Decentralized finance (DeFi) protocol dForce has suffered a reentrancy vulnerability attack leading to the loss of $3.6 million worth of crypto assets.
The attacker targeted the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains.
The hack was first flagged by Twitter user @ZoomerAnon who announced that dForce had lost about $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which rounded the total losses to 2,300 ETH tokens ($3.65 million).
The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.
A reentrancy attack occurs when a bad actor exploits a bug in a smart contract and repeatedly withdraws funds transferred to an unauthorized contract. Such attacks are publicly known to occur on protocols linked to Curve, while the AMM remains untouched.
PeckShield further explained that the perpetrator had manipulated the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge) and was able to liquidate several flash loan positions using the wstETHCRV-gauge as collateral.
The initial amount, 0.99ETH, was withdrawn from the DeFi system RAILGUN Project and transferred through Synapse Network to Arbitrum and Optimism. At press time, the funds were still sitting in the exploiter’s account.
dForce confirmed that the attack, which was distinct to only its wstETH/ETH-Curve vault, had been contained, and all vaults paused. The protocol assured users that funds supplied to other vaults, including lending, were safe.
The platform also disclosed that the exploiter created a $2.3 million protocol debt after liquidating 1,031.42 and wstETH/ETH on Arbitrum and Optimum, respectively.
“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds were returned. Stay tuned for further updates,” dForce said.
The post DeFi Protocol dForce Loses $3.6M in Reentrancy Attack appeared first on CryptoPotato.
Blog powered by G6
Disclaimer! A guest author has made this post. G6 has not checked the post. its content and attachments and under no circumstances will G6 be held responsible or liable in any way for any claims, damages, losses, expenses, costs or liabilities whatsoever (including, without limitation, any direct or indirect damages for loss of profits, business interruption or loss of information) resulting or arising directly or indirectly from your use of or inability to use this website or any websites linked to it, or from your reliance on the information and material on this website, even if the G6 has been advised of the possibility of such damages in advance.
For any inquiries, please contact [email protected]