dForce DeFi Protocol Loses $3.65 Million in Reentrancy Attack
Summary
On February 9, 2023, dForce, a DeFi protocol, fell victim to a reentrancy attack. The attacker exploited a known vulnerability in the smart contract, resulting in a loss of approximately $3.6 million.
Attackers
The identity of the attacker is unknown. The attackers utilized the following addresses:
Arbitrum:
Optimism:
Losses
~$3.65 million total
Arbitrum:
- 1,236.65 ETH (~1,893,000 USD)
- 719,437 USX
Optimism:
- 1,037,492 USDC
Timeline
- February 09, 2023, 11:10:22 PM UTC: The hacker exploited a reentrancy vulnerability.
- February 10, 2023, 04:31 AM UTC: The dForce team announced the hack.
- February 13, 2023, 03:00:27 AM UTC: Exploiter returned funds on Arbitrum.
- February 13, 2023, 03:00:27 AM UTC: Exploiter returned funds on Optimism.
Security Failure Causes
According to the Neptune Mutual report, several factors contributed:
- Team’s Negligence: The attack was made possible by a known reentrancy vulnerability that was not addressed during the audit conducted by dForce.
- Reliance on External Functions: The reentrancy attack exploited the dependence on external view functions, which reported incorrect state values when reentered.
- Absence of Reentrancy Locks: The absence of reentrancy locks in the smart contract facilitated the attack. These locks could prevent multiple invocations of a contract function within the same call chain.
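The last two causes can be seen together in a small Python model of the call flow, added here as an illustration. It is not dForce's contract code, and the `Pool` class, its fields and all numbers are constructed. It shows a view function returning an inconsistent value when called from a callback in the middle of a state update, and the same read being refused once a lock covers both the update and the view.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered during an in-progress update."""


class Pool:
    """Constructed model of a pool whose share price other contracts read."""

    def __init__(self, balance, shares, guarded):
        self.balance = balance        # assets held by the pool
        self.total_shares = shares    # outstanding share tokens
        self.guarded = guarded        # True = reentrancy lock enabled
        self._locked = False

    def share_price(self):
        # View function: the guarded variant refuses to answer mid-update.
        if self.guarded and self._locked:
            raise ReentrancyError("view read during state update")
        return self.balance / self.total_shares

    def withdraw(self, shares, on_receive):
        if self.guarded:
            if self._locked:
                raise ReentrancyError("withdraw reentered")
            self._locked = True
        try:
            amount = shares * self.balance // self.total_shares
            self.total_shares -= shares   # first half of the update
            on_receive(amount)            # external call hands over control
            self.balance -= amount        # second half of the update
        finally:
            self._locked = False
        return amount


def observe_price_during_withdraw(guarded):
    """Return what a callback sees when it reads share_price() mid-withdraw."""
    pool = Pool(balance=1000, shares=1000, guarded=guarded)
    seen = {}

    def callback(_amount):
        try:
            seen["mid"] = pool.share_price()
        except ReentrancyError:
            seen["mid"] = "blocked"

    pool.withdraw(500, callback)
    seen["after"] = pool.share_price()
    return seen
```

Without the lock, the callback reads a price of 2.0 while the settled price before and after the withdrawal is 1.0; any contract that trusts that mid-update reading is working from a state that never legitimately existed.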