DeFi protocol dForce suffered a loss of over $3.6 million, which the hacker was able to siphon off thanks to a reentrancy attack executed on the Arbitrum and Optimism chains.
The attack was due to a vulnerability in a smart contract function that allowed users to calculate oracle prices when connected to Curve Finance.
Over $3.6 Million Lost
A hacker was able to siphon off $3.6 million worth of cryptocurrency through a reentrancy attack on the dForce DeFi protocol. The hacker was able to target the protocol’s vault on Curve Finance, an automated market maker (AMM) platform operating on the Arbitrum and Optimism blockchains. The hack was brought to light by Twitter user @ZoomerAnon who tweeted that dForce had lost around $1.7 million through a series of flash loan transactions executed on the Optimism Chain. Blockchain security firm PeckShield confirmed the attack and put the damages at around 2300 ETH, worth around $3.65 million.
dForce also confirmed the attack on its official Twitter handle, adding that it had paused all vaults to avoid additional damage.
“On Feb 10, our wstETH/ETH Curve vaults on Arbitrum & Optimism were exploited, and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce’s wstETH/ETH-Curve vault. Users’ funds supplied to dForce Lending, and other vaults are SAFE.”
Details Of The Attack
According to the available details about the attack, the hacker was able to exploit a reentrancy vulnerability that was present in a smart contract function used by dForce to obtain oracle prices from Arbitrum and Optimism. Reentrancy attacks occur when a hacker is able to exploit a bug in a smart contract, allowing them to repeatedly withdraw funds, transferring them to an unauthorized contract. These attacks are known to occur on protocols that are linked to Curve Finance.
Blockchain security firm PeckShield explained that in the case of this attack, the hacker was able to manipulate the price of wrapped staked ETH in Curve’s vault (wstETHCRV-gauge) and liquidate several flash loan positions. So far, the funds are still sitting in the hacker’s account. dForce has paused all contracts to prevent additional losses to the protocol and stressed that customer funds remain safe. dForce also stated that the attacker had created a protocol debt of $2.3 million and added that it would offer the attacker a bounty if the funds were returned.
“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds were returned. Stay tuned for further updates.”
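The pattern described in this section, a price read that happens while a withdrawal is still in progress, can be shown with a small Python model. This is an added illustration, not code from dForce, Curve or PeckShield; the pool, the order of its state updates and all numbers are constructed assumptions.

```python
class ReentrancyError(Exception):
    pass

class Pool:
    """Toy liquidity pool (hypothetical): price per share = reserves / shares."""
    def __init__(self, reserves, shares, guarded):
        self.reserves, self.shares = reserves, shares
        self.guarded = guarded   # True: price reads honour the reentrancy lock
        self._locked = False

    def price(self):
        # Oracle-style read that a lending or vault contract would consume.
        if self.guarded and self._locked:
            raise ReentrancyError("price read while a withdrawal is in progress")
        return self.reserves / self.shares

    def withdraw(self, shares, on_receive):
        payout = shares * self.reserves / self.shares
        self._locked = True
        try:
            self.shares -= shares     # shares are burned first
            on_receive(payout)        # external call: state is only half updated
            self.reserves -= payout   # reserves are reduced after the call
        finally:
            self._locked = False
        return payout

def observe_price_during_withdraw(guarded):
    """Return the price seen before, during and after one withdrawal."""
    pool = Pool(reserves=1000.0, shares=1000.0, guarded=guarded)  # constructed values
    seen = {}

    def on_receive(_amount):
        # Stand-in for the receiver's callback reading the price mid-withdrawal.
        try:
            seen["mid"] = pool.price()
        except ReentrancyError:
            seen["mid"] = None        # guarded pool refuses the read

    seen["before"] = pool.price()
    pool.withdraw(500.0, on_receive)
    seen["after"] = pool.price()
    return seen

if __name__ == "__main__":
    print("unguarded:", observe_price_during_withdraw(False))
    print("guarded:  ", observe_price_during_withdraw(True))
```

In the unguarded run the price is correct before and after the withdrawal but doubled in between, which is the window a consumer of that price has to be protected from; the guarded run rejects the read instead of returning the inflated value.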
Is DeFi A Soft Target?
The latest attack on dForce occurred two years after the protocol lost $25 million in a major attack. However, the attacker returned nearly all of the stolen funds. While the most recent attack saw a significantly smaller amount stolen, it is the latest in a long line of attacks targeting the DeFi ecosystem, which is one of the fastest-growing ecosystems in crypto. According to a report published by TRM Labs, over $3.7 billion was lost due to crypto hacks in 2022, with over 80% of that number from DeFi exploits.
The spate of hacks and the tremendous losses reported have obviously attracted the attention of regulators, including the European Union. Regulators have pledged to work towards introducing new policy changes to help improve DeFi oversight by regulatory bodies.