Unauthorized Access Results in $1.96 Million Loss at Dough Finance DeFi Protocol

An exploit targeted Dough Finance, a DeFi protocol enabling non-custodial liquidity markets, causing a breach that led to the theft of almost $2 million in user funds. The project is actively striving to address the issue quickly.

Significant Loss at Dough Finance Protocol

The incident came to light on July 12, when Cyvers, a Web3 blockchain security platform, detected multiple suspicious transactions linked to the DeFi protocol. The hacker exploited Dough Finance’s smart contract and made off with $1.8 million in USDC, which was then converted to Ethereum (ETH), yielding 608 ETH.

Olympix, another Web3 security provider, pinpointed the cause of the breach as a flaw within the ConnectorDeleverageParaswap contract, allowing the attacker to bypass checks on the flash loan call data. The exploit permitted the hacker to alter the contract’s data and transfer the funds to an Externally Owned Account (EOA), resulting in a subsequent series of attacks.

The repeated breaches led to an additional loss of $141,000 in USDC, bringing the total stolen amount to $1.96 million. However, Aave’s lending pools were confirmed to be unaffected by the attacks.

DeFi Projects Under Attack

Subsequent to the initial reports, Dough Finance acknowledged and addressed the attack, advising users to withdraw their remaining funds. The project later declared that it had identified and closed the exploit.

According to the project, several Dough DeFi Smart Accounts (DSAs) were compromised in a sophisticated attack. The team is working to rectify the situation, recover the funds, and compensate affected investors.

The team communicated with the exploiter via an on-chain message, notifying them of contact with relevant authorities. Additionally, the protocol extended an offer to discuss potential rewards with the attacker for disclosing the vulnerability, specifying the address for fund transfer.

The exploiter was given until July 15, 2024, at 23:00 UTC to respond to the DeFi protocol. Failure to comply would lead to further action to recover the misappropriated funds through legal channels.

DeFi projects have been a prime target for scammers, with recent phishing attacks affecting various platforms like Compound Finance. These attacks involved a DNS domain infiltration redirecting users to fraudulent websites designed to drain funds from unsuspecting visitors.

Customers were cautioned against interacting with these sites until the issue was thoroughly resolved.
