Decentralized finance (DeFi) protocol Dough Finance lost $1.8 million in digital assets following a flash loan attack.

On July 12, Web3 security firm Cyvers flagged multiple suspicious transactions, collaborating with lending protocol Aave to check for potential impacts on its pools. Cyvers confirmed that Aave’s pools were not affected.

However, Dough Finance bore the brunt of the attack. Cyvers reported that the attacker funded the operation through the zero-knowledge (ZK) protocol Railgun and swapped the stolen USD Coin for Ether.

The total amount stolen was 608 ETH, equivalent to approximately $1.8 million.

Olympix, another Web3 security provider, explained that the exploit resulted from unvalidated calldata within the “ConnectorDeleverageParaswap” contract.

The firm elaborated:

“The contract didn’t properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”

This vulnerability allowed the attacker to manipulate data and steal the funds.

Olympix warned that depositors in the exploited contract could be affected but reassured users that Aave pools remained secure.


They advised Dough Finance users to withdraw their funds to secure wallets and to stay alert for updates from the Dough Finance team, avoiding interaction with the protocol until the issue is resolved.

Although Dough Finance’s losses were close to $2 million, the broader crypto space has faced over $1 billion in digital asset losses from various incidents.

On July 3, blockchain security firm CertiK published a report revealing that onchain incidents had already caused $1.19 billion in losses in the first half of 2024.

Phishing attacks and private key compromises were the primary culprits, with phishing attacks alone accounting for nearly $500 million and private key compromises for almost $409 million.

CertiK co-founder Ronghui Gu emphasized the need for enhanced security measures, including multifactor authentication methods such as two-factor authentication (2FA) and security keys, to protect against such substantial losses.
