Dough Finance Protocol: A Victim of a $1.96 Million Flash Loan Attack
On July 12, reports surfaced regarding suspicious activities within the Dough Finance protocol. Cyvers, a Web3 blockchain security platform, detected multiple transactions that raised red flags. Here’s what happened:
- The hacker exploited Dough Finance’s smart contract and managed to loot $1.8 million in USDC.
- Utilizing the zero-knowledge (ZK) protocol Railgun, the attacker converted the pilfered funds into Ethereum (ETH), obtaining 608 ETH initially.
Details on the Attack and Exploitation
Further investigation by Olympix, another Web3 security provider, revealed that the exploit stemmed from a flaw in the ConnectorDeleverageParaswap contract. The issue arose from the contract’s failure to verify the flash loan calldata, allowing the attacker to manipulate the data and transfer the funds to an Externally Owned Account (EOA).
- The unverified calldata opened the gateway for the exploiter to tamper with the contract’s information and divert the funds.
- Subsequently, another round of attacks targeted Dough Finance, resulting in an additional loss of $141,000 in USDC.
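The flaw described above, as an added illustration that is not Dough Finance's code: a hypothetical Aave-v3-style flash-loan receiver that acts on whatever calldata it is handed, beside a hardened version that authenticates the pool, the initiator and the decoded parameters before moving any funds. The IPool/IERC20 interfaces, the contract names and the owner-only entry point are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Aave-v3-style interfaces (assumed for illustration only).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
interface IPool {
    function flashLoanSimple(address receiver, address asset, uint256 amount,
                             bytes calldata params, uint16 referralCode) external;
}

// Weak pattern: the callback trusts its caller and its calldata.
contract UnsafeDeleverageConnector {
    function executeOperation(address asset, uint256 amount, uint256 premium,
                              address /*initiator*/, bytes calldata params)
        external returns (bool)
    {
        // No check that msg.sender is the pool or that this contract started the
        // loan, so the recipient is taken straight from untrusted params.
        (address recipient) = abi.decode(params, (address));
        IERC20(asset).transfer(recipient, amount);
        IERC20(asset).approve(msg.sender, amount + premium);
        return true;
    }
}

// Hardened form: verify who is calling, who initiated, and what the params say.
contract SafeDeleverageConnector {
    IPool public immutable POOL;       // the only contract allowed to call back
    address public immutable owner;    // the only legitimate beneficiary
    constructor(IPool pool) { POOL = pool; owner = msg.sender; }

    function startDeleverage(address asset, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        // Params are built here by the contract, never supplied by an external caller.
        POOL.flashLoanSimple(address(this), asset, amount, abi.encode(owner), 0);
    }

    function executeOperation(address asset, uint256 amount, uint256 premium,
                              address initiator, bytes calldata params)
        external returns (bool)
    {
        require(msg.sender == address(POOL), "caller is not the pool");
        require(initiator == address(this), "loan not started by this contract");
        (address recipient) = abi.decode(params, (address));
        require(recipient == owner, "unexpected recipient");  // re-check decoded calldata
        IERC20(asset).transfer(recipient, amount);
        IERC20(asset).approve(address(POOL), amount + premium); // repay loan plus fee
        return true;
    }
}
```

The three `require` checks in the hardened callback are the controls whose absence the page attributes to the exploited contract; a reviewer would look for all three in any flash-loan receiver.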
Implication and Response
With the cumulative sum of the theft reaching $1.96 million, Dough Finance took immediate action to mitigate the aftermath:
- Although the incident exposed vulnerabilities within the protocol, lending platform Aave’s pools remained unscathed.
- The DeFi community expressed concerns over scammers targeting vulnerable projects on the decentralized finance landscape.
Scammers on the Prowl: A Rising Concern in DeFi
Following the breach, Dough Finance acknowledged the attack and urged its users to withdraw any remaining funds from the protocol. The immediate response led to:
- Identifying and closing the loophole that allowed unauthorized access to the funds.
- Assurance from the protocol’s team of ongoing efforts to rectify the situation, recover the stolen funds, and ensure stakeholders’ protection.
Engagement with the Attacker and Mitigation Strategy
Reports emerged of Dough Finance reaching out to the exploiter, offering a potential resolution through collaboration and an ultimatum:
- The team sought direct engagement with the attacker, presenting an opportunity for an amicable resolution.
- A deadline was set for the exploiter to respond before the matter was escalated through legal channels.
Industry Vulnerability to Scams
The DeFi sector faces ongoing threats from scammers, evident through recent attacks on various projects like Compound Finance:
- Phishing attempts and DNS domain attacks have jeopardized the integrity of DeFi projects, exposing users to financial risks.
- Advisories cautioning users to refrain from interacting with suspicious websites have become commonplace, aiming to protect investors from potential losses.
Hot Take: Upholding Integrity Amidst DeFi Vulnerability
Another DeFi protocol fell victim to an exploit on Friday morning. Dough Finance, an open-source protocol to create non-custodial liquidity markets, suffered a flash loan attack that took nearly $2 million in user funds. The project’s team announced they are working to resolve the situation promptly.