DeFi Protocols: Dough Finance hacker steals $1.96 million in user funds

Another DeFi protocol was exploited on Friday morning. Dough Finance, an open-source protocol for creating a non-custodial liquidity market, fell victim to a flash loan attack that stole nearly $2 million from users. The project team said it is working to resolve the situation as quickly as possible.

Dough Finance Protocol Loses $1.96 Million

On July 12, reports of suspicious activity involving Dough Finance appeared online. Cyvers, a Web3 blockchain security platform, reported that it had spotted multiple suspicious DeFi transactions.

According to the report, the hacker stole $1.8 million in USDC by manipulating Dough Finance’s smart contract. The attacker, whose funding came from the zero-knowledge (ZK) protocol Railgun, converted the stolen money to Ether (ETH), initially obtaining 608 ETH.

Web3 security company Olympix disclosed that “call data within the ConnectorDeleverageParaswap contract” caused the exploit. The contract did not fully validate the call data passed in with the flash loan.

Dough Finance’s funds flow after the exploit. Source: Breadcrumbs.app on X

Hackers target DeFi projects

The DeFi protocol acknowledged the attack after the first reports and advised users to withdraw any remaining funds from the protocol. Dough Finance then declared that it had detected and shut down the exploit.

According to the project, a clever exploit “affected some early Dough DeFi Smart Accounts (DSAs)”. The post states that Dough Finance’s staff is actively working to resolve the situation, recover funds, and reimburse investors.

According to online reports, the team contacted the exploiter. The DeFi protocol informed the exploiter via an on-chain message that it was in contact with the relevant authorities.

The team’s on-chain message to the exploiter. Source: Evgenii on X

The team provided the address to which payments should be sent immediately and offered a bounty if the attacker “exploits this vulnerability in either a white or grey hat way.”

The hacker has until Monday, July 15, 2024, 23:00 UTC to contact the DeFi protocol. The statement said that if the team does not receive a response, it will “assume that you have seized the reserves for illegal purposes and will seek all available criminal, legal and official avenues to recover the misused funds”.

Hackers have actively targeted this sector. This week, a phishing attempt put several DeFi projects at risk, including Compound Finance. A DNS domain attack that redirected users to a fake site targeted these projects.

The copied website is a money-stealing tool that can take the funds of users who connect to it. The project teams therefore advised users not to visit the websites until further notice.
