Decentralized finance (DeFi) protocol dForce has suffered a reentrancy vulnerability attack leading to the loss of .6 million worth of crypto assets. The attacker targeted the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains. dForce Exploited for .65M The hack was first flagged by Twitter user @ZoomerAnon who announced that dForce had lost about .7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which rounded the total losses to 2,300 ETH tokens (.65 million). The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on
Topics:
Mandy Williams considers the following as important: AA News, Hacking
This could be interesting, too:
Wayne Jones writes dYdX CEO Declares 35% Workforce Reduction
Chayanika Deka writes Former FTX’s Head of Engineering Nishad Singh Dodges Prison
Mandy Williams writes Aave Sees 0M Weekly Increase in cbBTC Inflows, But There’s a Catch
Wayne Jones writes MrBeast Linked to Over 50 Crypto Wallets Allegedly Involved in Insider Trading: Report
Decentralized finance (DeFi) protocol dForce has suffered a reentrancy vulnerability attack leading to the loss of $3.6 million worth of crypto assets.
The attacker targeted the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains.
dForce Exploited for $3.65M
The hack was first flagged by Twitter user @ZoomerAnon who announced that dForce had lost about $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which rounded the total losses to 2,300 ETH tokens ($3.65 million).
The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.
A reentrancy attack occurs when a bad actor exploits a bug in a smart contract and repeatedly withdraws funds transferred to an unauthorized contract. Such attacks are publicly known to occur on protocols linked to Curve, while the AMM remains untouched.
PeckShield further explained that the perpetrator had manipulated the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge) and was able to liquidate several flash loan positions using the wstETHCRV-gauge as collateral.
The initial amount, 0.99ETH, was withdrawn from the DeFi system RAILGUN Project and transferred through Synapse Network to Arbitrum and Optimism. At press time, the funds were still sitting in the exploiter’s account.
dForce Offers Bounty to the Attacker
dForce confirmed that the attack, which was distinct to only its wstETH/ETH-Curve vault, had been contained, and all vaults paused. The protocol assured users that funds supplied to other vaults, including lending, were safe.
The platform also disclosed that the exploiter created a $2.3 million protocol debt after liquidating 1,031.42 and wstETH/ETH on Arbitrum and Optimum, respectively.
“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds were returned. Stay tuned for further updates,” dForce said.