for other DeFi forks. Every team that forks Aave, Compound, or Uniswap should study Granary's failure.