Another DeFi protocol fell victim to an exploit Friday morning. Dough Finance, an open-source protocol for creating non-custodial liquidity markets, was hit by a flash loan attack that cost nearly $2 million in user funds. The project’s team announced that they are working to resolve the situation quickly.

Dough Finance Protocol Loses $1.96 Million

On July 12, reports of suspicious activity involving Dough Finance surfaced online. Web3 blockchain security platform Cyvers reported that it had detected several suspicious transactions related to the DeFi protocol.

According to the report, the hacker manipulated Dough Finance’s smart contract and stole $1.8 million in USDC. The attacker, whose wallet was funded via the zero-knowledge (ZK) protocol Railgun, swapped the stolen funds for Ethereum (ETH), initially receiving 608 ETH.

Olympix, a Web3 security provider, revealed that the exploit occurred due to “call data within the ConnectorDeleverageParaswap contract”. Apparently, the contract did not properly check the flash loan call data.

The unvalidated call data allowed the attacker to manipulate the contract data and send the funds to an Externally Owned Account (EOA). The first reports were followed by a second batch of attacks.
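The checks whose absence is described above can be sketched as follows. This is an added example, not Dough Finance's code: the contract and variable names are hypothetical, the lender is assumed to expose an Aave-V3-style `flashLoanSimple` callback, and the position-specific repay and withdraw steps are left out so that only the validation of the callback and its call data is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; all names are hypothetical, not Dough Finance's code.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
interface IPool { // Aave-V3-style lender (assumption)
    function flashLoanSimple(address receiver, address asset, uint256 amount,
                             bytes calldata params, uint16 referralCode) external;
}

contract ValidatedDeleverageConnector {
    address public immutable owner;  // account this connector acts for
    address public immutable pool;   // only address allowed to invoke the callback
    address public immutable router; // fixed swap target, never taken from call data
    bytes32 private expected;        // hash of the params this contract itself sent

    constructor(address pool_, address router_) {
        owner = msg.sender;
        pool = pool_;
        router = router_;
    }

    function deleverage(address asset, uint256 amount, uint256 minOut,
                        bytes calldata swapData) external {
        require(msg.sender == owner, "not owner");
        bytes memory params = abi.encode(minOut, swapData);
        expected = keccak256(params); // bind the callback to exactly these bytes
        IPool(pool).flashLoanSimple(address(this), asset, amount, params, 0);
    }

    function executeOperation(address asset, uint256 amount, uint256 premium,
                              address initiator, bytes calldata params)
        external returns (bool)
    {
        require(msg.sender == pool, "caller is not the pool");
        require(initiator == address(this), "loan not started here");
        require(expected != bytes32(0) && keccak256(params) == expected, "params mismatch");
        expected = bytes32(0); // single-use commitment, cleared before any external call

        (uint256 minOut, bytes memory swapData) = abi.decode(params, (uint256, bytes));
        uint256 balBefore = IERC20(asset).balanceOf(address(this));
        (bool ok, ) = router.call(swapData);
        require(ok, "swap failed");
        // Proceeds must land in this contract, whatever recipient swapData names.
        require(IERC20(asset).balanceOf(address(this)) - balBefore >= minOut, "output missing");
        require(IERC20(asset).approve(pool, amount + premium), "approve failed");
        return true;
    }
}
```

The callback rejects any caller other than the pool, any loan it did not initiate, and any parameters it did not commit to beforehand, and the balance check fails the transaction if the swap output is routed to another address.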

Dough Finance's funds flow after the exploit. Source: Breadcrumbs.app on X

These attacks resulted in the loss of another $141,000 in USDC, bringing the total stolen to $1.96 million. Nevertheless, Cyvers confirmed that the pools of the lending protocol Aave remained unaffected.

Scammers Target DeFi Projects

After initial reports, the DeFi protocol acknowledged the attack and urged users to withdraw their remaining funds from the protocol. Later, Dough Finance announced it had identified and closed the exploit.

The project confirmed that “a few early Dough DeFi Smart Accounts (DSAs)” were victims of an advanced exploit. Furthermore, the announcement said that the Dough Finance team is actively working to address the incident, recover the funds and compensate the investors.

Online reports revealed that the team reached out to the attacker. In an on-chain message, the DeFi protocol informed the attacker that it had contacted the proper authorities.

The team's on-chain message to the exploiter. Source: Evgenii on X

The team also offered to discuss a reward if the attacker “exploited this vulnerability as a white or grey hat,” adding the address to which the funds should be transferred.

The attacker has until Monday, July 15, 2024 at 23:00 UTC to contact the DeFi protocol. According to the message, if the team does not receive a response, they will “assume that you have misappropriated the funds with unlawful intent and will pursue all available criminal, legal, and administrative avenues” to recover the stolen funds.

Scammers have been heavily targeting the sector. This week, several DeFi projects, including Compound Finance, were compromised in a phishing attack. Apparently, the projects were victims of a DNS domain attack that redirected users to a fake website.

The cloned site hosted a draining tool that could empty users’ wallets if they interacted with it. As a result, the project teams urged customers not to interact with the sites until further notice.

Ethereum is trading at $3,126 on the three-day chart. Source: ETHUSDT on TradingView

By newadx4
