Hacker Steals $3.6M in dForce Attack, DeFi Protocol Pauses Vaults

13 February 2023, by admin

• dForce suffered a loss of over $3.6 million due to a reentrancy attack executed on the Arbitrum and Optimism chains.
• The attack was due to a vulnerability in a smart contract function that allowed users to calculate oracle prices when connected to Curve Finance.
• dForce has paused all contracts to prevent additional losses and stated that customer funds remain safe.

Hacker Attack on dForce Protocol Results in Loss of Over $3.6 Million

Vulnerability Exploited on Arbitrum and Optimism Chains

A hacker was able to siphon off $3.6 million worth of cryptocurrency through a reentrancy attack on the dForce DeFi protocol, targeting its vault on Curve Finance, an automated market maker (AMM) platform operating on the Arbitrum and Optimism blockchains. The hack was brought to light by Twitter user @ZoomerAnon, who tweeted that dForce had lost around $1.7 million through a series of flash loan transactions executed on the Optimism chain. Blockchain security firm PeckShield confirmed the attack and put the damages at around 2300 ETH, worth around $3.65 million.

Exploit Involved Manipulation Of Prices On Curve Vault

According to the available details about the attack, the hacker was able to exploit a reentrancy vulnerability that was present in a smart contract function used by dForce to obtain oracle prices from Arbitrum and Optimism. Reentrancy attacks occur when a hacker is able to exploit a bug in a smart contract, allowing them to repeatedly withdraw funds, transferring them to an unauthorized contract. These attacks are known to occur on protocols that are linked to Curve Finance. In this case, the hacker manipulated prices of wrapped staked ETH in Curve’s vault (wstETHCRV-gauge) and liquidated several flash loan positions before transferring them out of dForce’s vault into their own account – where they still remain today.
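The following is an added illustration, not code from dForce or Curve: a simplified Python model of why a price read taken while a pool is in the middle of a state change cannot be trusted, and how a lock check on the read path lets the consumer refuse it. All class and function names are hypothetical and the numbers are constructed.

```python
class ReentrancyError(Exception):
    """Raised when a price is requested while the pool is mid-operation."""


class ToyPool:
    """Hypothetical pool; price per share = reserves / shares."""

    def __init__(self, reserves, shares):
        self.reserves = reserves
        self.shares = shares
        self.locked = False

    def price(self):
        # Unchecked view: answers even while a state update is half done.
        return self.reserves / self.shares

    def checked_price(self):
        # Hardened view: refuses to answer while the pool holds its lock.
        if self.locked:
            raise ReentrancyError("pool is mid-operation")
        return self.price()

    def withdraw(self, shares, on_receive):
        self.locked = True
        payout = shares * self.reserves / self.shares
        self.shares -= shares      # first half of the state update
        on_receive(payout)         # external call: control leaves the pool
        self.reserves -= payout    # second half only happens afterwards
        self.locked = False
        return payout


def observe(checked):
    """Record the price a consumer would see before, during and after a withdrawal."""
    pool = ToyPool(reserves=1000.0, shares=1000.0)  # constructed sample state
    read = pool.checked_price if checked else pool.price
    seen = {"before": read()}

    def callback(_payout):
        try:
            seen["during"] = read()
        except ReentrancyError:
            seen["during"] = None  # a consumer contract would revert here

    pool.withdraw(500.0, callback)
    seen["after"] = read()
    return seen
```

With the unchecked read, the value seen inside the callback is double the price before and after the withdrawal; with the checked read, the consumer gets no price at all during that window.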

dForce Pauses All Contracts To Prevent Additional Losses

dForce has paused all contracts and emphasized that customer funds remain safe despite the incident, as they were not targeted by the attack. The protocol did, however, incur $2.3 million of debt as a result, which it plans to cover using its insurance fund. dForce also said that it will offer an appropriate bounty to anyone who returns the stolen funds.

Conclusion

This is yet another example of how important security is for decentralized finance protocols, especially those involved with flash loans, which can be easily exploited without prior knowledge or expertise, as we saw in this instance involving wstETH/ETH-Curve vaults operating on the Arbitrum and Optimism chains. As always, it is best practice for everyone involved with such protocols, end users and developers alike, to stay vigilant and keep up with potential loopholes and vulnerabilities so that incidents of this kind don't happen again.