• dForce suffered a loss of over $3.6 million due to a reentrancy attack executed on the Arbitrum and Optimism chains.
• The attack was due to a vulnerability in a smart contract function connected to Curve Finance.
• dForce has paused all contracts, stressed that customer funds remain safe, and offered the attacker a bounty if the funds were returned.

Overview of Attack on dForce

DeFi protocol dForce suffered a loss of over $3.6 million, which the hacker was able to siphon off thanks to an exploit on the Arbitrum and Optimism blockchains.

Vulnerability Exploited

The attack was due to a vulnerability in a smart contract function connected to Curve Finance that allowed users to calculate oracle prices when connected to Curve Finance. The hack was brought to light by Twitter user @ZoomerAnon who tweeted that dForce had lost around $1.7 million through flash loan transactions executed on the Optimism Chain. Blockchain security firm PeckShield confirmed the attack and put the damages at around 2300 ETH, worth around $3.65 million.

Action Taken by dForce

DeForce also confirmed the attack on its official Twitter handle, adding that it had paused all vaults to avoid additional damage. So far, the funds are still sitting in the hacker’s account and DeForce has paused all contracts to prevent additional losses as well as stressing that customer funds remain safe. DeForce also stated that they would offer up a bounty if the stolen funds were returned.

Details Of The Attack

According to available details about the attack, hackers were able exploit reentrancy vulnerability present in a smart contract function used by dForce for obtaining oracle prices from Arbitrum and Optimism blockchains using flash loans from Curve’s vault (wstETHCRV-gauge). Reentrancy attacks occur when hackers are able manipulate bugs in smart contracts allowing them repeatedly withdraw funds transferring them into unauthorized contracts .

Conclusion

In conclusion, blockchain security firm PeckShield confirmed that an attacker had siphoned off $3.6 Million worth of cryptocurrency through exploitation of vulnerabilities present within smart contract functions linked with Curve finance on Arbitrum & Optimism chain resulting in Dforce confirming via their twitter handle & offering up bounty if stolen funds are returned while pausing all vaults & stressing customer’s fund remain safe