dForce DeFi Protocol Loses $3.65 Million in Reentrancy Attack
Summary #
On February 9, 2023, dForce, a DeFi protocol, fell victim to a reentrancy attack. The attacker exploited a known vulnerability in the smart contract, resulting in a loss of approximately $3.6 million.
Attackers #
The identity of the attacker is unknown. The attackers utilized the following addresses:
Arbitrum:
Optimism:
Losses #
~$3.65 million total
Arbitrum:
- 1,236.65 ETH (~1,893,000 USD)
- 719,437 USX
Optimism:
- 1,037,492 USDC
Timeline #
- February 09, 2023, 11:10:22 PM +UTC The hacker exploited a reentrancy vulnerability.
- February 10, 2023, 04:31 AM +UTC The dForsce team announced the hack.
- February 13, 2023, 03:00:27 AM +UTC Exploiter returned funds on Arbitrum.
- February 13, 2023, 03:00:27 AM +UTC Exploiter returned funds on Optimism.
Security Failure Causes #
Several reasons according to Neptune Mutual report:
- Team’s Negligence: The attack was made possible by a known reentrancy vulnerability that was not addressed during the audit conducted by dForce.
- Reliance on External Functions: The reentrancy attack exploited the dependence on external view functions, which reported incorrect state values when reentered.
- Absence of Reentrancy Locks: The absence of reentrancy locks in the smart contract facilitated the attack. These locks could prevent multiple invocations of a contract function within the same call chain.