Dough Finance, a decentralized finance (DeFi) protocol, lost $1.8 million in digital assets following a flash loan attack. On July 12, Web3 security firm Cyvers detected multiple suspicious transactions and confirmed that Aave pools were safe.
Despite this, Dough Finance was heavily impacted. The attacker utilized the zero-knowledge (ZK) protocol Railgun to fund the attack and swapped the stolen USD Coin (USDC) for 608 ETH, valued at approximately $1.8 million.
Also, Web3 security provider Olympix identified the root cause of the breach as unvalidated calldata within the “ConnectorDeleverageParaswap” contract. The contract failed to properly check the data received during flash loan calls, allowing the attacker to exploit this vulnerability and steal the funds. Olympix indicated that those who deposited funds in the affected contract might be impacted.
#OlympixAlert
Attention @DoughFina Users: Exploit Alert!
Dough finance has been exploited for roughly ~$1.8 million in USDC! Here’s a breakdown of the situation based on available information:
What Happened?
The exploit stemmed from unvalidated calldata within the… pic.twitter.com/NBcCwsMl10
— Olympix (@Olympix_ai) July 12, 2024
Follow-Up Actions by The Dough Finance Hacker
Following the initial breach, the attacker conducted another attack on Dough Finance, resulting in an additional loss of $140,498, bringing the total loss to $1.96 million. Users with funds deposited in the compromised Dough Finance contracts were most affected by this breach. In contrast, users associated with Aave remained unaffected, as the attack targeted Dough Finance specifically and did not involve any Aave pools.
Advisory for Users
Web3 security provider Olympix advised Dough Finance users to consider withdrawing their funds to a secure wallet. They also recommended that users monitor announcements from the Dough Finance team and avoid interacting with the protocol until the situation is resolved. CertiK also provided insights into the breach, noting that the attacker’s swift conversion of stolen USDC into ETH complicated efforts to trace and recover the funds.
According to a report by blockchain security firm Immunefi, the amount of money lost due to scams and hacks in the cryptocurrency sector witnessed a sharp increase in the second quarter of 2024. The losses soared to over $572 million in this period, more than double the $220 million recorded in the corresponding quarter 2023. The majority of these financial losses stemmed from breaches in centralized exchanges.