DeFi Protocol DForce Loses $3.6M in Reentrancy Exploit

A hacker stole $3.6 million from a DeFi protocol DForce in a reentrancy attack targeting its Arbitrum and Optimism chains. DForce confirmed the attack on Twitter, saying it paused all vaults to avoid further damage.

DForce Pauses All Contracts to Prevent Further Damage

Decentralized finance (DeFi) protocol DForce was exploited for more than $3.6 million after following a reentrancy attack on a Curve vault on Arbitrum and Optimism chains, the DForce team said in a Twitter post on Friday. DForce said it paused all contracts to prevent additional losses, adding that customers’ funds supplied to dForce lending and other vaults were unharmed.

“On Feb 10, our wstETH/ETH Curve vaults on Arbitrum & Optimism were exploited and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce’s wstETH/ETH-Curve vault. Users’ funds supplied to dForce Lending and other vaults are SAFE.”

– DForce said in a tweet.

In its Twitter post, DForce explained that the exploit happened after the attacker took advantage of a reentrancy vulnerability of the Curve pool “to manipulate the price of wstETH/ETH, leading to the liquidation of 1,031.42 ETH & 30.31 ETH equivalent of wstETH/ETH Curve LP tokens on Arbitrum and Optimum respectively.” Further, the attack also created $2.3 million in protocol debt, DForce added.

The reentrancy vulnerability, which made the exploit possible, occurs when a hacker repeatedly calls a contract and steals its funds before it updates its internal state. This occurs when a contract calls another contract, and the latter contract can call back into the first contract before its first call has been completed.

Join our Telegram group and never miss a breaking digital asset story.

DeFi Remains Hackers’ Soft Target

The attack on DForce occurred two years after the protocol lost $25 million in a major exploit. However, the attacker returned almost all of the stolen funds, roughly $24 million.

Even though much less was stolen in today’s attack, it marks the latest in a series of hacks targeting DeFi, one of the fastest-growing crypto sectors. Late last year, TRM Labs published a research report showing that $3.7 billion was stolen in crypto hacks in 2022, with as much as 80% associated with the DeFi space.

As might be expected, these figures drew regulators’ attention, including the European Commission (EU), which pledged to introduce several new policy changes to improve DeFi oversight. Last month, hackers drained $3.4 million worth of GMX tokens from a DeFi user in a phishing attack.

What should global regulators do to improve overall DeFi security? Let us know in the comments below.