• A hacker was able to siphon off $3.6 million worth of cryptocurrency through a reentrancy attack on the dForce DeFi protocol.
• The attack exploited a vulnerability in a smart contract function used to calculate oracle prices when connected to Curve Finance.
• dForce has paused all contracts and reassured customers that their funds remain safe.
Overview
DeFi protocol dForce suffered a loss of over $3.6 million, which the hacker was able to siphon off thanks to a reentrancy attack executed on the Arbitrum and Optimism chains.
Details Of The Attack
The attack was due to a vulnerability in a smart contract function that allowed users to calculate oracle prices when connected to Curve Finance. Reentrancy attacks occur when a hacker is able to exploit a bug in a smart contract, allowing them to repeatedly withdraw funds, transferring them to an unauthorized contract. These attacks are known to occur on protocols that are linked to Curve Finance. Blockchain security firm PeckShield confirmed the attack and put the damages at around 2300 ETH, worth around $3.65 million.
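The repeated-withdrawal pattern described above, modelled in Python as an added example (not dForce or Curve code; the `Vault` class, account names and amounts are constructed for illustration). The unguarded path calls out to the recipient before clearing the balance, while the hardened path updates state first and holds a reentrancy lock.

```python
# Toy model of a vault that pays out through a callback (constructed example).
class Vault:
    def __init__(self, guarded):
        self.guarded = guarded      # True = hardened withdraw path
        self.balances = {}
        self.reserves = 0
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.guarded:
            if self._locked:        # reentrancy guard: refuse nested calls
                raise RuntimeError("reentrant call rejected")
            self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserves < amount:
                return
            if self.guarded:
                self.balances[who] = 0   # effects before interaction
            self.reserves -= amount
            on_receive(amount)           # external call hands control to the recipient
            self.balances[who] = 0       # unguarded path only clears the balance here
        finally:
            if self.guarded:
                self._locked = False


def simulate(guarded):
    """Return (amount paid to the re-entering caller, reserves left in the vault)."""
    vault = Vault(guarded)
    vault.deposit("honest", 90)     # constructed sample deposits
    vault.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        try:
            vault.withdraw("caller", on_receive)   # re-enter during the payout
        except RuntimeError:
            pass                                   # hardened vault rejects the nested call

    vault.withdraw("caller", on_receive)
    return sum(received), vault.reserves
```

In the unguarded run the caller's 10-unit balance is paid out repeatedly until the reserves are empty; in the hardened run it is paid once and the other depositor's funds stay in place.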
Reaction From dForce
dForce also confirmed the attack on its official Twitter handle, adding that it had paused all vaults to avoid additional damage. It has engaged security firm SlowMist_team and its ecosystem partners, including MakerDAO, Compound and Aave, for forensic analysis to determine how the attacker accessed user funds and to develop solutions that prevent similar incidents in the future. Additionally, it offered a bounty if the attacker returns all stolen funds to its custody within 48 hours from now (Feb 12).
Safety Of User Funds
dForce has reassured customers that their funds remain safe, stating that "users' funds supplied to dForce Lending, and other vaults are SAFE." Furthermore, it has suspended all services until further notice while it investigates the issue in more depth, and it is tokenizing assets held by lending pools as collateral against potential losses, so that users do not suffer any financial loss from this incident.
Conclusion
In conclusion, this case is yet another example of why users must be vigilant about using smart contracts and make sure they understand how those contracts work before engaging with them, so that they do not get caught up in events like this one, where millions can be lost in seconds and go unnoticed until it is too late.