Decentralized finance (DeFi) protocol dForce has suffered a reentrancy vulnerability attack leading to the loss of $3.6 million worth of crypto assets.
The attacker targeted the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains.
dForce Exploited for $3.65M
The hack was first flagged by Twitter user @ZoomerAnon who announced that dForce had lost about $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which rounded the total losses to 2,300 ETH tokens ($3.65 million).
The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.
A reentrancy attack occurs when a bad actor exploits a bug in a smart contract and repeatedly withdraws funds transferred to an unauthorized contract. Such attacks are publicly known to occur on protocols linked to Curve, while the AMM remains untouched.
PeckShield further explained that the perpetrator had manipulated the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge) and was able to liquidate several flash loan positions using the wstETHCRV-gauge as collateral.
The initial amount, 0.99ETH, was withdrawn from the DeFi system RAILGUN Project and transferred through Synapse Network to Arbitrum and Optimism. At press time, the funds were still sitting in the exploiter’s account.
dForce Offers Bounty to the Attacker
dForce confirmed that the attack, which was distinct to only its wstETH/ETH-Curve vault, had been contained, and all vaults paused. The protocol assured users that funds supplied to other vaults, including lending, were safe.
The platform also disclosed that the exploiter created a $2.3 million protocol debt after liquidating 1,031.42 and wstETH/ETH on Arbitrum and Optimum, respectively.
“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds were returned. Stay tuned for further updates,” dForce said.
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
Read More
Today, the world of decentralized finance (DeFi) was shook with news of a serious security breach in the dForce protocol.
dForce is a cryptocurrency-based platform designed to enable developers to mint loan-backed stablecoins and create yield-bearing debt pools. It raised $3.6M in a token presale led by major investors such as Metastable and Hashed Ventures prior to the launch of its mainnet in early April 2020.
Unfortunately, hackers exploited a reentrancy attack that allowed them to drain a large sum of funds from the protocol. As a result, dForce lost around $3.6M worth of assets. This is a significant sum to have been stolen, especially given its level of backing from renowned investors and the fact that it was only recently launched.
In response to this unfortunate event, dForce has released a statement apologizing to its customers and the community. They also state that they are actively looking into the matter and identifying the hackers involved, as well as attempting to make compensation for the stolen funds. It is reassuring that dForce is taking the matter seriously and attempting to rectify the situation, however the gravity of this hack cannot be underestimated.
The dForce hack is a serious security warning to the rest of the DeFi world, as it starkly shines a light on the vulnerabilities of DeFi protocols. At this current moment, DeFi protocols are still relatively new and as such issues such as this are to be expected. It is, therefore, imperative that these protocols ensure rigorous security measures and transparency to the public to ensure that their protocols can be deemed trust worthy.
The dForce hack should, therefore, act as a reminder to all DeFi players that security must take precedence and protocols need to have multiple levels of security and backup systems so that any future hacks like this can be avoided.
