dForce DeFi Protocol Loses $3.65 Million in Reentrancy Attack

Summary

On February 9, 2023, dForce, a DeFi protocol, fell victim to a reentrancy attack. The attacker exploited a known vulnerability in the smart contract, resulting in a loss of approximately $3.6 million.

Attackers

The identity of the attacker is unknown. The attackers utilized the following addresses:

Arbitrum:

Optimism:

Losses

~$3.65 million total

Arbitrum:

  • 1,236.65 ETH (~1,893,000 USD)
  • 719,437 USX

Optimism:

  • 1,037,492 USDC


Timeline

  • February 09, 2023, 11:10:22 PM UTC: The hacker exploited a reentrancy vulnerability.
  • February 10, 2023, 04:31 AM UTC: The dForce team announced the hack.
  • February 13, 2023, 03:00:27 AM UTC: Exploiter returned funds on Arbitrum.
  • February 13, 2023, 03:00:27 AM UTC: Exploiter returned funds on Optimism.

Security Failure Causes

According to the Neptune Mutual report, several factors contributed:

  • Team’s Negligence: The attack was made possible by a known reentrancy vulnerability that was not addressed during the audit conducted by dForce.
  • Reliance on External Functions: The reentrancy attack exploited the dependence on external view functions, which reported incorrect state values when reentered.
  • Absence of Reentrancy Locks: The absence of reentrancy locks in the smart contract facilitated the attack. These locks could prevent multiple invocations of a contract function within the same call chain.
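
The last two causes can be seen together in a small Python model. This is an added example, not dForce's contract code or anything from the Neptune Mutual report; the Pool class, its fields, and the numbers are constructed for illustration. It shows a view function returning an inconsistent value when read during an external call, and the same read being rejected once the view function also checks the reentrancy lock.

```python
# Toy model (constructed; not dForce's contracts) of a view function read mid-call.
from contextlib import contextmanager

class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class Pool:
    def __init__(self, reserves, total_shares, guard_views):
        self.reserves = reserves
        self.total_shares = total_shares
        self.guard_views = guard_views   # True = view functions also check the lock
        self._locked = False

    @contextmanager
    def _non_reentrant(self):
        if self._locked:
            raise ReentrancyError("state-changing function reentered")
        self._locked = True
        try:
            yield
        finally:
            self._locked = False

    def price_per_share(self):
        # "View" function that other contracts consume as a price source.
        if self.guard_views and self._locked:
            raise ReentrancyError("view read while pool state is mid-update")
        return self.reserves // self.total_shares

    def withdraw(self, shares, on_receive):
        with self._non_reentrant():
            payout = shares * self.reserves // self.total_shares
            self.total_shares -= shares      # shares burned first
            on_receive(payout)               # external call: control leaves the pool
            self.reserves -= payout          # reserves updated only afterwards

def observe(guard_views):
    """Return (price before, price seen inside the callback, price after)."""
    pool = Pool(reserves=1_000, total_shares=100, guard_views=guard_views)
    seen = []
    def receiver(_payout):
        try:
            seen.append(pool.price_per_share())
        except ReentrancyError:
            seen.append("reverted")
    before = pool.price_per_share()
    pool.withdraw(50, receiver)
    return before, seen[0], pool.price_per_share()
```

With guard_views=False the lock still blocks a nested withdraw, yet the callback reads a price of 20 while the true price before and after is 10; with guard_views=True the read fails instead of returning the stale value.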