DeFi Protocol Dough Finance Suffers $1.8M Loss in Flash Loan Attack

The attacker leveraged unvalidated calldata, leading to the theft of 608 ETH. 

Decentralized finance (DeFi) protocol Dough Finance has fallen victim to a flash loan attack, resulting in a loss of $1.8 million worth of Ether (ETH). The incident has raised concerns about the security of the DeFi platform. 

On July 12, Web3 security company Cyvers identified several suspicious transactions. The blockchain security firm quickly contacted the lending protocol Aave to assess any potential impact on its pools. Following a thorough investigation, Cyvers confirmed that Aave’s pools remained secure and were not affected by the suspicious activity.  

Cyvers reported that the attacker used Railgun, a privacy protocol built on zero-knowledge (ZK) proofs, to fund the attacking address, and subsequently swapped the stolen USD Coin (USDC).

Hacker Exploits Smart Contract

Web3 security firm Olympix pointed out the vulnerability stemmed from unvalidated calldata in the “ConnectorDeleverageParaswap” contract.  

Commenting on the attack, the firm said:  

“The contract didn’t properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”  

Olympix noted that individuals who deposited funds into the compromised DeFi contract might be affected. However, the security company emphasized that the hack did not impact Aave’s pools.  
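As an added illustration of the bug class Olympix describes, and not the Dough Finance contract's own code (which this page does not show), the following is a generic flash-loan receiver written in the shape of an Aave V3 `executeOperation` callback, first in the vulnerable form and then hardened. The contract names, the `swapRouter` variable, the owner-only entry point and the Aave-style interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example of an unvalidated flash-loan callback. NOT Dough Finance's
// ConnectorDeleverageParaswap contract; interface modelled on Aave V3's
// flashLoanSimple/executeOperation, contract and variable names are assumptions.

interface IPool {
    function flashLoanSimple(
        address receiverAddress, address asset, uint256 amount,
        bytes calldata params, uint16 referralCode
    ) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE pattern: trusts the caller and decodes attacker-controllable `params`.
contract UnsafeDeleverageConnector {
    IPool public immutable pool;

    constructor(IPool _pool) { pool = _pool; }

    function executeOperation(
        address asset, uint256 amount, uint256 premium,
        address /* initiator */, bytes calldata params
    ) external returns (bool) {
        // No check that msg.sender is the pool or that this contract initiated the
        // loan, so anyone can reach this code and choose the swap target and calldata.
        (address swapTarget, bytes memory swapData) = abi.decode(params, (address, bytes));
        IERC20(asset).approve(swapTarget, amount);
        // Arbitrary external call while this contract holds the flash-loaned funds
        // and whatever user tokens were previously approved to it.
        (bool ok, ) = swapTarget.call(swapData);
        require(ok, "swap failed");
        IERC20(asset).approve(address(pool), amount + premium); // pool pulls repayment
        return true;
    }
}

// HARDENED pattern: only the pool may call back, only for loans this contract
// started, and the swap router is pinned at deployment rather than read from calldata.
contract SafeDeleverageConnector {
    IPool public immutable pool;
    address public immutable swapRouter; // assumed: a fixed DEX aggregator router
    address public immutable owner;
    bool private inFlashLoan;

    constructor(IPool _pool, address _swapRouter) {
        pool = _pool;
        swapRouter = _swapRouter;
        owner = msg.sender;
    }

    function deleverage(address asset, uint256 amount, bytes calldata swapData) external {
        require(msg.sender == owner, "not owner");
        require(!inFlashLoan, "reentrant");
        inFlashLoan = true;
        // Only this function can start a loan; `params` carries just the swap calldata.
        pool.flashLoanSimple(address(this), asset, amount, abi.encode(swapData), 0);
        inFlashLoan = false;
    }

    function executeOperation(
        address asset, uint256 amount, uint256 premium,
        address initiator, bytes calldata params
    ) external returns (bool) {
        require(msg.sender == address(pool), "caller is not the pool");
        require(initiator == address(this), "loan not initiated by this contract");
        require(inFlashLoan, "no flash loan in progress");

        bytes memory swapData = abi.decode(params, (bytes));
        IERC20(asset).approve(swapRouter, amount);   // allowance scoped to the pinned router
        (bool ok, ) = swapRouter.call(swapData);
        require(ok, "swap failed");
        IERC20(asset).approve(swapRouter, 0);        // clear the allowance afterwards

        uint256 owed = amount + premium;
        require(IERC20(asset).balanceOf(address(this)) >= owed, "cannot repay");
        IERC20(asset).approve(address(pool), owed);
        return true;
    }
}
```

The three `require` checks in the hardened callback are the ones auditors look for first in any flash-loan receiver: the caller must be the lending pool, the loan must have been initiated by the contract itself, and an in-progress flag (or equivalent) must rule out direct or re-entrant calls. Taking the swap target from `params`, as the unsafe version does, hands an arbitrary-call primitive with live token approvals to whoever controls that calldata.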

Olympix also recommended that Dough Finance users withdraw their funds to a secure wallet. Additionally, Cyvers advised users to follow announcements from the Dough Finance team and refrain from interacting with the protocol until the issue is resolved.

Nearly $1 Billion Lost to Security Incidents this Year  

The Dough Finance hack cost almost $2 million, but the broader crypto space had already lost nearly $1 billion in digital assets to security incidents this year.

On June 4, blockchain security firm CertiK released a report detailing that on-chain incident losses had reached $821 million since the beginning of the year. The majority of these losses were due to phishing attacks and private key compromises. 

CertiK co-founder Ronghui Gu emphasized the critical importance of adopting multi-factor authentication measures, such as two-factor authentication (2FA) and security keys.   

On June 19, crypto exchange giant Kraken revealed it fell victim to a bug-related exploit that resulted in approximately $3 million in losses.   

Similarly, on March 30, 2024, the DeFi platform Prisma Finance was compromised in an exploit that resulted in the loss of approximately $10 million worth of crypto assets.