Hacker Steals $3.6M in Attack on DeFi Protocol dForce
February 13, 2023
• dForce DeFi protocol suffered a loss of over $3.6 million due to a reentrancy attack executed on the Arbitrum and Optimism chains.
• The attack exploited a vulnerability in a smart contract function connected to Curve Finance that allowed users to calculate oracle prices.
• dForce has paused all contracts to prevent additional losses and has engaged with security firm SlowMist for investigation.
dForce Suffers $3.6 Million Loss In Reentrancy Attack
DeFi protocol dForce recently suffered a devastating loss of over $3.6 million, which the hacker siphoned off through an exploit in one of its smart contract functions on the Arbitrum and Optimism blockchains.
Exploit On Smart Contract Function
The attack was discovered by Twitter user @ZoomerAnon, who tweeted that around $1.7 million had been lost through flash loan transactions executed on the Optimism chain. Blockchain security firm PeckShield confirmed the attack, claiming that 2300 ETH worth around $3.65 million had been stolen from the protocol’s vault operating on Curve Finance, an automated market maker (AMM) platform.
Vulnerability Identified And Paused Contracts
dForce immediately identified the vulnerability and paused all vaults to avoid additional damage, confirming the news on its official Twitter handle: “The vulnerability is identified, and the exploit was specific to dForce’s wstETH/ETH-Curve vault”. The team further assured users that funds supplied for lending were safe, since these were not affected by the incident.
Details Of The Attack
Investigations have revealed that this reentrancy attack was enabled by a bug in a smart contract function that dForce used when connected to Curve Finance, which allowed hackers to repeatedly withdraw funds and transfer them out of an unauthorized contract. According to reports released by blockchain security firm PeckShield, the attacker manipulated the price of wrapped staked ETH within Curve’s vault (wstETHCRV-gauge) before liquidating several flash loan positions with it, leaving behind an account in which all funds are so far still intact.
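The reentrancy pattern described above can be shown with a generic model. This is an added example, not dForce's or Curve's code and not from the original article; the `Pool` class, its method names and the figures are constructed, and it assumes a price computed from pool state that a withdrawal updates in two steps around an external call.

```python
class ReentrancyError(Exception):
    """Raised when the price is read while a state change is in progress."""


class Pool:
    """Toy liquidity pool (hypothetical model, constructed for illustration)."""

    def __init__(self, reserves, shares, guarded):
        self.reserves = reserves
        self.shares = shares
        self.guarded = guarded   # True: price reads honour the lock
        self.locked = False

    def share_price(self):
        # The value an oracle would consume: reserves backing each share.
        if self.guarded and self.locked:
            raise ReentrancyError("price read during a state change")
        return self.reserves / self.shares

    def withdraw(self, burn, on_receive):
        self.locked = True
        try:
            payout = self.reserves * burn / self.shares
            self.shares -= burn       # share supply is reduced first
            on_receive(payout)        # external call: the receiver's code runs here
            self.reserves -= payout   # reserves are reduced only afterwards
        finally:
            self.locked = False
        return payout


def observe(guarded):
    """Record the price before, during and after one withdrawal."""
    pool = Pool(reserves=1000.0, shares=1000.0, guarded=guarded)
    seen = {"before": pool.share_price()}

    def callback(_payout):
        # Stands in for any contract that reads the price from inside the callback.
        try:
            seen["during"] = pool.share_price()
        except ReentrancyError:
            seen["during"] = None     # the guarded pool refuses the mid-update read

    pool.withdraw(500.0, callback)
    seen["after"] = pool.share_price()
    return seen


if __name__ == "__main__":
    print("unguarded:", observe(guarded=False))
    print("guarded:  ", observe(guarded=True))
```

In the unguarded run the price doubles only while the callback executes, so any consumer that trusts a price read at that moment values the shares at twice their backing; the guarded run rejects the read instead.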
Protocol Debt & Bounty Offered To Hacker
In response, dForce created a protocol debt of approximately $2.3 million as compensation for victims, while also offering attackers a bounty if they return all stolen funds. That has not happened yet, since investigations are still underway, led by blockchain security firm SlowMist, which was contacted for assistance shortly after the hack was discovered.