The decentralized finance (DeFi) protocol dForce has suffered a reentrancy attack that caused the loss of crypto assets worth $3.6 million.
The attacker targeted the protocol's vault on the Curve Finance automated market maker (AMM) platform, which operates on the Arbitrum and Optimism blockchains.
dForce exploited for $3.65 million
The hack was first flagged by Twitter user @ZoomerAnon, who announced that dForce had lost around $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which put the total losses at around 2,300 ETH ($3.65 million).
The hacker exploited a reentrancy vulnerability in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.
A reentrancy attack occurs when a bad actor exploits a bug in a smart contract to withdraw funds repeatedly, transferring them to an unauthorized contract. Such attacks are publicly known to occur on protocols tied to Curve, while the AMM itself remains intact.
PeckShield further explained that the perpetrator had manipulated the price of the wrapped ETH in Curve’s vault (wstETHCRV indicator) and was able to liquidate several flash loan positions using the wstETHCRV indicator as collateral.
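A simplified Python model of how a price read made during a reentrant callback can be inflated, and how a lock check on the oracle side rejects that read. This is an added example, not dForce's or Curve's code; the price formula (ETH balance divided by LP token supply), the sample numbers and all names are assumptions.

```python
# Toy model (assumption): price of one LP token = pool ETH balance / LP supply.
# Class, method and function names are hypothetical, not from any real contract.

class Pool:
    def __init__(self, eth, lp_supply):
        self.eth = eth
        self.lp_supply = lp_supply
        self.locked = False  # reentrancy flag, set while state is mid-update

    def price(self):
        """ETH value of one LP token, read straight from pool state."""
        return self.eth / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        """Burn LP tokens and pay out ETH, calling back into the receiver."""
        payout = lp_amount * self.price()
        self.locked = True
        self.lp_supply -= lp_amount   # first half of the state update
        on_receive(payout)            # external call while state is inconsistent
        self.eth -= payout            # second half happens only after the call
        self.locked = False
        return payout


def naive_oracle(pool):
    """Vulnerable consumer: trusts price() whenever it is called."""
    return pool.price()


def guarded_oracle(pool):
    """Hardened consumer: refuses to price a pool that is mid-update."""
    if pool.locked:
        raise RuntimeError("pool is mid-update; price read rejected")
    return pool.price()


def price_seen_during_callback(oracle):
    """Report what `oracle` returns when queried from inside the payout callback."""
    pool = Pool(eth=1000.0, lp_supply=1000.0)  # constructed sample state, price 1.0
    seen = {}

    def on_receive(_payout):
        try:
            seen["price"] = oracle(pool)
        except RuntimeError as exc:
            seen["error"] = str(exc)

    pool.remove_liquidity(500.0, on_receive)
    seen["after"] = pool.price()  # price once the withdrawal has fully settled
    return seen
```

In this model the naive oracle reports double the settled price while the withdrawal is in flight, which is the kind of reading a lending protocol must not accept for collateral valuation.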
The initial funds, 0.99 ETH, were withdrawn from the RAILGUN Project DeFi system and transferred via the Synapse Network to Arbitrum and Optimism. At the time of publication, the funds were still in the exploiter’s account.
dForce offers reward to the attacker
dForce confirmed that the attack, which was specific to its wstETH/ETH-Curve vault, had been contained, and all vaults were halted. The protocol assured users that funds supplied to other vaults, including loans, were safe.
The platform also revealed that the operator created a protocol debt of 2.3 million dollars after settling 1,031.42 and wstETH/ETH in Arbitrum and Optimism, respectively.
“We have engaged with security company @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a reward to the exploiter if the funds are returned. Stay tuned for more updates,” dForce said.