Another DeFi protocol fell victim to an exploit on Friday morning. Dough Finance, an open-source protocol to create non-custodial liquidity markets, suffered a flash loan attack that took nearly $2 million in user funds. The project’s team announced they are working to resolve the situation promptly.
Dough Finance Protocol Loses $1.96 Million
On July 12, online reports concerning activity from Dough Finance were called out. Web3 blockchain security platform Cyvers informed us that it had detected multiple suspicious transactions involving the DeFi protocol.
Per the report, the hacker manipulated Dough Finance’s smart contract and stole $1.8 million in USDC. The attacker, funded through the zero-knowledge (ZK) protocol Railgun, swapped the misappropriated funds to Ethereum (ETH), initially obtaining 608 ETH.
Olympix, a Web3 security provider, revealed that the exploit occurred due to “calldata within the ConnectorDeleverageParaswap contract.” Seemingly, the contract didn’t properly check the flash loan calls data.
The unvalidated calldata allowed the exploiter to manipulate the contract’s data and send the funds to an Externally Owned Account (EAO). Following the initial reports, a second batch of attacks occurred.
These attacks resulted in the loss of another $141,000 in USDC, raising the total crypto heist to $1.96 million. Nonetheless, Cyvers confirmed that lending protocol Aave’s pools remained unaffected.
Scammers Target DeFi Projects
After the initial reports, the DeFi protocol acknowledged the attack and urged users to withdraw their remaining funds from the protocol. Later, Dough Finance announced it had identified and closed the exploit.
The project confirmed that “a few early Dough DeFi Smart Accounts (DSAs)” were victim to a sophisticated exploit. Moreover, the post assured that Dough Finance’s team is actively working to address the incident, recover the funds, and make investors whole.
Online reports revealed that the team reached out to the exploiter. In an on-chain message, the Defi protocol informed the exploiter it had contacted the appropriate authorities.
The team also offered to discuss a bounty if the attacker had “exploited this vulnerability as a white or grey hat,” and attached the address where the funds should be directly transferred.
The exploiter has until Monday, July 15, 2024, at 23:00 UTC to contact the DeFi protocol. Per the message, if the team doesn’t receive an answer, they will “assume you appropriated the funds with unlawful intent and will pursue all criminal, legal, and administrative avenues available” to recover the misappropriated funds.
Scammers have heavily targeted the sector. This week, various DeFi projects, including Compound Finance, were compromised in a phishing attack. Seemingly, the projects were victims of a DNS domain attack that redirected users to a fake website.
The copy website was a drainer tool that could drain users’ funds if they interacted with it. As a result, the projects’ teams urged customers not to interact with the websites until further notice.
