DeFi Protocol dForce Suffers Reentrancy Vulnerability Attack
In a shocking turn of events, decentralized finance (DeFi) protocol dForce has fallen victim to a reentrancy vulnerability attack that resulted in the loss of crypto assets worth $3.6 million.
Attack Targeted dForce’s Vault on Curve Finance
The attack was aimed at the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains. The breach was first brought to light by Twitter user @ZoomerAnon, who announced that dForce had lost approximately $1.7 million in a series of flash loan transactions on the Optimism chain. This was later confirmed by blockchain security firm PeckShield, which estimated the total losses to be 2,300 ETH tokens, valued at $3.65 million.
Reentrancy Attack Explained
A reentrancy attack occurs when a malicious actor exploits a bug in a smart contract and repeatedly withdraws funds transferred to an unauthorized contract. In this case, the attacker manipulated the price of wrapped staked ETH in the Curve vault and liquidated several flash loan positions using the wstETHCRV-gauge as collateral. The initial amount, 0.99 ETH, was withdrawn from the DeFi system RAILGUN Project and transferred through Synapse Network to Arbitrum and Optimism. At the time of writing, the funds were still in the attacker’s account.
dForce Takes Action
dForce has confirmed that the attack, which was confined to only its wstETH/ETH-Curve vault, has been contained and all vaults have been paused. The protocol has assured users that funds supplied to other vaults, including lending, are safe. The platform also revealed that the attacker created a $2.3 million protocol debt after liquidating 1,031.42 wstETH/ETH on Arbitrum and Optimum, respectively.
dForce Offers Bounty to the Attacker
In a surprising move, dForce has offered a bounty to the attacker. The details of the bounty have not been disclosed to the public.