Decentralized finance (DeFi) protocol dForce suffered a reentrancy attack that resulted in the loss of $3.6 million in crypto assets.
The attacker targeted the protocol's vault on the automated market maker (AMM) platform Curve Finance, which runs on the Arbitrum and Optimism blockchains.
dForce tapped for $3.65 million
The hack was first reported by Twitter user @ZoomerAnon, who announced that dForce had lost approximately $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which put the total losses at roughly 2,300 ETH tokens ($3.65 million).
The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.
A reentrancy attack occurs when a malicious actor exploits a bug in a smart contract to call back into it repeatedly, withdrawing funds that are transferred to an unauthorized contract. Such attacks are a publicly known issue for Curve-related protocols, while the AMM itself remains intact.
PeckShield further explained that the attacker manipulated the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge) and was able to liquidate multiple flash loan positions that used the wstETHCRV-gauge as collateral.
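The bug class described above can be shown with a simplified model: a price view that returns a skewed value when read from inside an external callback, next to a guarded view that refuses to answer while the pool is mid-update. This is an added example, not code from dForce, Curve or PeckShield; the `Pool` class, its numbers and the order of operations inside `remove_liquidity` are assumptions made for illustration.

```python
class ReentrantRead(Exception):
    """Raised when a price is requested while the pool is mid-update."""

class Pool:
    # Toy liquidity pool (constructed): LP token price = reserves / LP supply.
    def __init__(self, reserves, lp_supply):
        self.reserves = reserves
        self.lp_supply = lp_supply
        self.locked = False  # reentrancy lock, held during state changes

    def price_unsafe(self):
        # View with no lock check: can be read in the middle of a withdrawal.
        return self.reserves / self.lp_supply

    def price_guarded(self):
        # Hardened view: refuses to answer while a state change is in flight.
        if self.locked:
            raise ReentrantRead("pool is mid-update; price is not trustworthy")
        return self.reserves / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        # Assumed ordering: LP supply is reduced, funds are sent through an
        # external call, and only afterwards are the reserves reduced.
        self.locked = True
        try:
            payout = self.reserves * lp_amount / self.lp_supply
            self.lp_supply -= lp_amount
            on_receive(payout)   # external call: control leaves the pool
            self.reserves -= payout
        finally:
            self.locked = False
        return payout

def observe_during_withdrawal(read_price):
    # Returns (price before, price seen inside the callback, price after).
    pool = Pool(reserves=1000.0, lp_supply=1000.0)
    seen = {}

    def callback(_payout):
        try:
            seen["mid"] = read_price(pool)
        except ReentrantRead:
            seen["mid"] = None   # a consumer must treat this as "no price"

    before = read_price(pool)
    pool.remove_liquidity(500.0, callback)
    return before, seen["mid"], read_price(pool)
```

A lending protocol that values collateral from such a view should treat a refused read as a failed price lookup and revert, rather than fall back to the unguarded view.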
The initial funds, 0.99 ETH, were withdrawn from the DeFi project RAILGUN and transferred via Synapse Network to Arbitrum and Optimism. At press time, the funds were still in the exploiter’s account.
dForce offers a bounty to the attacker
dForce confirmed that the attack, which was specific only to its wstETH/ETH-Curve vault, had been contained and that all vaults had been paused. The protocol assured users that funds supplied to other vaults, including loans, were safe.
The platform also disclosed that the exploiter created $2.3 million in protocol debt after liquidating 1,031.42 and wstETH/ETH on Arbitrum and Optimism, respectively.
“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds are returned. Stay tuned for more updates,” dForce said.