Key Points:
The Arbitrum and Optimism chains were the targets of a reentrancy attack that cost the DForce DeFi protocol $3.6 million.
When connected to Curve Finance, a smart contract function used to determine oracle pricing had a weakness that led to the attack.
An apparent reentrancy attack on a Curve vault that the decentralized finance (DeFi) protocol dForce ran on the Arbitrum and Optimism blockchains resulted in the theft of more than $3.6 million.
In a recent tweet, the DeFi initiative acknowledged the situation and added that it had halted its contracts to limit additional harm.
On Feb 10, our wstETH/ETH Curve vaults on Arbitrum & Optimism were exploited and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce's wstETH/ETH-Curve vault. Users' funds supplied to dForce Lending and other vaults are SAFE.
— dForce (@dForcenet) February 10, 2023
A reentrancy vulnerability, which can happen when an attacker repeatedly calls a smart contract function and pulls assets from it before the contract updates its internal state, appears to have made the attack possible. This may occur if the smart contract code contains a defect or if adequate security measures are not taken.
Following the thread, dForce stated that the price of wstETH/ETH was manipulated by the exploiter using a Curve pool reentrancy flaw, which resulted in the liquidation of 1,031.42 ETH and 30.31 ETH equivalent of wstETH/ETH Curve LP tokens on Arbitrum and Optimum, respectively. It also produced $2.3 million in protocol debt.
The hack caused around $3.6 million in total damages, according to BlockSec and PeckShield, two top crypto security companies.
The estimated loss of today's @dForcenet hack is ~$3.65M (w/ 1,236.65 ETH + 719,437 USX on @arbitrum and 1,037,492 USDC on @optimismFND). Our initial analysis shows the root cause is an oracle price issue. More details to come! https://t.co/PEzoX1emdp pic.twitter.com/tI9BPcfvWH
— PeckShield Inc. (@peckshield) February 10, 2023
When connected to Curve Finance, dForce employed a smart contract function that had the reentrancy bug to determine oracle prices on the Arbitrum and Optimism chains.
When linked to Curve, any protocol can call the particular function, known as “get_virtual_price,” which provides an approximated oracle price. It is used to figure out how much the liquidity pool token will cost.
According to The Block, Matthew Jiang, director of security services at BlockSec, said that any protocol using the “get_virtual_price” function to calculate the price oracle is vulnerable, including dForce.
Projects need to be more cautious and take additional steps while estimating oracle prices, as they can be manipulated by malicious actors to carry out reentrancy attacks.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your research before investing.
Join us to keep track of news: https://linktr.ee/coincu
Thana
Coincu News