Decentralized finance (DeFi) protocol dForce has suffered a reentrancy vulnerability attack leading to the loss of $3.6 million worth of crypto assets.

The attacker targeted the protocol’s vault on the automated market maker (AMM) platform Curve Finance, which operates on the Arbitrum and Optimism blockchains.

dForce Exploited for $3.65M 

The hack was first flagged by Twitter user @ZoomerAnon who announced that dForce had lost about $1.7 million in a series of flash loan transactions on the Optimism chain. The attack was later confirmed by blockchain security firm PeckShield, which rounded the total losses to 2,300 ETH tokens ($3.65 million).

The hacker exploited a reentrancy vulnerability present in a smart contract function that dForce uses to obtain oracle prices on Arbitrum and Optimism when connected to Curve.

A reentrancy attack occurs when a bad actor exploits a bug in a smart contract and repeatedly withdraws funds transferred to an unauthorized contract. Such attacks are publicly known to occur on protocols linked to Curve, while the AMM remains untouched.

PeckShield further explained that the perpetrator had manipulated the price of wrapped staked ETH in the Curve vault (wstETHCRV-gauge) and was able to liquidate several flash loan positions using the wstETHCRV-gauge as collateral.

The initial amount, 0.99ETH, was withdrawn from the DeFi system RAILGUN Project and transferred through Synapse Network to Arbitrum and Optimism. At press time, the funds were still sitting in the exploiter’s account.

dForce Offers Bounty to the Attacker

dForce confirmed that the attack, which was distinct to only its wstETH/ETH-Curve vault, had been contained, and all vaults paused. The protocol assured users that funds supplied to other vaults, including lending, were safe.

The platform also disclosed that the exploiter created a $2.3 million protocol debt after liquidating 1,031.42 and wstETH/ETH on Arbitrum and Optimum, respectively.

“We have engaged with security firm @SlowMist_team and our ecosystem partners to further investigate the matter and would like to offer a bounty to the exploiter if the funds were returned. Stay tuned for further updates,” dForce said.