LAB-12.67%
DeFi
DeFi Protocol DForce Loses $3.6M in Reentrancy Exploit
DForce loses $3.6 million in a reentrancy attack on Arbitrum and Optimism chains.
Editorial disclosureRead more
All reviews, research, news and assessments of any kind on The Tokenist are compiled using a strict editorial review process by our editorial team. Neither our writers nor our editors receive direct compensation of any kind to publish information on tokenist.com. Our company, Tokenist Media LLC, is community supported and may receive a small commission when you purchase products or services through links on our website. Click here for a full list of our partners and an in-depth explanation on how we get paid.
A hacker stole $3.6 million from a DeFi protocol DForce in a reentrancy attack targeting its Arbitrum and Optimism chains. DForce confirmed the attack on Twitter, saying it paused all vaults to avoid further damage.
DForce Pauses All Contracts to Prevent Further Damage
Decentralized finance (DeFi) protocol DForce was exploited for more than $3.6 million after following a reentrancy attack on a Curve vault on Arbitrum and Optimism chains, the DForce team said in a Twitter post on Friday. DForce said it paused all contracts to prevent additional losses, adding that customers’ funds supplied to dForce lending and other vaults were unharmed.
“On Feb 10, our wstETH/ETH Curve vaults on Arbitrum & Optimism were exploited and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce’s wstETH/ETH-Curve vault. Users’ funds supplied to dForce Lending and other vaults are SAFE.”
– DForce said in a tweet.
In its Twitter post, DForce explained that the exploit happened after the attacker took advantage of a reentrancy vulnerability of the Curve pool “to manipulate the price of wstETH/ETH, leading to the liquidation of 1,031.42 ETH & 30.31 ETH equivalent of wstETH/ETH Curve LP tokens on Arbitrum and Optimum respectively.” Further, the attack also created $2.3 million in protocol debt, DForce added.
The reentrancy vulnerability, which made the exploit possible, occurs when a hacker repeatedly calls a contract and steals its funds before it updates its internal state. This occurs when a contract calls another contract, and the latter contract can call back into the first contract before its first call has been completed.
Join our Telegram group and never miss a breaking digital asset story.
DeFi Remains Hackers’ Soft Target
The attack on DForce occurred two years after the protocol lost $25 million in a major exploit. However, the attacker returned almost all of the stolen funds, roughly $24 million.
Even though much less was stolen in today’s attack, it marks the latest in a series of hacks targeting DeFi, one of the fastest-growing crypto sectors. Late last year, TRM Labs published a research report showing that $3.7 billion was stolen in crypto hacks in 2022, with as much as 80% associated with the DeFi space.
As might be expected, these figures drew regulators’ attention, including the European Commission (EU), which pledged to introduce several new policy changes to improve DeFi oversight. Last month, hackers drained $3.4 million worth of GMX tokens from a DeFi user in a phishing attack.
What should global regulators do to improve overall DeFi security? Let us know in the comments below.
Tim Fries
Tim Fries is the cofounder of The Tokenist. He has a B. Sc. in Mechanical Engineering from the University of Michigan, and an MBA from the University of Chicago Booth School of Business. Tim served as a Senior Associate on the investment team at RW Baird's US Private Equity division, and is also the co-founder of Protective Technologies Capital, an investment firm specializing in sensing, protection and control solutions.
