DeFi Protocol dForce suffers $3.6 million exploit

Key Takeaways:

• dForce’s wstETH/ETH Curve vaults on Arbitrum and Optimism were manipulated, and the protocol instantaneously suspended all vaults.

• The flaw has been discovered, and only dForce’s wstETH/ETH-Curve vault was targeted by the exploit.

An attack on dForce, an Integrated Platform for DeFi Protocols, resulted in a loss of almost $3.65 million. The automated market maker (AMM) platform Curve Finance, which uses the Arbitrum and Optimism blockchains, was the target of the hack.

In a series of flash lending transactions on the Optimism network, dForce lost around $1.7 million, according to tweeter @ZoomerAnon, who initially reported the theft. Later, blockchain security company PeckShield confirmed the hack, rounding up the losses to 2,300 ETH tokens ($3.65 million).

Looks like $1.7m+ @dForcenet flash loan exploit… Anyone else see this? No info in Discord or elsewherehttps://t.co/TWB084nFFS pic.twitter.com/Aq7VDpHOBe

— Zoomer (@ZoomerAnon) February 10, 2023

1/ @dForcenet was exploited in a flurry of txs on Arbitrum & Optimism (one hack tx: https://t.co/htCZcVXvYJ), leading to the total gain of ~$3.65m for the exploiter. https://t.co/PEzoX1emdp

— PeckShield Inc. (@peckshield) February 10, 2023

The protocol also informed users of the hack and provided information regarding the suspension of any vaults that had been targeted.

To further explore the situation, dForce has contacted the security company @SlowMist team and its ecosystem partners. If the funds were recovered, dForce would like to provide a bounty to the exploiter.

The hack has been recognized as a “The Reentrancy attack” and is the most damaging assault on the Solidity smart contract

The reentrancy attack happens when an evildoer takes advantage of a flaw in a smart contract to withdraw money that was sent to an unapproved contract repeatedly. In this instance, the attacker was able to liquidate numerous flash loan positions by using the wstETHCRV-gauge as collateral by manipulating the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge).

According to reports, the hackers were able to take a total of 1,236.65 ETH, 719,437 USX, and 1,037,492 USDC from dForce users on the Arbitrum and Optimism platforms.

The dForce vaults were immediately suspended after they discovered the problems a few hours earlier in order to contain the problem. They did point out that many other components of the protocol are still in use and that the money is being handled securely in dForce Lending. However, at the time of this post, dForce had not covered all the specifics of the attack.

DeFi protocols have not had a good start this year as many continue to grapple with privacy-related vulnerabilities. Everlend Finance, a protocol based in Solana, was recently discontinued, and users have been advised to remove their assets.