DeFi-focused altcoin project dForce (DF) lost $3.6 million in a hack that repeatedly withdrew funds from a smart contract.
Altcoin hack was the latest vulnerability to occur in Curve Finance
According to reports, a hacker stole more than $3.6 million from dForce in a Curve reentrancy attack carried out on Arbitrum and Optimism. The DeFi project confirmed the incident in a Twitter post and reported that it is pausing its contracts to prevent further damage.
DeFi altcoin drops over 5%
The dForce (DF) price has seen only a 5% drop, possibly because the stolen funds have only just been sold. At the time of writing, it is trading at $0.04381 amid ongoing selling.
Hacker targeted wstETH/ETH Curve vaults
The attack was apparently enabled by a reentrancy vulnerability, which can occur when an attacker repeatedly calls a smart contract function and extracts assets from it before the contract updates its internal state. This vulnerability can arise from an error in the smart contract code or from a lack of appropriate security measures.
“On February 10, our wstETH/ETH Curve vaults on Arbitrum and Optimism were exploited and we paused all vaults immediately. The vulnerability was identified and the hack was specific to dForce’s wstETH/ETH-Curve vault.”
According to the two leading crypto security companies BlockSec and PeckShield, the total losses from the attack were about $3.6 million. PeckShield noted that dForce lost about 1,236.65 ETH and 719,437 USX on the Arbitrum layer-2 protocol.
PeckShield also highlighted that about 1,037,492 USDC was stolen on Optimism (@optimismFND). Reports state that “their initial analysis showed that the root cause was an oracle price issue.” Total losses are approximately $1.91 million on Arbitrum and $1.73 million on Optimism.
How did the hack happen?
The reentrancy bug was present in a smart contract function used by dForce to calculate oracle prices on Arbitrum and Optimism when connected to Curve Finance. The function, known as “get_virtual_price”, returns an estimated oracle price and can be called by any protocol connected to Curve. It is used to calculate the price of the liquidity pool token.
BlockSec’s director of security services, Matthew Jiang, said that all protocols that use the “get_virtual_price” function to calculate oracle prices, including dForce, are vulnerable. He added that the problem was known to everyone and that Curve itself was not affected. Still, projects need to be more careful and take additional steps when estimating oracle prices, as these can be manipulated by malicious actors through reentrancy attacks.
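The following is an added illustration, not code from dForce, Curve, or the security firms quoted above: a simplified Python model of why a price read taken while a withdrawal is still in progress is unreliable, and how a lock-aware read rejects it. The ToyPool class, its payout ordering, the get_virtual_price_checked method and all numbers are assumptions constructed for this example.

```python
# Toy model (constructed): a pool that makes an external call before
# its bookkeeping is complete. Not Curve's or dForce's actual code.
class ReentrantRead(Exception):
    pass

class ToyPool:
    def __init__(self, balance, lp_supply):
        self.balance = balance        # assets the pool accounts for
        self.lp_supply = lp_supply    # LP tokens outstanding
        self.locked = False           # reentrancy lock for state changes

    def get_virtual_price(self):
        # Unguarded view: answers even while a withdrawal is in progress.
        return self.balance / self.lp_supply

    def get_virtual_price_checked(self):
        # Hardened read (hypothetical): refuse to price mid-update state.
        if self.locked:
            raise ReentrantRead("pool state is mid-update")
        return self.get_virtual_price()

    def remove_liquidity(self, lp_amount, on_payout):
        if self.locked:
            raise ReentrantRead("state-changing call re-entered")
        self.locked = True
        payout = self.balance * lp_amount / self.lp_supply
        self.lp_supply -= lp_amount   # LP tokens are burned first
        on_payout(self)               # external call: receiver's code runs
        self.balance -= payout        # balance is updated only afterwards
        self.locked = False
        return payout

def observe_prices(lp_amount=400):
    """Record what a price consumer sees before, during and after a withdrawal."""
    pool = ToyPool(balance=1000.0, lp_supply=1000.0)
    seen = {"before": pool.get_virtual_price()}

    def callback(p):
        # Runs inside the external call, while supply and balance disagree.
        seen["during_unchecked"] = p.get_virtual_price()
        try:
            p.get_virtual_price_checked()
            seen["during_checked"] = "answered"
        except ReentrantRead:
            seen["during_checked"] = "rejected"

    pool.remove_liquidity(lp_amount, callback)
    seen["after"] = pool.get_virtual_price()
    return seen
```

In this model the price is 1.0 before and after the withdrawal but reads about 1.67 during the callback, which is why a protocol that consumes the price as an oracle needs the guarded read.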
Another high-profile hack of the day, which we reported on at Kriptokoin.com, occurred on Trust Wallet, a hot storage method that received praise from Binance CEO Changpeng Zhao.