• dForce suffered a loss of over $3.6 million due to a reentrancy attack executed on the Arbitrum and Optimism chains.
• The attack was due to a vulnerability in a smart contract function that allowed users to calculate oracle prices when connected to Curve Finance.
• DeForce has paused all contracts to prevent additional losses and stressed that customer funds remain safe.
Reentrancy Attack Suffers dForce Loss of Over $3.6 Million
A hacker was able to siphon off $3.6 million worth of cryptocurrency through a reentrancy attack on the dForce DeFi protocol, which targeted the protocols vault on Curve Finance – an automated market maker (AMM) platform operating on the Arbitrum and Optimism blockchains.
Vulnerability In Smart Contract Function
The hack was brought to light by Twitter user @ZoomerAnon who tweeted that dForce had lost around $1.7 million through a series of flash loan transactions executed on the Optimism Chain. Blockchain security firm PeckShield confirmed the attack and put the damages at around 2300 ETH, worth around $3.65 million. It was determined that the hacker was able to exploit a reentrancy vulnerability present in a smart contract function used by dForce to obtain oracle prices from Arbitrum and Optimism chains, allowing them to repeatedly withdraw funds, transferring them to an unauthorized contract.
dForce’s Response
DeForce also confirmed the attack on its official Twitter handle, adding that it had paused all vaults in order to avoid additional damage: „On Feb 10, our wstETH/ETH Curve vaults on Arbitrum & Optimism were exploited, and we immediately paused all vaults.“ They also added that users‘ funds supplied for their lending services were still safe from harm.
Protocol Debt Created By Hacker
The hacker had created a protocol debt of $2.3 million according to DeForce’s response tweet and they offered up a bounty if the funds were returned successfully as well as promising further updates alongside more details soon after they conducted their own internal investigations into what happened exactly during this incident: „We have engaged with security firm @SlowMist_team and our ecosystem partners for investigation.“
Conclusion
In conclusion, DeForce has responded swiftly following this incident, pausing all vaults in order to prevent any additional losses while assuring customers that their funds are still secure with them despite this unfortunate event happening despite their best efforts at preventing such scenarios from occurring in the first place given how volatile cryptocurrency markets can be at times when it comes down trading digital assets online nowadays these days across decentralized finance platforms like DeFi .